How Ransomware Authors Target Databases


The scourge of ransomware is undoubtedly the most severe cybersecurity concern for home users and organizations alike these days. It revolves around taking important data hostage and demanding money, usually hard-to-trace cryptocurrency such as Monero or Bitcoin, in exchange for recovering it. Online extortionists are constantly diversifying their attack vectors to affect as many victims as possible. The rise of database ransomware demonstrates this unsettling evolution. According to cybersecurity experts from VPNBrains.com, the threat actors who chose to zero in on servers rather than endpoints have had huge success with their updated tactics.

MongoDB servers turn out to be an easy target


A massive campaign targeting MongoDB servers broke out several years ago. It was the first-ever instance of malefactors compromising open-source database installations on a large scale. A black hat hacker known in the cybercrime underground by the alias “Harak1r1” was able to identify and attack numerous poorly protected MongoDB installations across the globe. The workflow of these breaches is as follows: the crook gains unauthorized access to a database, exfiltrates its content, and replaces it with a ransom note. Server owners are instructed to submit Bitcoin payments to get the hostage data back.

Shortly after this extortion model took root, a powerful criminal group called Kraken got interested and stepped in. This involvement increased the number of ransomed MongoDB servers from 10,000 to a whopping 28,000. The total amount of data stolen by the attackers reached about 93 terabytes. Several dozen victims reportedly ended up paying the requested ransom. However, they never got their data back. The crooks were most likely bluffing about the deal: they simply erased the information without actually exporting it anywhere.

The reason why so many MongoDB instances became low-hanging fruit for the bad guys is the lack of caution on the administrators’ end. The campaign in question hit Internet-facing databases whose default configuration had been left unaltered. The ne’er-do-wells behind the attacks could therefore gain access to these unsecured servers by guessing or brute-forcing the password. None of this would have happened if admins had set up proper access control and authentication.
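The exposure described above can be checked for before a server ever goes online. The following is an added example (not code from the article or from MongoDB): a small audit script that reads a mongod.conf file and flags the combination the campaign relied on, namely a listener bound to every interface while `security.authorization` is not enabled. It assumes the usual two-level `section:` / indented `key: value` layout of mongod.conf and does not attempt to parse arbitrary YAML; the sample configs are constructed.

```python
def parse_mongod_conf(text):
    """Parse the two-level section / indented key: value subset of mongod.conf (not full YAML)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith((" ", "\t")):          # unindented line: new section
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf

def audit_mongod_conf(text):
    """List the weaknesses that made the ransomed MongoDB instances reachable."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    bind_ips = [a.strip() for a in net.get("bindIp", "").split(",")]
    exposed = (net.get("bindIpAll", "").lower() == "true"
               or any(a in ("0.0.0.0", "::") for a in bind_ips))
    auth_on = sec.get("authorization", "disabled").lower() == "enabled"
    findings = []
    if exposed:
        findings.append("net.bindIp listens on all interfaces")
    if not auth_on:
        findings.append("security.authorization is not enabled")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated instance reachable from the network")
    return findings

# Constructed sample configs: the exposed default-style layout and a hardened one.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app-tier address (constructed)
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Run it against the real /etc/mongod.conf as part of a deployment check; a non-empty result from the weak sample is exactly the state the attackers were scanning for.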

Hadoop and CouchDB databases at risk

A new wave of database attacks hit the headlines soon afterwards. This time, the same group of hackers went after servers running the Hadoop and CouchDB data management platforms. As in the MongoDB incidents described above, these breaches involved hijacking unsecured servers and deleting their data. The extortion part again involved a ransom demand: the hackers pressured the affected organizations into paying Bitcoin to restore proprietary information.

Another common denominator of the two campaigns is that the fraudsters spotted and compromised default installations of Hadoop and CouchDB with very weak authentication. Effectively, no specific malware or phishing tricks were involved; simply guessing administrative credentials was enough to pull off these attacks. The worst aspect of the aftermath is that the data was erased beyond recovery, so paying the ransom could not help.


At about the same time, an individual who goes by the online handle “Kraken0” released a ransomware kit that automates detecting and breaking into poorly protected databases. The kit was for sale on darknet resources for as little as $200. Wannabe crooks must have really appreciated such an opportunity to go pro.

MySQL databases are not much safer

Ransomware deployers did not overlook vulnerable MySQL installations either. Servers running this popular database management system were also subjected to extortion attacks. Although the first wave lasted only 30 hours, it succeeded in compromising hundreds of MySQL databases globally. The anatomy of the attacks is invariable: defeat authentication to access a server, delete the database content, and then demand a ransom payment. Unfortunately, most of the time the criminals did not actually dump the data before deleting it, so recovery was unfeasible.

This breach went two different routes. One involved adding a new table called “WARNING” to the existing database. The table held a recovery how-to providing the attacker’s email address, a Bitcoin wallet address, and the amount to be paid. The server administrator was instructed to visit a specific page using the Tor Browser and follow further directions listed on the darknet site. The other scenario created a new database containing a table called “PLEASE_READ.” This edition of the ransom note told victims to submit the specified amount of cryptocurrency and then send the affected IP address or database name to backupservice @ mail2tor.com. In either case, the perpetrators did not keep their promises and never gave the hostage data back.
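Both MySQL variants leave a structural footprint in the server catalog: a ransom-note table in an existing database, a brand-new database holding only such a note, and tables that have vanished. The following added example (not from the article) turns that into a detection routine. It assumes the defender keeps a known-good inventory of schemas and tables from an earlier snapshot and feeds it the current `(table_schema, table_name)` pairs as returned by `SELECT table_schema, table_name FROM information_schema.tables`; the rows and baseline below are constructed.

```python
from collections import defaultdict

# Table names the article reports as ransom notes in the MySQL campaign.
RANSOM_TABLE_NAMES = {"WARNING", "PLEASE_READ"}

def find_ransom_indicators(rows, baseline):
    """rows: (schema, table) pairs as information_schema.tables lists them.
    baseline: {schema: set(tables)} known-good inventory from an earlier snapshot
    (assumption: such a snapshot is kept). Returns human-readable findings."""
    current = defaultdict(set)
    for schema, table in rows:
        current[schema].add(table)
    findings = []
    for schema, tables in current.items():
        notes = sorted(t for t in tables if t.upper() in RANSOM_TABLE_NAMES)
        for note in notes:
            findings.append(f"ransom-note table {schema}.{note}")
        if notes and schema not in baseline:          # the 'new database' variant
            findings.append(f"unknown database {schema} created to hold a ransom note")
    for schema, expected in baseline.items():         # deletion check
        missing = sorted(expected - current.get(schema, set()))
        if missing:
            findings.append(f"{schema}: missing expected table(s): {', '.join(missing)}")
    return findings

# Constructed sample catalog listings (not real victim data).
BASELINE = {"shop": {"customers", "orders"}, "mysql": {"user"}}
CLEAN_ROWS = [("shop", "customers"), ("shop", "orders"), ("mysql", "user")]
HIT_ROWS = [("shop", "customers"), ("shop", "WARNING"),   # note dropped into existing DB
            ("notes", "PLEASE_READ"),                      # note in a freshly created DB
            ("mysql", "user")]

if __name__ == "__main__":
    for line in find_ransom_indicators(HIT_ROWS, BASELINE):
        print(line)
```

Scheduling this against the catalog every few minutes gives an alert within the attack window rather than after the ransom note is read by a user.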

The bottom line

All of these database hack incidents demonstrated that the data management platforms per se are not to blame for these predicaments. Whether it is MongoDB, Hadoop, CouchDB, or MySQL, each one provides plenty of security capabilities and information protection options, including advanced authentication, access control, and data encryption.

It is the unprofessional deployment of these databases that lets these attacks through. The malefactors can simply scan Shodan, a search engine for Internet-accessible devices, to find vulnerable servers. The rest is a matter of low-level hacking. We strongly recommend that all web admins keep their database software up to date and leverage the security features that ship with every such platform. Use all available protection mechanisms, including multifactor authentication. Keep in mind that your mobile devices can be monitored too with the help of phone tracker apps.

There are plenty of tips on how to secure your database: use database firewalls, separate web servers from database servers, encrypt data and backups, secure database user access, and so on.

While securing a database may seem like a difficult task, each additional step you take makes a profound difference and cuts off vast groups of potential hackers. Some organizations may need professional services to help them implement the best solutions. Hackers continue to change their techniques, so it is crucial to stay up to date on all available security measures. Becoming aware is an excellent first step.

By Alex Vakulov
