How Ransomware Authors Target Databases


Ransomware is currently among the most damaging cyber security threats for home users and organizations alike. It revolves around taking important data hostage and demanding payment, usually in a hard-to-trace cryptocurrency such as Monero or Bitcoin, in exchange for recovery. Online extortionists keep diversifying their attack vectors to reach as many victims as possible, and the rise of database ransomware illustrates this unsettling evolution. According to cybersecurity experts from VPNBrains.com, the threat actors who chose to zero in on servers rather than endpoints have had considerable success with these updated tactics.

MongoDB servers turn out to be an easy target


A massive campaign targeting MongoDB servers broke out several years ago. It was the first instance of attackers compromising open-source database deployments on a large scale. A black hat hacker known in the cybercrime underground under the alias “Harak1r1” identified and attacked numerous poorly protected MongoDB installations across the globe. The workflow of these breaches was as follows: the attacker gains unauthorized access to a database, exports its content (or claims to), wipes it, and leaves a ransom note in its place. Server owners are instructed to submit Bitcoin payments to get the hostage data back.

Shortly after this extortion model took root, a prolific criminal group called Kraken stepped in. Its involvement pushed the number of ransomed MongoDB servers from 10,000 to a whopping 28,000, and the total volume of data reportedly taken reached about 93 terabytes. Several dozen victims are said to have paid the requested ransom, but none of them got their data back. The crooks were most likely bluffing: they simply erased the information without exporting it anywhere.

So many MongoDB instances became low-hanging fruit because of carelessness on the administrators’ side. The campaign hit Internet-facing databases running with the default configuration unaltered. At the time, a default mongod listened on every network interface with authorization disabled, so in most cases there was no password to guess at all: anyone who could reach TCP port 27017 could list, dump and drop every database, and where a password did exist it was weak enough to brute-force. None of this would have happened if admins had bound the listener to internal interfaces and enabled authentication and role-based access control.
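To make the weak setting and its fix concrete, here is an added example (not code from the article or from MongoDB) that audits a mongod.conf for exactly the exposure described above. The two configuration texts are constructed samples, and the small indentation-based parser is an assumption for illustration; a production audit should load the file with a YAML library and check the same keys.

```python
"""Audit a mongod.conf for the two settings the MongoDB ransom campaigns
exploited: a listener bound to every interface and authorization left
disabled. Added example, not code from the article or from MongoDB.
The parser handles the indented 'section:\\n  key: value' layout of
mongod.conf (an assumption; a real audit should use a YAML library).
"""
from __future__ import annotations

# Constructed samples, not taken from any real host. WEAK_CONF has the
# shape of a pre-3.6 Internet-facing deployment; HARDENED_CONF is the fix.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# no security section: authorization defaults to disabled
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the internal app address only
  tls:
    mode: requireTLS
security:
  authorization: enabled        # every client must authenticate and be authorized
"""


def parse_mongod_conf(text: str) -> dict[str, str]:
    """Flatten indented 'key: value' lines into {'net.bindIp': '0.0.0.0', ...}.

    Nesting is tracked by indentation so net.tls.mode resolves too.
    Comments (from '#' onward) and blank lines are ignored.
    """
    flat: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, key) path to the current node
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            flat[path] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return flat


def audit_mongod_conf(text: str) -> list[str]:
    """Return findings for the exposure the campaigns scanned for; [] means clean."""
    conf = parse_mongod_conf(text)
    findings: list[str] = []

    bind_ip = conf.get("net.bindIp", "")
    addresses = [a.strip() for a in bind_ip.split(",") if a.strip()]
    wildcard = any(a in ("0.0.0.0", "::") for a in addresses)
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    # Before MongoDB 3.6 the binary default (no bindIp at all) was to listen
    # on every interface, which is what exposed the ransomed hosts.
    listens_everywhere = wildcard or bind_all or not addresses
    if listens_everywhere:
        findings.append(
            "net.bindIp: listener reachable on all interfaces; bind it to "
            "127.0.0.1 and the internal address the application uses")

    auth_enabled = conf.get("security.authorization", "disabled").lower() == "enabled"
    if not auth_enabled:
        findings.append(
            "security.authorization: not 'enabled'; any client that reaches the "
            "port can list, dump and drop every database")

    if listens_everywhere and not auth_enabled:
        findings.append(
            "CRITICAL: unauthenticated mongod on a public interface, the exact "
            "exposure Harak1r1 and Kraken scanned for")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['no findings']}")
```

The weak sample produces three findings and the hardened one none. The same two questions (what does the listener bind to, and is authentication mandatory) apply unchanged to the Hadoop, CouchDB and MySQL deployments discussed below; only the file names and key names differ.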

Hadoop and CouchDB databases at risk

A new wave of database attacks hit the headlines soon afterwards. This time the same hackers went after servers running the Hadoop and CouchDB data management platforms. Similar to the MongoDB incidents, these breaches consisted of hijacking unsecured servers and deleting their data. The extortion part again involved a ransom demand, with the hackers pressuring the compromised organizations into paying Bitcoin to restore their proprietary information.

Another common denominator of the two campaigns is that the attackers spotted and compromised default installations of Hadoop and CouchDB with weak or absent authentication. No malware or phishing was involved; guessing administrative credentials, or simply connecting to an instance that required none, was enough to pull off these attacks. The worst part of the aftermath is that the data was erased beyond recovery, so paying the ransom could not help.


At about the same time, an individual going by the online handle “Kraken0” released a ransomware kit that automates the detection and hijacking of poorly protected databases. The kit was sold on darknet forums for as little as $200, an opportunity to go pro that wannabe crooks must have appreciated.

MySQL databases are not much safer

Ransomware operators did not pass over vulnerable MySQL installations either. Servers running this popular database management system were also subject to extortion attacks. Although the first wave lasted only 30 hours, it compromised hundreds of MySQL databases globally. The anatomy of the attacks never varied: brute-force the root account on an Internet-exposed server, delete the database content, then demand a ransom. In most cases the criminals never actually dumped the data first, so recovery was impossible.

The breach went two different routes. One added a new table called “WARNING” to an existing database. It held a recovery how-to listing the attacker’s email address, a Bitcoin wallet address and the amount to be paid; the administrator was instructed to visit a specific page with the Tor Browser and follow the directions on the darknet site. The other created a new database containing a table called “PLEASE_READ.” This edition of the ransom note told victims to pay the specified amount of cryptocurrency and then send the affected IP address or database name to backupservice @ mail2tor.com. In either case the perpetrators did not keep their promise and never returned the hostage data.
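Because the MySQL wave was plain password guessing against an exposed root account, the earliest signal a defender has is a burst of failed logins from one source. The following added example (not code from the article) runs that detection over constructed MySQL error-log lines; the lines follow the layout MySQL 5.7 uses for “Access denied” events, and the threshold and window are assumptions to tune for your own traffic.

```python
"""Flag password guessing against an Internet-exposed MySQL server from its
error log. Added example, not code from the article. SAMPLE_LOG is
constructed in the layout MySQL 5.7 writes for 'Access denied' events
(timestamp, thread id, level, message); threshold/window are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterator

SAMPLE_LOG = """\
2017-02-12T03:14:01.000000Z 12 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T03:14:01.200000Z 13 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T03:14:01.400000Z 14 [Note] Access denied for user 'admin'@'198.51.100.7' (using password: YES)
2017-02-12T03:14:01.700000Z 15 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T03:14:02.100000Z 16 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T03:14:02.500000Z 17 [Note] Access denied for user 'root'@'198.51.100.7' (using password: NO)
2017-02-12T03:20:00.000000Z 40 [Note] Access denied for user 'app'@'10.0.5.20' (using password: YES)
2017-02-12T09:00:00.000000Z 41 [Note] Access denied for user 'app'@'10.0.5.20' (using password: YES)
2017-02-12T09:00:05.000000Z 42 [Note] InnoDB: Buffer pool(s) load completed
"""

# Only the timestamp and the "Access denied for user 'u'@'h'" fragment are
# matched, so the thread id / level columns between them may vary by version.
ACCESS_DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{6})?)Z?"
    r".*?Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failed_logins(log_text: str) -> Iterator[tuple[datetime, str, str]]:
    """Yield (timestamp, user, source host) for every access-denied line."""
    for line in log_text.splitlines():
        m = ACCESS_DENIED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["host"]


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict[str, dict]:
    """Sliding-window count of failed logins per source host.

    Returns {host: {"failures", "first", "last", "users"}} for each host that
    reaches `threshold` failures within `window`. The alert is raised once,
    at the moment the threshold is crossed, so a follow-on blocking rule
    fires as early as possible.
    """
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    users: dict[str, set[str]] = defaultdict(set)
    alerts: dict[str, dict] = {}
    for ts, user, host in parse_failed_logins(log_text):
        q = recent[host]
        q.append(ts)
        users[host].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {"failures": len(q), "first": q[0], "last": ts,
                            "users": sorted(users[host])}
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{host}: {info['failures']} failures between {info['first']} "
              f"and {info['last']} against accounts {info['users']}")
```

On the sample, 198.51.100.7 is flagged after its fifth failure in under two seconds while the two failures from 10.0.5.20 hours apart are ignored, which is the distinction a blocking rule needs. The lines only exist if the server logs failed connections (log_warnings of 2 or more on 5.7), so enabling that is part of the hardening, and the real fix remains not exposing port 3306 to the Internet at all.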

The bottom line

All these database hack incidents show that the data management platforms themselves are not to blame. Whether it is MongoDB, Hadoop, CouchDB or MySQL, each one provides ample security capabilities, including authentication, role-based access control, options to bind the listener to internal interfaces only, and encryption of data in transit and at rest.

It is careless deployment of these databases that lets the attacks through. The attackers simply query Shodan, a search engine for Internet-accessible devices, for hosts exposing the default ports (27017 for MongoDB, 5984 for CouchDB, 3306 for MySQL, the NameNode ports for Hadoop) and work down the list; the rest is a matter of low-level hacking. We strongly recommend that all admins keep database software up to date and use the security features that ship with every platform: bind listeners to internal interfaces, enable authentication, give applications least-privilege accounts instead of sharing root, and add multifactor authentication where the platform or a proxy in front of it supports it.

There are plenty of further measures: a database firewall, separating web servers from database servers, encrypting data and backups, keeping offline backups that the database account itself cannot delete (the only reliable answer to a wiped database), and locking down database user access.

Securing a database may seem daunting, but each additional step makes a real difference and cuts off whole classes of attackers. Some organizations may need professional services to help implement the best solutions. Attackers keep changing their techniques, so it is crucial to stay current on the security measures available. Awareness is an excellent place to start.

By Alex Vakulov
