April 22, 2022

How Ransomware Authors Target Databases

By Alex Vakulov

Ransomware Database Targeting

The scourge of ransomware is undoubtedly the most severe cyber security concern for home users and organizations these days. It revolves around taking important data hostage and demanding money, usually hard-to-trace cryptocurrency like Monero or Bitcoin, in exchange for the recovery service. Online extortionists are constantly diversifying their attack vectors to affect as many victims as possible. The rise of database ransomware demonstrates this unsettling evolution. As per cybersecurity experts from VPNBrains.com, the threat actors who chose to zero in on servers rather than endpoints have had a huge success implementing their updated tactics.

MongoDB servers turn out to be an easy target

Ransomware Comic Cloudtweaks

A massive campaign targeting MongoDB servers broke out several years ago. It was the first-ever instance of malefactors compromising open-source database platform implementations on a large scale. A black hat hacker known in the cybercrime underground under the alias “Harak1r1” was able to identify and attack numerous poorly protected MongoDB installations across the globe. The workflow of these breaches is as follows: the crook gains unauthorized access to databases, exfiltrates their content, and replaces it with a ransom note. Server owners are instructed to submit Bitcoin payments to get the hostage data back.

Shortly after this extortion model took root, a powerful criminal group called Kraken got interested and stepped in. This involvement resulted in the increase of ransomed MongoDB servers from 10,000 to a whopping 28,000. The total amount of data stolen by the attackers reached about 93 terabytes. Several dozen victims reportedly ended up coughing up the requested ransom. However, they never got their data back. It is likely that the crooks were bluffing about the deal in that they simply erased the information without actually exporting it anywhere.

The reason why so many MongoDB instances became low-hanging fruit for the bad guys is all about the lack of caution on the administrators’ end. The campaign in question hit Internet-facing databases with the default configuration unaltered. The never-do-wells behind the attacks could, therefore, gain access to these unsecured servers by guessing or brute-forcing the password. None of this would have happened if admins had set up proper access control and authentication.

Hadoop and CouchDB databases at risk

A new wave of database attacks started hitting the headlines later too. This time, the same group of hackers went after servers running the Hadoop and CouchDB data management platforms. Similar to the above-mentioned MongoDB incidents, these breaches resulted in hijacking unsecured servers and deleting their data. The extortion part also involved a ransom demand, where the hackers pressured the infected organizations into paying Bitcoin to restore proprietary information.

Another common denominator in the two campaigns is that the fraudsters spot and compromise default installations of Hadoop and CouchDB databases with very weak authentication. Effectively, no specific malware or phishing tricks were involved – simply guessing administrative credentials was enough to pull off these attacks. The most adverse nuance of the breach’s aftermath is that the data was erased beyond recovery, so submitting the ransom could not help.

Threat Security

At about the same time, an individual who goes by the online handle “Kraken0” released a ransomware kit that automates the process of detecting and hacking into poorly protected databases. This kit was available for sale on darknet resources. The price was as low as $200. Wannabe crooks must have really appreciated such an opportunity to go pro.

MySQL databases are not much safer

Ransomware deployers did not pass by vulnerable MySQL installations either. Servers running this popular database management system were also subject to extortion attacks. Although the first wave lasted only 30 hours, it succeeded in compromising hundreds of MySQL databases globally. The anatomy of the attacks is invariable: defeat authentication and access a server, delete database content and then request ransom payment. Unfortunately, most of the time the criminals did not dump the data for real, so recovery was unfeasible.

This breach went two different routes. One of them presupposed adding a new table called “WARNING” to the existing database. This was a recovery how-to providing the attacker’s email address, a Bitcoin wallet address, and the amount to be paid. The server administrator was instructed to visit a specific page using the Tor Browser and follow further directions listed on the darknet site. The other scenario engaged a new database containing a table called “PLEASE_READ.” This edition of the ransom note told victims to submit the specified amount of cryptocurrency and then send the plagued IP address or database name to backupservice @ mail2tor.com. In either case, the perpetrators did not keep their promises and never gave the hostage data back.

The bottom line

All database hack incidents demonstrated that the data management platforms per se are not to blame for these predicaments. Whether it is MongoDB, Hadoop, CouchDB, or MySQL – each one provides plenty of security capabilities and information protection options, including advanced authentication, access control, and data encryption.

It is an unprofessional implementation of these databases that allows these attacks to get through. The malefactors can simply scan Shodan, a search engine for online-accessible devices, to find vulnerable servers. The rest is a matter of low-level hacking. We strongly recommend all web admins to keep their database software up to date and leverage security features that go with every such platform. It is advised to use all possible protection mechanisms including multifactor authorization. Keep in mind that your mobile devices can be monitored too with the help of phone tracker apps.

There are actually plenty of tips on how to secure your database. These include making use of database firewalls, separating web servers from database servers, encrypting data and backups, securing database user access, etc.

While securing the database may seem like a difficult task, each additional step you take makes a profound difference and cuts vast groups of potential hackers. Some organizations may need to use professional services to help them implement the best solutions. Hackers continue to change their techniques. It is crucial to stay up to date on all security measures available out there. Becoming aware is an excellent step to start with.

By Alex Vakulov

Alex Vakulov

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He is writing for numerous tech-related publications sharing his security experience.
Stacey Farrar

Six Things to Consider When Choosing Between Free and Paid Migration Tools

Choosing Between Free and Paid Migration Tools Microsoft recently decided to stop offering its free [...]
Read more
Oxylabs

Episode 15: The Power of Data Scraping

A conversation with Aleksandras Šulženko – Product owner at Oxylabs.io In a global economy where [...]
Read more
Nagaraj Kuppuswamy

Next-Generation Threats: Securing Multi-Cloud Environment

Next-Generation Threats Using cloud services from multiple cloud service providers is the fundamental tenet of [...]
Read more
Stacey Farrar

Copilot Is Here: What to know before migrating to Microsoft 365

Migrating to Microsoft 365 Microsoft is the latest company to unveil enhanced artificial intelligence (AI) [...]
Read more
Frank Suglia

Forecasting Cloud Trends in 2024

The past few years have rapidly accelerated cloud adoption and impacted the overall IT landscape. [...]
Read more
Jennifer Nwokolo

8 Useful Tools For Risk Assessment and Management

Risk Assessment and Management Risks are inevitable in every business venture. Generally, most organizations aim [...]
Read more

SPONSOR PARTNER

Explore top-tier education with exclusive savings on online courses from MIT, Oxford, and Harvard through our e-learning sponsor. Elevate your career with world-class knowledge. Start now!
© 2024 CloudTweaks. All rights reserved.