[Update] Active attacks now include: MongoDB, Elasticsearch and Hadoop.

Two weeks ago the Internet was hit with the first in what has become a frightening trend of data ransom attacks, in which the attacker wipes an exposed database and leaves a note demanding payment for its return. This first attack affected fewer than 200 MongoDB installations and for the most part flew under the radar given the meager sum requested by the attacker (0.2 Bitcoins). However, this attack marked a significant shift in the ransom attack model, and just two weeks later we’re seeing a major escalation of this model and its impact.

What began with publicly accessible MongoDB databases has grown to include Elasticsearch clusters, and is now reported to be affecting other technologies. The first report of an Elasticsearch cluster being hit appeared on the official support forums on Thursday from a user who was running a test deployment accessible from the Internet. Today, at least 34,000 MongoDB databases have been erased while the number of Elasticsearch instances has reached over 1,600 and counting.

Currently, the technologies most at risk include:

  • MongoDB
  • Elasticsearch
  • Redis
  • Cassandra
  • Hadoop

We expect attackers to move on to other technologies and services that can store large volumes of data, and that can be accessed from the Internet.

What to do

If you have unsecured, Internet-facing datastores or filestores we urgently recommend the following steps:

  1. Perform backups of your data, and store them somewhere the exposed host cannot write to, so that an attacker who wipes the instance cannot also wipe the backup
  2. Configure authentication on your datastore if it’s available (MongoDB, Redis and Cassandra have it built in; open-source Elasticsearch does not, so put it behind an authenticating reverse proxy or rely on steps 3 and 4)
  3. Reconfigure your environment to isolate your datastores from the Internet: bind them to loopback or a private interface and place them in a network segment reachable only from your application hosts
  4. If isolation isn’t possible, restrict access to known source addresses with IP whitelists at the firewall or cloud security group
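As an added illustration of steps 2 and 3 (this is example configuration written for this page, not from the original post or the vendors), here is the exposed form of a MongoDB and an Elasticsearch config beside the hardened form. The private address 10.0.0.5 and the file names are assumptions for illustration; substitute the interface your application hosts actually reach.

```yaml
# mongod.conf, exposed: listens on every interface and has no security section,
# so any client that can reach port 27017 can list and drop databases
net:
  port: 27017
  bindIp: 0.0.0.0
---
# mongod.conf, hardened (10.0.0.5 is an assumed private application-network address)
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5      # loopback plus the private interface only
security:
  authorization: enabled          # create the admin user first; with no users yet,
                                  # the localhost exception lets you do that over 127.0.0.1
---
# elasticsearch.yml, exposed: REST API on every interface, no authentication
network.host: 0.0.0.0
http.port: 9200
---
# elasticsearch.yml, hardened: open-source Elasticsearch has no built-in
# authentication, so binding to a non-public address (or fronting it with an
# authenticating reverse proxy) is the control
network.host: 127.0.0.1
http.port: 9200
```

After restarting, confirm with `ss -ltnp` (or `netstat -ltnp`) that 27017 and 9200 are bound only to the intended addresses, then test from a host outside your network that the ports no longer answer; a listener that is still reachable from the Internet means step 4 (a firewall or security-group whitelist in front of it) is still required.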

We also recommend immediate, non-automated adversarial assessment of your Internet perimeter. Attackers are looking for any data of value that they can access on a programmatic basis and delete, and Bugcrowd expects this new data ransom trend to continue, and for the techniques used to evolve rapidly and creatively.
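The adversarial assessment above is what an attacker does at scale: connect to each datastore port and see whether the service hands over data to an anonymous client. The following probe is an added example written for this page, not Bugcrowd’s tooling; it speaks only enough of each protocol (RESP for Redis, HTTP for Elasticsearch, the legacy OP_QUERY wire message for MongoDB) to tell "OPEN" from "auth-required", and its classifiers are pure functions so they can be checked offline against the constructed replies embedded below. The timeout and the sample replies are assumptions, not captured traffic.

```python
"""Perimeter probe for unauthenticated datastore access (added example, not
Bugcrowd tooling).  Run with host names as arguments to probe them, or with no
arguments to classify the constructed sample replies below."""
import socket
import struct

TIMEOUT = 5.0  # seconds; assumed value, tune for the network being assessed


def classify_redis(reply):
    """Verdict on the reply to a plain-text INFO command (RESP protocol)."""
    if reply.startswith(b"-NOAUTH"):          # requirepass or ACL is configured
        return "auth-required"
    if reply.startswith(b"$") and b"redis_version" in reply:
        return "OPEN"                          # full server info, no password asked
    return "unknown"


def classify_http(reply):
    """Verdict on the reply to GET / on the Elasticsearch REST port."""
    parts = reply.split(b"\r\n", 1)[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "unknown"
    if parts[1] in (b"401", b"403"):           # proxy or security plugin in front
        return "auth-required"
    if parts[1] == b"200" and b"cluster_name" in reply:
        return "OPEN"                          # cluster banner served anonymously
    return "unknown"


def mongo_listdb_query(request_id=1):
    """Build an OP_QUERY (opcode 2004) running {listDatabases: 1} on admin.$cmd."""
    elem = b"\x10" + b"listDatabases\x00" + struct.pack("<i", 1)  # BSON int32 element
    doc = struct.pack("<i", 4 + len(elem) + 1) + elem + b"\x00"    # BSON document
    body = (struct.pack("<i", 0) + b"admin.$cmd\x00"               # flags, collection
            + struct.pack("<ii", 0, -1) + doc)                      # skip, return, query
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, 2004)
    return header + body


def classify_mongo(reply):
    """Verdict on the OP_REPLY (opcode 1) to the query above."""
    if len(reply) < 36 or struct.unpack_from("<i", reply, 12)[0] != 1:
        return "unknown"
    if b"not authorized" in reply:             # authorization enabled, no credentials
        return "auth-required"
    if b"databases" in reply and b"totalSize" in reply:
        return "OPEN"                          # database list handed to anonymous client
    return "unknown"


PROBES = {  # service: (default port, request builder, reply classifier)
    "redis": (6379, lambda: b"INFO\r\n", classify_redis),
    "elasticsearch": (9200, lambda: b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n", classify_http),
    "mongodb": (27017, mongo_listdb_query, classify_mongo),
}


def probe(host, service, port=None):
    """Connect, send the service's probe and classify the first chunk of the reply."""
    default_port, build, classify = PROBES[service]
    with socket.create_connection((host, port or default_port), timeout=TIMEOUT) as s:
        s.sendall(build())
        return classify(s.recv(8192))


def assess(host):
    """Run every probe against one host; closed or filtered ports read 'unreachable'."""
    results = {}
    for service in PROBES:
        try:
            results[service] = probe(host, service)
        except OSError:                        # refused, timed out, reset
            results[service] = "unreachable"
    return results


# Constructed sample replies (not captured traffic).  The MongoDB documents are
# JSON stand-ins for BSON; the classifier only substring-matches the key names.
_MONGO_HDR = b"\x00" * 12 + struct.pack("<i", 1) + b"\x00" * 20  # opcode 1, empty flags/cursor
SAMPLE_REPLIES = {
    "redis-open": ("redis", b"$112\r\n# Server\r\nredis_version:3.2.6\r\n"),
    "redis-auth": ("redis", b"-NOAUTH Authentication required.\r\n"),
    "es-open": ("elasticsearch", b"HTTP/1.0 200 OK\r\n\r\n"
                b'{"cluster_name":"elasticsearch","tagline":"You Know, for Search"}'),
    "es-auth": ("elasticsearch", b"HTTP/1.0 401 Unauthorized\r\n\r\n"),
    "mongo-open": ("mongodb", _MONGO_HDR
                   + b'{"databases":[{"name":"admin"}],"totalSize":8192,"ok":1}'),
    "mongo-auth": ("mongodb", _MONGO_HDR
                   + b'{"ok":0,"errmsg":"not authorized on admin to execute command","code":13}'),
}


def classify_samples():
    """Map each constructed sample to the verdict its classifier returns."""
    return {name: PROBES[svc][2](reply) for name, (svc, reply) in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    print({t: assess(t) for t in targets} if targets else classify_samples())
```

Run it only against hosts you own or are authorised to test. A verdict of "OPEN" on any Internet-facing host is exactly the condition the attackers are scanning for and should be treated as an incident in progress; "auth-required" still means the port is reachable and should be closed off with the isolation or whitelist steps above.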

It is possible to prevent these attacks. If your database is exposed, take the steps above to block access now, before an attacker’s scanner finds it.