Misconfigured Elasticsearch Servers Targeted by Threat Actors

Secureworks security researchers have identified a new attack campaign targeting misconfigured Elasticsearch databases. Threat actors demand ransom payments from targets by replacing the database content on vulnerable Elasticsearch servers with their ransom notes.
Ransom Note Left in Compromised Elasticsearch Database
The threat actors run the campaign with an automated script that deletes the contents of vulnerable databases and adds ransom notes. If the targets do not pay the ransom within seven days, the fee is doubled and access to the content is permanently lost. Once the targets make the requested payment, the threat actors download a link to the targets' database session. The link is claimed to enable restoration of all compromised directories. However, promises made by the threat actors should not be trusted, because it is impractical for them to store large amounts of content. Most likely, the contents of the hacked databases are simply deleted, and ransom notes are left promising to restore them. Therefore, database administrators need to take regular backups.

These and similar security breaches can lead to loss of reputation, data leakage, and possible service interruptions that may cost the affected institutions and organizations much more than the ransom amount. In this context, it is recommended to use current versions of systems and programs, take regular backups of critical systems and files, perform attack surface analysis tests at regular intervals, and use comprehensive security solutions.
