Hackers have attacked hundreds of Elasticsearch databases and now are asking for ransom


Threat analysts at Secureworks have spotted a new malicious campaign aimed at poorly secured Elasticsearch databases. The attackers have replaced 450 indexes with ransom notes demanding $620 to restore the contents. If every victim pays, the attackers stand to collect $279,000 in total.

Using an automated script, the attackers located unprotected databases, wiped their data and left a ransom note in their place. Victims have seven days to pay; after that the ransom doubles, and if they still have not paid within a further seven days, access to the indexes is lost for good.

After receiving the demanded amount, the attackers promise to send a link to a dump of the victim’s database, which will supposedly allow all indexes to be restored. But criminals’ promises cannot be trusted, can they? Even if a victim pays, it is very unlikely that the attackers will keep their word and help restore the affected databases.

The thing is, it is highly impractical for criminals to store large volumes of other people’s data. Most likely they simply deleted the contents of the attacked databases and left a ransom note, with no way to restore anything. That is why it is vital for database owners to take regular backups, so they can restore the content if it is lost.
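The two points above, indexes disappearing and being replaced by a single new one, and the need for a recent backup, can both be checked mechanically. The following is an added defender-side example, not code from the article or from Secureworks: it compares a baseline index inventory with the current one and checks the age of the latest snapshot, using constructed sample responses in the shape of Elasticsearch's `_cat/indices?format=json` and `_snapshot/<repo>/_all` output (the index and snapshot names are hypothetical).

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample responses (not real cluster data). BASELINE is what
# GET /_cat/indices?format=json returned yesterday; CURRENT is what it returns now.
BASELINE = json.loads('''[
 {"index": "orders-2022", "docs.count": "184233"},
 {"index": "customers", "docs.count": "9120"},
 {"index": "logs-app", "docs.count": "5501200"}
]''')
CURRENT = json.loads('''[
 {"index": "read_me_to_recover", "docs.count": "1"},
 {"index": "logs-app", "docs.count": "5501200"}
]''')
# Constructed GET /_snapshot/backups/_all response, reduced to the fields used here.
SNAPSHOTS = json.loads('''{"snapshots": [{"snapshot": "daily-2022-05-29", "state": "SUCCESS",
 "end_time": "2022-05-29T02:00:00.000Z"}]}''')
# Constructed "current time" for the check, so the example runs offline and deterministically.
NOW = datetime(2022, 5, 31, tzinfo=timezone.utc)

def diff_indices(baseline, current):
    """Return (missing, new) index names between two _cat/indices responses.
    Many indexes vanishing while one tiny unknown index appears matches the wipe-and-note pattern."""
    before = {i["index"] for i in baseline}
    after = {i["index"] for i in current}
    return sorted(before - after), sorted(after - before)

def latest_snapshot_age(snapshots, now):
    """Age of the newest successful snapshot as a timedelta, or None if there is none."""
    done = [s for s in snapshots["snapshots"] if s["state"] == "SUCCESS"]
    if not done:
        return None
    newest = max(datetime.fromisoformat(s["end_time"].replace("Z", "+00:00")) for s in done)
    return now - newest

def assess(baseline, current, snapshots, now, max_backup_age=timedelta(days=1)):
    """Combine both checks into a list of findings worth alerting on."""
    findings = []
    missing, new = diff_indices(baseline, current)
    if missing:
        findings.append("indices missing since baseline: " + ", ".join(missing))
    if new:
        findings.append("unexpected new indices: " + ", ".join(new))
    age = latest_snapshot_age(snapshots, now)
    if age is None or age > max_backup_age:
        findings.append("no successful snapshot within the allowed window; a restore would not be possible")
    return findings

if __name__ == "__main__":
    for finding in assess(BASELINE, CURRENT, SNAPSHOTS, NOW):
        print("ALERT:", finding)
```

Against a live cluster the same functions would be fed the JSON returned by the two API calls named above, taken from a monitoring job rather than embedded constants.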

At this point it looks like at least one victim has paid the ransom, since one of the Bitcoin wallets listed in the ransom notes has received a single payment.

Possible consequences of an incident like this include significant financial damage, data leaks and business disruption that could cost far more than the ransom itself.
