
Ransomware attacks hit Elasticsearch databases

BleepingComputer reports that threat actors have targeted vulnerable Elasticsearch databases, demanding a total of $279,000 to restore 450 replaced indexes. Secureworks researchers found that the attackers, who threatened to double the ransom if payment was not made within a week, used an automated script to parse the databases, delete data, and post the ransom demand.

According to Secureworks, similar past attacks against database management systems should prompt organizations to keep regular data backups in order to prevent substantial losses and business disruptions. Database admins have also been urged to ensure that their databases are not publicly exposed and that multi-factor authentication is enabled for remotely accessible databases.

The findings come after Group-IB reported that nearly 30% of 308,000 exposed databases last year were Elasticsearch instances. Admins took 170 days on average to notice database misconfigurations, which indicates how long threat actors may have to exploit them.
