​Ransom attackers plunder over 3,000 Elasticsearch clusters in days

The number of Elasticsearch implementations wiped clean by ransom attackers has climbed from 600 on Friday to over 3,000 on Monday.

Developers running Elasticsearch clusters appear not to have taken heed of last week’s security warnings from researchers and Elasticsearch’s maker, Elastic, to stop exposing these to the internet after attackers had claimed several hundred Elasticsearch clusters and replaced them with a ransom note, demanding 0.2 Bitcoin in payment.

The ransom notes and style of attack were nearly identical to a recent wave of attacks on MongoDB databases, where some 34,000 databases were wiped and replaced with a ransom note.

Security researchers Niall Merrigan and Victor Gevers, who monitored ransom attacks on MongoDB databases and maintained a spreadsheet of known attackers, have created a similar spreadsheet for tracking Elasticsearch ransoms.

The 600 ransacked Elasticsearch clusters reported by Merrigan on Friday were revised by Gevers on Monday morning to 2,813. The figure climbed to 3,234 by the afternoon. According to Gevers, the data-wiping attacks were carried out by just three groups.

According to Shodan figures, there are around 35,000 internet-facing Elasticsearch implementations. Gevers told CSO Australia that 16,280 are doing important jobs -- an assessment based on the size and names of these implementations' indexes.

The pair reckon these implementations will all be wiped within two to three weeks unless they’re locked down.

“The first actor expanded their reach from 321 to 708 “infections” within a time span of 8 hours,” the pair wrote. “At this rate and possible copycat behavior we estimated a full destruction of any internet-facing Elasticsearch within two a (sic) three weeks.”

The attackers do not in fact install malware on either MongoDB or Elasticsearch targets, but rather wipe data and falsely claim to hold a copy of the wiped data that supposedly will be returned after payment was made. So far 34,000 MongoDB instances have been wiped. Merrigan noted on Monday that MongoDB victims had paid $20,000 in Bitcoin.

Elastic on Friday posted a blog warning developers to lock down Elasticsearch clusters and offering steps to prevent exposing clusters to the ransom attacks.

“We’ve strongly recommended that unsecured Elasticsearch instances should not be directly exposed to the Internet,” Elastic’s engineering team wrote. “We’ve also put this into practice by having our default installation bind to localhost. Nonetheless, we’ve become aware that there are an increasing number of unsecured, Internet-accessible instances.”

Tags BitcoinMongoDBransomware attacksElasticsearch

Show Comments