The contents of ElasticSearch private databases are being ransomed back to their owners
The contents of ElasticSearch private databases are being ransomed back to their owners

A group of MongoDB bandits have moved onto Java based search engine ElasticSearch. Starting yesterday, ElasticSearch servers were being hijacked and the data ransomed back to their owners.

According to reports, researchers have spotted at least 600 ransacked servers, thought to be exploited because of weak passwords.

Users are being extorted to recover their ElasticSearch data, by a group calling itself  P1l4t0s. Ransom notes have asked for 0.2 bitcoin (£131) to be sent to a particular wallet, although only one ransom appears to have been paid.

These attacks are apparently a continuation of attacks on MongoDB databases where hackers have been following largely the same strategy: access internet accessible personal databases through exploiting weak passwords before wrecking those databases and extorting their owners for the return of their data.

The attacks on MongoDB were first reported by security researcher Victor Gevers.  Adversaries were apparently hitting MongoDB servers since late December last year, replacing the content that should be there and then demanding money.

Terry Ray, chief product strategist at Imperva, told SC Media UK he finds it interesting that “the criminals here have decided that there is more money to be made by extortion than through the sale of the data on the dark web.  But then again, even if a company pays the ransom, there is no guarantee that the hackers won't also try to monetise the data.”

Ray added, for the companies affected, “the real cost is the downtime associated with not being able to access critical systems. This is a prime example of why it is important to continuously monitor data where it lives and to block the actions of malicious actors.”

Javvad Malik, security advocate at AlienVault, told SC that users have to take some of the responsibility in cases like this. “Like MongoDB, the ElasticSearch attacks are not so much about the technologies themselves, but in the way people have implemented them using either default configurations or weak passwords,” he said.

“It highlights the disconnect between many developers from good security practices. Appearing as if getting functionality working takes precedence over security.”