Over the last week, we've been regularly monitoring multiple storage/database technologies for ransomware, it all started with MongoDB, however other technologies are now being affected. This is nothing new to BinaryEdge, has we had previously shown how these technologies, when misconfigured can present themselves as big problems.

We've seen MongoDB, Redis, ElasticSearch, Hadoop, Cassandra, CouchDB falling to ransomware attacks.

We will keep updating this compendium with new database names that we find associated with Ransomware and new technologies.

MongoDB###

We're seeing multiple players attacking MongoDB, regular scans show changes in database names, where in some cases we saw "WARNING" on top on a second scan "PLEASE_READ_ME" was in the lead (these scans were 24 hours apart), this shows that hackers are competing for machines/databases and there are lots of different attacks happening simultaneously.

Scan made on 16th of January

Scan made on 17th of January

The list of ransomware names we've found for mongoDB are:

CONTACTME

WARNING

ENCRYPTED

PWNED_SECURE_YOUR_STUFF_SILLY

PLEASE_READ

PLEASE_READ_ME

README_MISSING_DATABASES

READ1

README

README_YOU_DB_IS_INSECURE

To learn how to secure your MongoDB please go to: http://docs.mongodb.org/manual/security/

Redis###

Ransomware on Redis has previously been detected by DuoSecurity. This is something that is still happening. If you want to check if your redis instance has been attacked, check your keys using the "KEYS *" command on redis command line, and if you have a key named crackit you might be affected.

ElasticSearch###

We're seeing multiple instances of ElasticSearch also being targeted by ransomware, to see if you've been affected you check your index names and see if any of the following are present (https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-indices.html).

The index names we've seen being used as ransomware on elasticsearch are:

pleasereadthis

please_read

warning

Hadoop###

Hadoop is another technology that has also been affected by ransomware attacks.

If you want to see if your instance of Hadoop is affected, visit the following URL on your Hadoop instance: http:// :50070/explorer.html#/

For Hadoop the indexes we've seen the following key being used:

NODATA4U_SECUREYOURSHIT

On the 17th of January, we have already seen over 1000 instances of Hadoop already affected by ransomware.

Cassandra###

Cassandra is a high scalability and high availability database.

To see if your Cassandra instance was compromised, look at your Keyspaces (this can be done using cqlsh and using the command DESCRIBE keyspaces; ) and see if you have any of the following:

your_db_is_not_secure

CouchDB###

CouchDB instances are also being compromised. To verify if your instance has been compromised you can visit

http:// :5984/_all_dbs and check the name of the databases for some of the following:

pleaseread

pleasereadme

To secure your CouchDB instance please add authentication by following the steps on this link: http://docs.couchdb.org/en/2.0.0/api/server/authn.html