New ransomware attacks databases instead of files in large scale attack

Until recently, ransomware targeted document and image files, as they usually hold the information the victims need most. Most ransomware families had hard-coded detection of such file types for the purpose of rendering them unusable. Some families instead rely on volume encryption and encrypt everything, after first disabling the operating system and booting their own code (see the Petya family). Such examples are file agnostic, but their success rate is lower than that of the “traditional” ransomware families, like CryptoLocker, because infection requires sensitive, highly privileged operations (altering the master boot record).

On the 6th of January, however, a massive ransomware attack using a “traditional” ransomware payload targeted a large number of web servers that use MongoDB as their database backend. It is the first time a large-scale attack has targeted databases instead of document and image files: more than 10,000 databases were taken hostage. The attacks are being tracked by two security researchers, Niall Merrigan and Victor Gevers. A later update, on the 9th of January, shows nearly 28,000 databases rendered unusable.

Although the attacks only succeed if the database is exposed on the internet and the default administrator user has no password, they are interesting because of their new targets and the way they work:

  • Targets are selected automatically based on a vulnerability scan;
  • The attacks are scripted, not launched manually as part of phishing or spam email campaigns;
  • Once a database is confirmed as vulnerable, the malicious scripts download its contents and then replace them with a ransom note;
  • Multiple groups run these scripts, so the same database may be attacked by 3-4 distinct groups, each asking for a different amount of payment and using different bitcoin addresses;
  • There are cases in which the download of the original database data fails, and the data is then lost, as the attackers replace all contents with a ransom note;
  • Likewise, when multiple groups attack the same database, its contents will not be recoverable.

Even though the vulnerability being exploited is severe, and anyone with minimal security concerns would find and remediate it, a single group of attackers was able to make in excess of $6,000 in just three days (according to the update on the 9th of January).

At the same time, these attacks differ from classic ransomware attacks in a crucial way: they cannot be detected by ransomware detection tools or anti-virus programs:

  • The attacks do not launch a program on the target machine;
  • The attacks do not execute code that manipulates files: most anti-ransomware tools look at how files are being manipulated in order to detect ransomware;
  • The attacks exploit vulnerabilities that allow direct access to the attacked resource, in the same way as a legitimate access request.

But perhaps most worrying is the fact that these attacks go straight for the data itself, regardless of where it resides. The file layer therefore becomes uninteresting for ransomware attacks, and the information itself becomes the target. The solution to the ransomware problem shifts from revolving around the detection of malware or file-related behavior to requiring far more advanced detection and prevention tools such as vulnerability assessment, log analysis, correlation of activity, etc. For all we know, any vulnerability exploit that grants access to data residing in databases (regardless of the database type) may become a ransomware attack. Cyber criminals may add ransom demands to their standard methodology: stealing data and selling it on the black market.
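As an added example (not code from the original post or from TEMASOFT), the log analysis and correlation mentioned above can be applied to the server's own mongod log: a burst of dropDatabase commands on one connection, followed by a write into a fresh database, is the wipe-then-note pattern described earlier. The log lines are constructed in the mongod 3.x plain-text style, the thresholds are assumptions, and the source address is taken from the matching "connection accepted" line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the mongod 3.x plain-text log style (not from the article):
# conn12 wipes three databases in two seconds, then writes one document into a new
# database (the "note"); conn13 is a single routine drop from an internal address.
SAMPLE_LOG = """\
2017-01-06T10:00:00.000+0000 I NETWORK  [thread1] connection accepted from 203.0.113.7:51234 #12 (1 connection now open)
2017-01-06T10:00:01.120+0000 I COMMAND  [conn12] command shop.$cmd command: dropDatabase { dropDatabase: 1 } protocol:op_query 40ms
2017-01-06T10:00:01.300+0000 I COMMAND  [conn12] command crm.$cmd command: dropDatabase { dropDatabase: 1 } protocol:op_query 35ms
2017-01-06T10:00:01.480+0000 I COMMAND  [conn12] command analytics.$cmd command: dropDatabase { dropDatabase: 1 } protocol:op_query 38ms
2017-01-06T10:00:02.000+0000 I COMMAND  [conn12] command ransom_note_db.$cmd command: insert { insert: "README", ordered: true } protocol:op_query 5ms
2017-01-06T11:30:00.000+0000 I NETWORK  [thread1] connection accepted from 10.0.0.5:40010 #13 (2 connections now open)
2017-01-06T11:30:05.000+0000 I COMMAND  [conn13] command staging.$cmd command: dropDatabase { dropDatabase: 1 } protocol:op_query 30ms
"""

CONN_RE = re.compile(r"^\S+ I NETWORK\s+\[\S+\] connection accepted from (\S+):\d+ #(\d+)")
CMD_RE = re.compile(r"^(\S+) I COMMAND\s+\[conn(\d+)\] command (\S+)\.\$cmd command: (dropDatabase|insert)")

def detect_mass_drop(log_text, min_drops=3, window=timedelta(seconds=60)):
    """Flag connections dropping >= min_drops databases inside window and list
    the databases the same connection wrote to afterwards (the ransom note)."""
    source_ip = {}            # connection id -> remote address
    ops = defaultdict(list)   # connection id -> [(timestamp, op, database)]
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            source_ip[m.group(2)] = m.group(1)
            continue
        m = CMD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f%z")
            ops[m.group(2)].append((ts, m.group(4), m.group(3)))
    alerts = []
    for conn, events in ops.items():
        events.sort()
        drops = [(ts, db) for ts, op, db in events if op == "dropDatabase"]
        for i in range(len(drops) - min_drops + 1):
            first, last = drops[i][0], drops[i + min_drops - 1][0]
            if last - first <= window:   # burst of drops: the wipe pattern
                alerts.append({"conn": conn, "source_ip": source_ip.get(conn, "unknown"),
                               "dropped": [db for _, db in drops],
                               "written_after": [db for ts, op, db in events
                                                 if op == "insert" and ts >= last]})
                break
    return alerts
```

Running `detect_mass_drop(SAMPLE_LOG)` flags only conn12, with its source address, the three dropped databases and the database written afterwards; the single drop from conn13 stays below the threshold.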

All these points make the attacks unique and new to the cyber security landscape, proving the point that ransomware is evolving rapidly, not just regarding technical variety and complexity, but also regarding approach, target selection, and behavioral patterns.

What can be done

Obviously, the good old security best practices are still very effective: periodic vulnerability assessment, patch management, monitoring of business services and assets exposed to the internet, etc. Along with those, specialized ransomware detection tools help by significantly reducing the risk of traditional ransomware attacks that affect files.

TEMASOFT develops advanced anti-ransomware software that detects and blocks most present and future ransomware and allows file recovery if successful attacks occur. This technology will soon be available. For more information, follow us on social media and subscribe to our newsletter.