On the 6th of January, however, a massive ransomware attack using a “traditional” ransomware payload targeted a large number of web servers that use MongoDB as their database backend. It was the first time a large-scale attack targeted databases instead of document and image files: more than 10,000 databases were taken hostage. The attacks are being tracked by two security researchers, Niall Merrigan and Victor Gevers. A later update, on the 9th of January, put the number of databases rendered unusable at nearly 28,000.
Although the attacks only succeed if the databases are exposed on the internet and the default administrator user has no password, they are interesting because of the new targets and the way they work:
Even though the vulnerability being exploited is severe, and anyone with even minimal security concerns would find and remediate it, a single group of attackers was able to make in excess of $6,000 in just three days (according to the update on the 9th of January).
At the same time, these attacks differ from classic ransomware attacks in a crucial way: they cannot be detected by ransomware detection tools or anti-virus programs.
But perhaps most worrying is the fact that these attacks go straight for the data itself, regardless of where it resides. The file layer therefore becomes uninteresting for ransomware attacks, and the information itself becomes the target. The solution to the ransomware problem starts moving from revolving around detection of malware or file-related behaviour to requiring far more advanced detection and prevention tools: vulnerability assessment, log analysis, correlation of activity, and so on. For all we know, any vulnerability exploit that grants access to data residing in databases (regardless of the database type) may turn into a ransomware attack. Cyber criminals may add ransom demands to their standard methodology of stealing data and selling it on the black market.
All these points make the attacks unique and new to the cyber security landscape, proving that ransomware is evolving rapidly, not just in technical variety and complexity, but also in approach, target selection, and behavioural patterns.
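The log analysis and correlation of activity mentioned above, worked through as an added example that is not part of the original post: a small correlation over mongod log lines in the 3.x text format. It ties each `[connN]` entry back to the remote address that opened the connection (the `connection accepted from ... #N` line) and flags `dropDatabase`/`drop` commands issued over connections from outside the site's own networks. The log lines are constructed for the example, and `INTERNAL_NETS` is an assumed site-specific list that an operator would maintain.

```python
"""Added example (not from the original post): correlate mongod 3.x log lines
so that each destructive command is attributed to the address that opened the
connection. SAMPLE_LOG is constructed; INTERNAL_NETS is an assumed site list."""

import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumption: the operator lists the networks trusted to administer the server.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                         "192.168.0.0/16", "127.0.0.0/8")]

# "connection accepted from <addr>:<port> #<conn id>" (mongod NETWORK line)
ACCEPT_RE = re.compile(r"connection accepted from (?P<addr>\S+):(?P<port>\d+) #(?P<conn>\d+)")
# "[connN] command <db>.$cmd command: dropDatabase { ... }" (mongod COMMAND line)
DROP_RE = re.compile(r"\[conn(?P<conn>\d+)\] command (?P<db>[^.\s]+)\.\$cmd "
                     r"command: (?P<cmd>dropDatabase|drop) ")

# Constructed sample: one external client (203.0.113.5) and one internal one (10.0.0.7).
SAMPLE_LOG = """\
2017-01-06T10:15:02.123+0000 I NETWORK  [thread1] connection accepted from 203.0.113.5:51234 #12 (1 connection now open)
2017-01-06T10:15:02.900+0000 I NETWORK  [thread1] connection accepted from 10.0.0.7:40000 #13 (2 connections now open)
2017-01-06T10:15:03.456+0000 I COMMAND  [conn13] command inventory.$cmd command: find { find: "items" } 120ms
2017-01-06T10:15:04.001+0000 I COMMAND  [conn12] command inventory.$cmd command: dropDatabase { dropDatabase: 1 } 15ms
2017-01-06T10:15:04.300+0000 I COMMAND  [conn12] command customers.$cmd command: dropDatabase { dropDatabase: 1 } 12ms
2017-01-06T10:15:05.000+0000 I COMMAND  [conn13] command scratch.$cmd command: dropDatabase { dropDatabase: 1 } 9ms
"""


def is_internal(addr):
    """True when the address falls inside one of the trusted networks."""
    ip = ip_address(addr.strip("[]"))  # strip IPv6 brackets if present
    return any(ip in net for net in INTERNAL_NETS)


def correlate_drops(log_text):
    """Return one alert per drop/dropDatabase, attributed to its source address."""
    conn_to_addr = {}
    alerts = []
    for line in log_text.splitlines():
        ts = line.split(" ", 1)[0]
        m = ACCEPT_RE.search(line)
        if m:
            conn_to_addr[m["conn"]] = m["addr"]
            continue
        m = DROP_RE.search(line)
        if m:
            addr = conn_to_addr.get(m["conn"], "unknown")
            internal = addr != "unknown" and is_internal(addr)
            alerts.append({
                "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                "conn": m["conn"],
                "source": addr,
                "db": m["db"],
                "command": m["cmd"],
                # drops from outside the trusted networks are the ransomware pattern
                "severity": "review" if internal else "high",
            })
    return alerts


def external_drop_summary(alerts):
    """Count destructive commands per external (high-severity) source address."""
    counts = {}
    for a in alerts:
        if a["severity"] == "high":
            counts[a["source"]] = counts.get(a["source"], 0) + 1
    return counts


if __name__ == "__main__":
    found = correlate_drops(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"].isoformat()} {a["severity"]:6} {a["command"]} on {a["db"]} from {a["source"]} (conn{a["conn"]})')
    print("external drops per source:", external_drop_summary(found))
```

The two-step structure matters: the COMMAND line alone only carries a connection id, so the accept line is the only place the remote address appears. A drop from an internal address is still recorded, but at a lower severity, so an administrator's own cleanup does not drown out the external pattern.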
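The vulnerability-assessment side of those best practices, as an added example that is not part of the original post or TEMASOFT's product: a check of a `mongod.conf` file for the two conditions the attacks depend on, an instance listening on a non-loopback interface (`net.bindIp`) and authentication not enabled (`security.authorization`). The two sample configurations are constructed. The parser handles only the small YAML subset that `mongod.conf` uses (indentation-nested maps of scalar values), not full YAML, and it assumes, conservatively, that an absent `bindIp` means all interfaces, which was the server's behaviour in the versions current at the time of the attacks (the localhost-only default arrived in MongoDB 3.6).

```python
"""Added example (not from the original post): audit a mongod.conf for the
exposure conditions the post describes. EXPOSED_CONF and HARDENED_CONF are
constructed samples; parse_simple_yaml handles only nested key: value maps."""

from ipaddress import ip_address

# Constructed: the shape of a deployment that the January attacks hit.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
"""

# Constructed: the same server restricted to localhost with authentication on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` maps (the mongod.conf subset only)."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # close maps deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def exposed_to_internet(config):
    """True when mongod would accept connections on a non-loopback address."""
    net = config.get("net", {})
    if str(net.get("bindIpAll", "false")).lower() == "true":
        return True
    raw = net.get("bindIp")
    if raw is None:
        return True  # assumption: absent bindIp treated as all interfaces (pre-3.6)
    for addr in raw.split(","):
        addr = addr.strip()
        if addr == "localhost":
            continue
        try:
            if ip_address(addr).is_loopback:
                continue
        except ValueError:
            pass  # hostnames or socket paths: treated as reachable, i.e. flagged
        return True
    return False


def auth_enabled(config):
    """True when security.authorization is enabled (a replica-set keyFile also
    implies authorization in MongoDB, which this check does not model)."""
    sec = config.get("security", {})
    return str(sec.get("authorization", "disabled")).lower() == "enabled"


def audit(config_text):
    """Return the list of findings for one mongod.conf; empty means both checks pass."""
    cfg = parse_simple_yaml(config_text)
    findings = []
    if exposed_to_internet(cfg):
        findings.append("listens on a non-loopback interface")
    if not auth_enabled(cfg):
        findings.append("security.authorization is not enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(conf) or ["ok"])
```

Either finding on its own is worth fixing, but the combination is what the attacks needed: an administrator can reach a localhost-only instance over SSH, and an authenticated instance on the internet at least forces the attacker past a credential check.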
This post was last modified on August 21, 2023 7:27 am