
New ransomware attacks databases instead of files in large scale attack

Until recently, ransomware targeted document and image files, because they usually hold the information the victims need. Most ransomware families carried hard-coded lists of such file types in order to render them unusable. Some families rely on volume encryption instead and encrypt everything, after first disabling the operating system and booting their own code (see the Petya family). These are file agnostic, but their success rate is lower than that of the “traditional” ransomware families, such as CryptoLocker, because infection requires sensitive, highly privileged operations (altering the master boot record).

On the 6th of January, however, a massive ransomware attack using a “traditional” ransomware payload targeted a large number of web servers that use MongoDB as their database backend. It is the first time that a large scale attack has targeted databases instead of document and image files: more than 10,000 databases were taken hostage. The attacks are being tracked by two security researchers, Niall Merrigan and Victor Gevers. A later update, on the 9th of January, puts the number of databases rendered unusable at nearly 28,000.

Although the attacks only succeed if the database is reachable from the internet and the default administrator user has no password, they are interesting because of the new targets and the way they work:

  • Targets are selected automatically based on a vulnerability scan;
  • The attacks are scripted, not launched manually as part of phishing or spam email campaigns;
  • Once the database is confirmed as vulnerable, the malicious scripts download its contents and then replace them with a ransom note;
  • Multiple groups run these scripts, so the same database may be attacked by 3-4 distinct groups, each asking for a different amount and using a different bitcoin address;
  • In some cases the download of the original data fails, in which case the data is lost, as the attackers replace all contents with a ransom note anyway;
  • Likewise, when multiple groups attack the same database, the contents will not be recoverable.

Even though the vulnerability being exploited is severe and anyone with minimal security concerns would find and remediate it, a single group of attackers was able to make in excess of $6,000 in just three days (according to the update on the 9th of January).

At the same time, these attacks differ from classic ransomware attacks in a crucial way: they cannot be detected by ransomware detection tools or anti-virus programs:

  • The attacks do not launch a program on the target machine;
  • The attacks do not execute code that manipulates files, and most anti-ransomware tools detect ransomware by watching how files are manipulated;
  • The attacks exploit vulnerabilities that allow direct access to the attacked resource, in the same way as a legitimate access request.

But perhaps most worrying is the fact that these attacks go straight for the data itself, regardless of where it resides. The file layer thus becomes uninteresting for ransomware attacks, and the information itself becomes the target. The solution to the ransomware problem moves from revolving around detection of malware or file-related behaviour to requiring far more advanced detection and prevention tools: vulnerability assessment, log analysis, correlation of activity, and so on. For all we know, any vulnerability exploit that grants access to data residing in databases (regardless of the database type) may become a ransomware attack. Cyber criminals may add ransom demands to their standard methodology of stealing data and selling it on the black market.

All these points make the attacks unique and new to the cyber security landscape, and prove that ransomware is evolving rapidly, not just in technical variety and complexity, but also in approach, target selection and behavioural patterns.

What can be done

Obviously, the good old security best practices are still very effective: periodic vulnerability assessment, patch management, monitoring of business services and assets exposed to the internet, and so on. Alongside those, specialized ransomware detection tools significantly reduce the risk from traditional ransomware attacks that affect files.
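The log analysis and activity correlation mentioned above, as an added example that is not part of the original post and is not TEMASOFT's code: it reads constructed mongod log lines modelled on the MongoDB 3.x text log (an assumed format), remembers which source address opened each connection, and alerts when a connection from outside the assumed internal address ranges drops a database, which is what replacing a database with a ransom note looks like from the server's side.

```python
import ipaddress
import re

# Constructed sample lines modelled on the MongoDB 3.x text log (assumed format):
# an internal client drops a staging database, then an external client
# connects and drops the "customers" database.
SAMPLE_LOG = """\
2017-01-06T10:15:20.001+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.12:40110 #5 (1 connection now open)
2017-01-06T10:15:21.010+0000 I COMMAND  [conn5] dropDatabase staging starting
2017-01-06T10:15:21.050+0000 I COMMAND  [conn5] dropDatabase staging finished
2017-01-06T10:15:22.123+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.5:51234 #7 (2 connections now open)
2017-01-06T10:15:23.456+0000 I COMMAND  [conn7] dropDatabase customers starting
2017-01-06T10:15:23.500+0000 I COMMAND  [conn7] dropDatabase customers finished
2017-01-06T10:15:24.000+0000 I NETWORK  [conn5] end connection 10.0.0.12:40110 (1 connection now open)
"""

# Assumed internal address space; anything else is treated as the open internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

CONN_RE = re.compile(r"connection accepted from (?P<ip>[\d.]+):\d+ #(?P<id>\d+)")
DROP_RE = re.compile(r"\[conn(?P<id>\d+)\] dropDatabase (?P<db>\S+) starting")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate_drops(log_text):
    """Return (timestamp, source_ip, database) for every dropDatabase issued
    over a connection that did not originate from the internal networks.
    A drop on a connection whose origin was never logged is reported too,
    with source 'unknown', so a truncated log cannot hide it."""
    origin = {}  # connection id -> source IP from the "connection accepted" line
    alerts = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            origin[m.group("id")] = m.group("ip")
            continue
        m = DROP_RE.search(line)
        if m:
            ip = origin.get(m.group("id"), "unknown")
            if ip == "unknown" or not is_internal(ip):
                alerts.append((line.split(" ", 1)[0], ip, m.group("db")))
    return alerts


if __name__ == "__main__":
    for ts, ip, db in correlate_drops(SAMPLE_LOG):
        print(f"{ts} ALERT: database '{db}' dropped over external connection from {ip}")
```

On a real deployment the same correlation should also flag the connection itself, since a database that is configured correctly never accepts unauthenticated connections from the internet in the first place.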

TEMASOFT develops advanced anti-ransomware software that detects and blocks most present and future ransomware and allows file recovery if a successful attack occurs. This technology will soon be available. For more information, follow us on social media and subscribe to our newsletter.

This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years of experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: network audit, information security, web security, endpoint security, perimeter security, SIEM, legal compliance, competitive intelligence.

