The Anatomy of a Database-Related Ransomware Attack

Andrew Abwoga
14 April 2020

Cyber extortion schemes like ransomware have been at the heart of the threat landscape since the mid-2000s. Their impact has been felt across the full spectrum of global industry and other institutions: governments, hospitals, large, medium and small businesses, and individual consumers. The World Economic Forum (WEF) Global Risks Report 2020 lists cyber attacks, ransomware among them, as one of the top 10 economic risks, alongside risks such as global warming.

Given the potential impact of this threat, it is prudent to understand exactly how it works so that the necessary protections can be put in place. This article explains the mechanics of ransomware attacks that specifically target databases.

Who Are the Attackers

Looking back, a number of attack campaigns and groups have actively targeted databases. Among them are the GandCrab campaign against MySQL and MongoDB servers, the Harak1r1 group's MongoDB campaign (2016), the Kraken campaign against MongoDB databases and the Own3d attack group, among many others, not to mention the most recent attack, in which about 15,000 Elasticsearch servers were wiped and defaced.

How the Attacks Work

What most of these campaigns have in common is the use of Ransomware-as-a-Service (RaaS) kits, which borrow from the Software-as-a-Service model. RaaS software lets attackers launch campaigns with little effort: all they need is a subscription to a dark web site that hosts a RaaS platform built by other cybercriminals. These kits are normally built to attack databases at scale, though in a few cases they have been used by individuals against their own employers as a form of revenge. They come with an array of tactics, techniques and procedures (TTPs) for compromising victims, including the following:

  1. Scanning the internet for databases listening on open ports.
  2. Searching engines like Shodan for databases with exposed ports and known vulnerabilities.
  3. Password dictionary attacks using default or obvious passwords.
  4. Exploitation of known vulnerabilities in the database servers.
  5. Deletion and exfiltration of the data.
  6. Planting messages in the databases that ask the victim to pay a ransom to get the data back.
  7. Tracking of victims using online spreadsheets.

How to Stop the Attacks

With these TTPs in mind, a few key considerations stand out when it comes to protecting databases from ransomware. Most of them are akin to the basics of healthy living, like "eating your vegetables" to prevent disease: very basic security measures go a long way towards curbing these attacks. Below are some recommendations that will help prevent them:

  1. Back up your data and keep a solid, regularly tested backup strategy, with at least one copy the database server itself cannot reach, so that an attack cannot cause complete loss of your data.
  2. Patch your databases against known vulnerabilities to prevent exploitation and unauthorized access to your data.
  3. Use secure configuration management tools or procedures for your database deployments, so that unneeded services and settings (an unauthenticated listener bound to every interface, for example) are disabled and other potential attack vectors are closed.
  4. Grant least-privilege access to your databases, which limits the damage from insider threats and from any account whose password is guessed.
  5. Align your monitoring, logging and alerting with the TTPs above (bursts of failed logins, drop commands, unexpected new collections) so the attack is detected and stopped at an early stage.
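As an added example of what recommendation 5 means in practice, the script below runs detections for the TTPs listed earlier (password dictionary attacks, data deletion, planted ransom notes) over database audit-log lines and correlates them into a per-client verdict. It is not code from the original article or from any database vendor; the log format, the sample lines and the threshold values are assumptions made for this example, so the parser would need adjusting to your database's actual log layout.

```python
"""Run ransomware TTP detections over (constructed) database audit-log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, NOT real MongoDB/MySQL output. The format is an
# assumption made for this example: "<ISO time> <client ip> <event> <details>".
SAMPLE_LOG = """\
2020-04-14T02:10:01Z 203.0.113.7 AUTH_FAIL user=admin db=admin
2020-04-14T02:10:02Z 203.0.113.7 AUTH_FAIL user=root db=admin
2020-04-14T02:10:02Z 203.0.113.7 AUTH_FAIL user=admin db=admin
2020-04-14T02:10:03Z 203.0.113.7 AUTH_FAIL user=mongo db=admin
2020-04-14T02:10:03Z 203.0.113.7 AUTH_FAIL user=test db=admin
2020-04-14T02:10:04Z 203.0.113.7 AUTH_FAIL user=admin db=admin
2020-04-14T02:10:05Z 203.0.113.7 AUTH_OK user=admin db=admin
2020-04-14T02:10:06Z 203.0.113.7 COMMAND find db=customers coll=orders
2020-04-14T02:10:09Z 203.0.113.7 COMMAND dropDatabase db=customers
2020-04-14T02:10:10Z 203.0.113.7 COMMAND insert db=WARNING coll=README
2020-04-14T09:30:00Z 10.0.0.12 AUTH_OK user=app db=customers
2020-04-14T09:30:01Z 10.0.0.12 COMMAND find db=customers coll=orders
2020-04-14T09:31:00Z 10.0.0.12 AUTH_FAIL user=app db=customers
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
DESTRUCTIVE = {"dropDatabase", "drop", "dropCollection"}
# Names attackers typically give the collection/database holding the ransom note.
RANSOM_NAME_RE = re.compile(r"(WARNING|README|RECOVER|RESTORE|PLEASE_READ|HOW_TO)", re.I)


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, event, details = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    tokens = (details or "").split()
    cmd = None
    if event == "COMMAND" and tokens and "=" not in tokens[0]:
        cmd = tokens.pop(0)  # first token of a COMMAND line is the command name
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    return {"ts": when, "ip": ip, "event": event, "cmd": cmd, **fields}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_dictionary_attacks(events, threshold=5, window_seconds=60):
    """Map client IP -> max number of AUTH_FAIL events inside any sliding window."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            fails[e["ip"]].append(e["ts"])
    hits = {}
    for ip, stamps in fails.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def detect_destructive_ops(events):
    """Every drop/dropDatabase/dropCollection command, with who ran it and on what."""
    return [(e["ip"], e["cmd"], e.get("db")) for e in events
            if e["event"] == "COMMAND" and e["cmd"] in DESTRUCTIVE]


def detect_ransom_notes(events):
    """Inserts/creates into a database or collection whose name looks like a ransom note."""
    return [(e["ip"], e.get("db"), e.get("coll")) for e in events
            if e["event"] == "COMMAND" and e["cmd"] in {"insert", "create"}
            and RANSOM_NAME_RE.search(e.get("db", "") + " " + e.get("coll", ""))]


def analyze(text):
    """Combine the rules and correlate them into per-IP verdicts."""
    events = parse_log(text)
    brute = detect_dictionary_attacks(events)
    destructive = detect_destructive_ops(events)
    notes = detect_ransom_notes(events)
    # The ransomware chain: guessed password -> successful login -> data wiped.
    logged_in = {e["ip"] for e in events if e["event"] == "AUTH_OK"}
    chains = sorted(ip for ip in brute
                    if ip in logged_in and any(d[0] == ip for d in destructive))
    return {"dictionary_attacks": brute, "destructive_ops": destructive,
            "ransom_notes": notes, "compromise_chains": chains}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample input the single failed login from 10.0.0.12 stays below the threshold, while 203.0.113.7 is flagged on all three rules and reported as a complete compromise chain. Alert on the dictionary-attack rule alone, since by the time a drop command appears the data is already gone and only the backup from recommendation 1 will bring it back.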

How to Secure MongoDB

For more details on how to protect your MongoDB databases from ransomware, check out these 10 tips.