Privacy Ninja

Hundreds of Elasticsearch Databases Targeted in Ransom Attacks

Hundreds of Elasticsearch Databases Targeted in Ransom Attacks

Hackers have targeted poorly secured Elasticsearch databases and replaced 450 indexes with ransom notes asking for $620 to restore contents, amounting to a total demand of $279,000.

The threat actors set a seven-day deadline for the payments and threaten to double the demand after that. If another week passes without getting paid, they say the victim would lose the indexes.

Those who pay the amount are promised a download link to their database dump that will supposedly help restore the data structure to its original form quickly.

This campaign was discovered by threat analysts at Secureworks, who identified more than 450 individual requests for ransom payment.

Also Read: 5 Tips In Using Assessment Tools To A Successful Businesses

According to Secureworks, the threat actors use an automated script to parse unprotected databases, wipe their data, and add the ransom, so there doesn’t appear to be any manual engagement in this operation.

Ransom note dropped on wiped databases
Ransom note dropped on wiped databases (Secureworks)

Campaign consequences

This campaign is not new, and we have seen similar opportunistic attacks numerous times before, and against other database management systems, too [123].

Restoring the database contents by paying the hackers is an unlikely scenario, as the practical and financial challenge for the attacker to store the data of so many databases is unfeasible.

Instead, the threat actors simply delete the contents of the unprotected database and leave a ransom note, hoping that the victim will believe their claims. So far, one of the Bitcoin wallet addresses seen in the ransom notes has received one payment.

One of the Bitcoin addresses used in the campaign
One of the Bitcoin addresses used in the campaign (

However, for the data owners, if they don’t take regular backups, losing everything from such a wipe is more than likely to lead to significant financial damages.

Some of these databases support online services, so there’s always the risk of business disruption that could cost a lot more than the small amount demanded by the crooks.

Also, organizations should never exclude the possibility that the intruders steal the data to monetize it in various ways.

Elasticsearch security

Unfortunately, for as long as databases are exposed on the public face of the internet without securing them properly, these opportunistic attacks will continue to target them.

recent report by Group-IB shows that over 100,000 Elasticsearch instances were found exposed on the web in 2021, accounting for about 30% of a total of 308,000 exposed databases in 2021.

Also Read: Intrusion Into Privacy All About Law And Legal Definition

Total number of exposed databases detected
Total number of exposed databases detected from the start of 2021 (Group-IB)

According to the same report, it takes database admins an average of 170 days to realize they have made a configuration mistake, leaving plenty of time for malicious actors to perform attacks.

As Secureworks underlines, no database should be public-facing unless it’s essential for their role. Moreover, if remote access is required, admins should set up multi-factor authentication for authorized users and restrict access to relevant individuals only.

Organizations that outsource these services to cloud providers should ensure that the vendor’s security policies are compatible with their standards and that all data is adequately protected.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us