Week after week, ransomware attacks on database servers are increasing. At the beginning of 2017, MongoDB instances were hit first, and then ElasticSearch clusters were also taken over by ransomware attackers. These attacks were carried out for several purposes: some demanded a ransom and some did not, and in some cases we witnessed attacks that were seemingly performed just for fun. Last week, an anonymous group of attackers compromised servers running CouchDB and Hadoop and wiped critical data from their databases. What is surprising is that the attackers are demanding a ransom from the CouchDB server owners in order to return the stolen (or encrypted) files, while on the other hand they are destroying the data on Hadoop servers just for fun.
Purposes of these ransomware attacks
These attack patterns have been monitored from the beginning by two freelance security experts, Niall Merrigan and Victor Gevers. They made public some evidence against an unknown attacker using the name 'NODATA4U' who accessed Hadoop data stores, wiped critical data and overwrote database tables with an entry named 'NODATA4U_SECUREYOURSHIT'. At the time of writing, the investigators had found 124 Hadoop server databases corrupted by replacing their contents with that same entry. Have a look at the following image:
What is surprising is that the attackers are not demanding any ransom from the owners of the Hadoop data stores. Hence, it appears to be vandalism. Moreover, the attackers are deleting data from the compromised servers quite slowly, even though they could destroy all of it in just a few seconds. The real reason behind this attack has still not been made public by the attackers.
Whereas attack on CouchDB servers is for ransom pay off
Security investigators reported that, unlike the attacks on Hadoop or MongoDB, the CouchDB servers were compromised in order to boost the attackers' Bitcoin wallet balance. The attackers asked the owners of the CouchDB servers to pay a ransom of 0.1 BTC in exchange for help with data recovery. They used the name R3L4X while accessing 443 CouchDB servers and stealing database files. There is no confirmation yet of which group is performing these destructive attacks.