In a recently discovered malicious campaign, Hackers have targeted 450 Elasticsearch indexes that have been replaced with ransom notes as a result of poorly secured databases. 

In those ransom notes, hackers have demanded $620 to restore each index. In short, the total amount required amount that is demanded to restore everything is $279,000.

This malicious campaign was discovered by the security experts of Secureworks security firm. Over 450 requests for ransom payments were identified by Secureworks’ cybersecurity analysts. 

In addition to setting a deadline for the payments, the threat actors threatened to double the amount if it was not paid in seven days. There is a possibility that the victims would lose their indexes if another week passes without receiving a paycheck.

Once payment is received, those who have paid the amount will be provided with a link to download their database. This link is said to help restore the data structure to its original form as soon as possible so that all of the data can be restored.

Ransom note

In exchange for access to the data, the note requests a payment of Bitcoin. There are a number of Elasticsearch indexes that exist on various versions of Elasticsearch and access to the indexes is not authenticated. 

The ransom notes were then stored as a feature in the ‘message’ field of an index that is known as ‘read_me_to_recover_database’, replacing the data stored in the databases.

More than 1,200 Elasticsearch databases containing the ransom note were discovered by researchers at CTU. 

Since the maximum number of the affected databases were hosted on cloud computing networks operated by cloud computing companies, it is not possible to determine the actual number of victims.

While the ransom payment is comparatively low according to the campaign size. There is no evidence that either wallet contained funds related to the ransomware and neither wallet appeared to have been used by the threat actor to transact any funds.

Campaign Outcomes

Similarly opportunistic attacks have occurred in the past and against other databases as well. To put it crudely, this type of malicious campaign is nothing new.

It is highly unlikely that the hackers will restore the contents of the database by paying them. Since the attacker would have a difficult and expensive time storing the data of so many databases, this isn’t a practical or economical solution.

Moreover, the security researchers have only tracked one bitcoin wallet address having received a payment on the Bitcoin ransom notes till now.

Several security mechanisms have to be implemented by organizations in order to ensure the integrity of internet-facing services and databases. 


One of the things that can be used for securing a database when remote access is needed, “multi-factor authentication” (MFA). 

As well as reviewing cloud providers’ security policies, it is important for companies to remember that data that is stored in the cloud is not automatically secured.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Guru is an Ex-Security Engineer at Comodo Cybersecurity. Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here