Prevent database ransom events

Last Updated: May 07, 2018

From December 2016 through 2017, a steady series of data ransom events occurred on the Internet. According to rough statistics, these data-oriented ransom events have targeted at least the following database types:

  • ElasticSearch ransom
  • MongoDB ransom
  • MySQL ransom
  • Redis ransom
  • PostgreSQL ransom
  • Oracle ransom

Seemingly every database exposed to the Internet without protection has suffered a ransom attack. Hundreds of thousands of MySQL databases open to the Internet have been hijacked: attackers delete the data stored in them and leave a ransom note demanding payment in Bitcoin to return the data. For enterprise users, this can be a disaster.

Low baseline security

The MongoDB, Elasticsearch, and MySQL ransom events show that all of the victim databases were hijacked and ransomed because of low baseline security.

These ransomed, user-created databases were all open to the Internet and could be logged on to with an empty or weak password, which let attackers easily crack the password, connect to the database, and download and delete its data. In addition, incorrect security group configuration and the lack of network access control policies made these databases even more vulnerable to hijacking.

Apart from web vulnerabilities, low baseline security has become a main cause of server intrusion, especially when no network access control policy is set, a default account or an empty/weak password is used, a backend is exposed without a password, or unauthorized access is allowed. Through misconfiguration, related services may be exposed to the Internet and attacked by hackers; if an empty or weak password is in use, hackers can intrude on such services at extremely low cost.

Tool-based troubleshooting

You can use a port scanning tool such as Nmap to scan the public IP address of your server directly from the Internet, to check which ports and services the business server exposes to the Internet.

Note: You must be authorized to scan your own business systems. Do not scan other, unrelated services illegally, to avoid legal risks.

Security suggestions

If you find that a service is exposed to the Internet during O&M, configure the necessary access control policies using the Windows Firewall or the Linux iptables firewall.

We recommend that you use ECS security group policies to control inbound and outbound traffic on both the Internet and the intranet, to prevent further exposure of insecure services.

We also recommend that you perform necessary security hardening to guarantee safe and reliable operation of the business on the cloud. For more information, see Security deployment guide.
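As an added example (not from the original page), the following POSIX shell script applies the two suggestions above from the host side: it reads `ss -ltn` output, flags the database ports listed earlier when they are bound to every interface, and prints the iptables rules that restrict each one to a trusted network. The port list, the 10.0.0.0/8 default and the sample listener output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Flags database services that
# listen on every interface in `ss -ltn` output and prints iptables rules
# that restrict them to a trusted network. Run on a host you own, e.g.:
#   ss -ltn | exposed_db_ports
# The port list and the 10.0.0.0/8 default are assumptions; adjust them.

# MySQL, MongoDB, Redis, PostgreSQL, Elasticsearch, Oracle (default ports)
DB_PORTS="3306 27017 6379 5432 9200 1521"

# Read `ss -ltn` lines on stdin; print the exposed database ports on one line.
exposed_db_ports() {
  awk -v ports="$DB_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      addr = $4
      port = addr; sub(/.*:/, "", port)          # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      # Wildcard bindings mean the service answers on the public interface too.
      if ((port in want) && (host == "0.0.0.0" || host == "*" || host == "[::]"))
        out = out (out == "" ? "" : " ") port
    }
    END { print out }'
}

# For each exposed port, print iptables rules allowing only the trusted CIDR
# and dropping everything else. Usage: suggest_rules "3306 5432" 10.1.0.0/16
suggest_rules() {
  trusted="${2:-10.0.0.0/8}"   # assumed intranet range; replace with yours
  for port in $1; do
    echo "iptables -A INPUT -p tcp --dport $port -s $trusted -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
  done
}

# Constructed sample: MySQL and PostgreSQL exposed, Redis on loopback, sshd ignored.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      244    [::]:5432           [::]:*'

audit_sample() { printf '%s\n' "$SAMPLE_SS" | exposed_db_ports; }

audit_sample
suggest_rules "$(audit_sample)"
```

The printed rules are suggestions to review, not applied automatically; the lasting fix is to bind the service to an intranet address and restrict the port in the security group as well.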