Cybercriminals have targeted hundreds of Elasticsearch databases and replaced 450 indexes with ransom notes. The ransom demands total $279,000, with the average demand being $620.

The attacks 

Researchers at Secureworks have spotted the campaign and, at present, one of the Bitcoin wallet addresses has received a payment.
  • The attackers have set a deadline of seven days for the ransom payments and threaten to double the demand after that. If one more week passes without a ransom being paid, the victim would lose the indexes.
  • The victims who are ready to pay are promised a download link to their database dump, which will help them in restoring the data structure to its original state.
The attackers have used an automated script to parse unprotected databases, wipe out their data, and add the ransom note. Apparently, there is no manual engagement in this operation.

Is restoration feasible?

According to researchers, there are financial or practical challenges for an attacker to store so many databases. Therefore, restoring the database contents by agreeing to pay the ransom is an unlikely scenario.

Poor security is to blame?

  • A recent report claimed that over 100,000 Elasticsearch instances were exposed to the web in 2021, accounting for 30% of a total of 308,000 exposed databases.
  • The same report disclosed that it takes admins an average of 170 days to discover that they made a configuration mistake, leaving a lot of time for an attacker to perform malicious actions.


Elasticsearch databases exposed to the internet with poor security configurations are deemed to be targeted by cybercriminals. Thus, no database should be public-facing unless it is necessary. Moreover, if remote access is needed, admins should set up MFA for authorized users and limit access to only those who need it.

Cyware Publisher