Elasticsearch Ransom: we have been hit.

Well this happened today (and yesterday on prod). Our Elasticsearch instance was wiped and a new instance came into existence with a note:

SEND 0.1 BTC TO THIS WALLET: 1Eqrzhx6yQafKm6WwKMhNAsGMxZXP7uitr IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS 4rc0s@sigaint.org HOW TO BUY BITCOIN: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)

Since our ES was not the main data source for our application we had no worry. We simply made our ES access private (we are working on more security related steps). The point is, while I was going through the elasticsearch.log file I found the hacker had simply deleted the index, without taking any backup of it first:

[2017-01-16 04:14:34,733][INFO ][cluster.metadata         ] [Murmur] [warning] deleting index
[2017-01-16 04:14:34,779][INFO ][cluster.metadata         ] [Murmur] [OUR_INDEX] deleting index

So their claim, "IF YOU WANT RECOVER YOUR DATABASE!", is a hoax: the index was deleted outright, not copied or encrypted, so there is nothing for them to give back.
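The log lines above are the only trace the attack left, so the pattern worth alerting on is "index deleted, different index created moments later". The following is an added example (not code from the post or from Elastic): a small parser for the Elasticsearch 2.x log format shown above that extracts cluster.metadata create/delete events and flags that wipe-and-replace sequence. The sample log lines, the node name and the index names (`our_index`, `please_read`) are constructed for the example; the message format is the one in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the Elasticsearch 2.x format seen in the post.
# A legitimate create, then the attack: two deletions followed by a new index.
SAMPLE_LOG = """\
[2017-01-16 04:10:02,101][INFO ][cluster.metadata         ] [Murmur] [our_index] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2017-01-16 04:14:34,733][INFO ][cluster.metadata         ] [Murmur] [warning] deleting index
[2017-01-16 04:14:34,779][INFO ][cluster.metadata         ] [Murmur] [our_index] deleting index
[2017-01-16 04:14:35,012][INFO ][cluster.metadata         ] [Murmur] [please_read] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings []
[2017-01-16 04:14:36,200][INFO ][cluster.metadata         ] [Murmur] [please_read] update_mapping [warning]
"""

# [timestamp][LEVEL ][component   ] [node] [index] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\]"
    r"\[(?P<level>[A-Z]+)\s*\]"
    r"\[(?P<component>[^\]]+?)\s*\]"
    r" \[(?P<node>[^\]]+)\]"
    r"(?: \[(?P<index>[^\]]+)\])?"
    r" (?P<msg>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return ev


def metadata_events(lines):
    """Yield (kind, timestamp, node, index) for index create/delete events."""
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["component"] != "cluster.metadata" or not ev["index"]:
            continue
        if ev["msg"].startswith("deleting index"):
            yield ("delete", ev["ts"], ev["node"], ev["index"])
        elif ev["msg"].startswith("creating index"):
            yield ("create", ev["ts"], ev["node"], ev["index"])


def deleted_indices(lines):
    """Names of every index deleted, in log order (what the post found by hand)."""
    return [e[3] for e in metadata_events(lines) if e[0] == "delete"]


def wipe_and_replace_alerts(lines, window=timedelta(seconds=120)):
    """Flag each deleted index that is followed within `window` by the
    creation of a *different* index: the wipe-then-leave-a-note sequence."""
    events = list(metadata_events(lines))
    deletes = [e for e in events if e[0] == "delete"]
    creates = [e for e in events if e[0] == "create"]
    alerts = []
    for _, dts, node, dname in deletes:
        for _, cts, _, cname in creates:
            if cname != dname and dts <= cts <= dts + window:
                alerts.append({
                    "node": node,
                    "deleted": dname,
                    "replaced_by": cname,
                    "at": dts.isoformat(),
                    "gap_seconds": (cts - dts).total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("deleted:", deleted_indices(lines))
    for a in wipe_and_replace_alerts(lines):
        print("ALERT wipe-and-replace:", a)
```

Run it against a real elasticsearch.log with `wipe_and_replace_alerts(open(path))`; the window is deliberately short, since in the incident above the new index appeared within seconds of the deletions, and a longer window only adds noise from normal re-indexing.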

If you too have been hit with the same, share your experiences and follow https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom