Well, this happened today (and yesterday on prod). Our Elasticsearch instance was washed off and a new instance came into existence with a note:
SEND 0.1 BTC TO THIS WALLET: 1Eqrzhx6yQafKm6WwKMhNAsGMxZXP7uitr IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS firstname.lastname@example.org HOW TO BUY BITCOIN: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version).
Since our ES was not a main data source for our application, we had no worry. We simply made our ES access private (we are working on more security-related steps).
The point is, while I was going through the elasticsearch.log file, I found the hacker had simply removed the index and there was no backup taken.
[2017-01-16 04:14:34,733][INFO ][cluster.metadata ] [Murmur] [warning] deleting index
[2017-01-16 04:14:34,779][INFO ][cluster.metadata ] [Murmur] [OUR_INDEX] deleting index
So their claim "... IF YOU WANT RECOVER YOUR DATABASE! ..." is a hoax.
If you too have been hit with the same, share your experiences and follow https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
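Added example, not the poster's code: a small Python scanner for the ES 2.x elasticsearch.log layout quoted above. It keeps only the cluster.metadata create/delete events and flags a burst of index deletions close together, which is what a wipe looks like in the log, as opposed to an operator dropping one index. The sample log is constructed: the two "deleting index" lines are the ones from the post, the surrounding "creating index" lines are assumed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the ES 2.x log layout quoted in the post. The two
# "deleting index" lines are the post's own; the "creating index" lines are
# assumed for illustration.
SAMPLE_LOG = """\
[2017-01-16 04:13:02,101][INFO ][cluster.metadata ] [Murmur] [OUR_INDEX] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2017-01-16 04:14:34,733][INFO ][cluster.metadata ] [Murmur] [warning] deleting index
[2017-01-16 04:14:34,779][INFO ][cluster.metadata ] [Murmur] [OUR_INDEX] deleting index
[2017-01-16 04:14:35,002][INFO ][cluster.metadata ] [Murmur] [warning] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings []
"""

# [timestamp][LEVEL ][component ] [node] [index] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]*)\]\[(?P<comp>[^\]]*)\] "
    r"\[(?P<node>[^\]]+)\] \[(?P<index>[^\]]+)\] (?P<msg>.*)$"
)

@dataclass
class IndexEvent:
    when: datetime
    node: str
    index: str
    action: str  # "deleting" or "creating"

def parse_index_events(log_text):
    """Return only the cluster.metadata index create/delete events, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("comp").strip() != "cluster.metadata":
            continue
        action = m.group("msg").split(" ", 1)[0]
        if action not in ("deleting", "creating"):
            continue
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        events.append(IndexEvent(when, m.group("node"), m.group("index"), action))
    return events

def deletion_burst(events, window_seconds=60):
    """Indices deleted within window_seconds of each other (two or more), else []."""
    dels = [e for e in events if e.action == "deleting"]
    for i, first in enumerate(dels):
        burst = [e for e in dels[i:] if (e.when - first.when).total_seconds() <= window_seconds]
        if len(burst) >= 2:
            return [e.index for e in burst]
    return []

if __name__ == "__main__":
    print("deleted together:", deletion_burst(parse_index_events(SAMPLE_LOG)))
```

Run it against the real file (`parse_index_events(open("elasticsearch.log").read())`) to pull the same two deletions out of a much noisier log; with snapshots in place the output is also the list of indices to restore.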