As ransomware attacks soared last year, opinions divided on whether victims should pay the ransom to recover their encrypted data. A year ago, it looked like there was a good chance that paying meant getting the data back, but that seems to be no longer the case.
As the attacks against MongoDB installations around the world continue, with the latest number of compromised databases ranging between 29,000 to more than 32,000 depending on whom you ask, virtually none of the victims who have paid the ransom have gotten their data back.
In fact, many ransom payments are going to criminals who didn't compromise the database in the first place. One attacker steals the data, wipes the database, and leaves behind the ransom note. Another attacker comes along and overwrites the ransom note with their own, and other attackers keep piggybacking on top of each other. At this point, there's no reason to pay because victims don't know who actually has their database.
In the debate on the pros and cons of paying the ransom, the single biggest reason for refusing was to not reward bad behavior, as it essentially encouraged other criminals to get into the game. There was also a very reasonable concern that the money would wind up funding other criminal operations.
Yet, for many organizations faced with the prospect of wiping the systems and restoring everything from backup, the prospect of paying and hoping the criminal was telling the truth about providing the decryption key seemed to be the better choice. Perhaps there was pressure to get everything back right away, or backups didn't exist. There is a reason why even federal law enforcement officials sometimes recommended handing over the cash.
It's counterintuitive to hope a criminal will keep his or her word, but for a while, it seemed like a reasonable course of action when many ransomware gangs were intent on establishing a reputation of being honest. Victims were more likely to pay if they knew others had done the same and gotten everything back.
However, as more cybercriminals adopt ransom-based attacks, the emphasis is more on collecting the ransom and less on ensuring the victims can recover their files. The latest Linux variant of the KillDisk disk-wiping malware, which was used against Ukranian energy utilities in 2015, now has ransomware capabilities, except attackers can't provide the key to decrypt the data after receiving payment. The malware doesn't save the encryption key, either locally or on a remote server, making it impossible for victims to get the data back, even after paying the 222 BTC (approximately $247,000 in current prices) ransom. Nemucod claimed to encrypt files with RSA-1024 encryption when it was using a simple rotating XOR cipher.
Lucky IT administrators who have not yet lost control over their MongoDB databases, act now:
- Block port 27017 or limit the access of the service with bind_ip to accept only local connections.
- Turn on authentication to force anyone trying to access the database to use valid credentials.
- Check to see if any secret admin accounts have been added to the database.
- Look in log files for any unauthorized access attempts.
Don't think the problem is limited to MongoDB, either. It's very possible attackers will move on to other cloud services and databases, so make sure MySQL databases and Amazon Web Services accounts are properly secured. Finding exposed systems or services is a short Shodan search away, and attackers have proven they can -- and will -- demand ransom for anything. The next few weeks will likely see the attacks spread to other platforms.
Bottom line: Don't leave systems or services unprotected. Set up backups immediately. Dump the contents of the database if there's no time to roll out a proper backup strategy. Having a plan in place is better than nothing when the attackers come knocking.
Niall Merrigan, a solutions architect for French consulting giant Capgemini, has been working with researcher Victor Gevers, who initially raised the alarm, to help MongoDB victims recover from the attack, and they have been keeping track of attack groups as well as victims. One detail they've found: Of all the victims they've helped so far, only 10 percent had a recent backup.
IT teams no longer can count on the precedent that paying would give them their data back. The only real choice is to start over and rebuild the compromised systems from scratch. If they hadn't already taken preventive measures, the loss can be catastrophic. If you're one of the lucky ones that has not yet been hit, take those steps now.