douglasmun

MongoDB & ElasticSearch Ransomware victims

Mar 23rd, 2017
A typical ransom note, like the one below, is what victims find in their MongoDB databases or Elasticsearch indices once an exposed NoSQL server has been hit by ransomware.

“SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS p1l4t0s@sigaint.org”


Shodan.io search: country:"SG" product:"MongoDB" PLEASE_READ_ME country:"SG"
https://www.shodan.io/search?query=country%3A%22SG%22+product%3A%22MongoDB%22+PLEASE_READ_ME+country%3A%22SG%22

Install the MongoDB shell using Brew, connect, and look at the ransom database:
$ brew update
$ brew install mongodb
$ mongo --host [hostname or IP]
> show dbs
> use PLEASE_READ_ME
> show collections
> db.PLEASE_READ_ME.find().pretty()


$ mongo --host 119.81.55.37
MongoDB shell version v3.4.2
connecting to: mongodb://119.81.55.37:27017/
MongoDB server version: 2.2.2
WARNING: shell and server versions do not match
Welcome to the MongoDB shell.
For interactive help, type "help".
For more comprehensive documentation, see
http://docs.mongodb.org/
Questions? Try the support group
http://groups.google.com/group/mongodb-user
> show dbs
AppiyoFS (empty)
MeOnCloud-Auth (empty)
PLEASE_READ_ME 0.203GB
ProcessStore 0.203GB
WARNING (empty)
admin (empty)
> use PLEASE_READ_ME
switched to db PLEASE_READ_ME
> show collections
PLEASE_READ_ME
system.indexes
> db.PLEASE_READ_ME.find().pretty()
{
    "Bitcoin Address" : "1PemEbnMSoiaXsEW5nRUpSMRB6RZw9MG8D",
    "_id" : ObjectId("589d14d5b7dc320876e17e30"),
    "amount" : "0.2 BTC",
    "data_we_have" : {
        "MeOnCloud-Auth" : [ ],
        "DB_H4CK3D" : [
            "system.indexes",
            "URG3NT_W4RN1NG"
        ],
        "ProcessStore" : [
            "system.indexes",
            "registry.notification.retry"
        ]
    },
    "email" : "kraken8888@sigaint.org",
    "info" : "Don't panic. Your DB is in safety and backed up (check logs). To restore send 0.05 BTC and email with your server ip or domain name. Each 48 hours we erase all data."
}
> quit()


=================================================================================================
Shodan.io search: country:"SG" product:"Elastic" please_read


$ curl -s 188.166.209.11:9200/_aliases?pretty=1 | awk -F\" '!/aliases/ && $2 != "" {print $2}'
feedback_responses_production
please_read
members_production_20170123065033031
members_production
leads_production
faqs_production_20170123065045536
faqs_production


$ curl -s 188.166.209.11:9200/please_read/_search?pretty=1
{
  "took" : 21,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "please_read",
      "_type" : "info",
      "_id" : "AVm3WtOf4VozCfIW-RNC",
      "_score" : 1.0,
      "_source":{
        "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip",
        "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
        "Email" : "elasticsearch@mail2tor.com"
      }
    } ]
  }
}
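Both captures above show the same two things a defender should take away: the server answered without ever asking for credentials, and the intruder's only trace is a drop database or index with a telltale name holding a small note. The script below is an added example (not part of the original paste) for an administrator checking their own node's `show dbs` and `GET /_aliases` output and triaging any note found there: it flags names matching the pattern seen above and pulls the wallet address, contact email, demanded amount and the collections the note claims to hold out of the document. The name pattern, the regular expressions and the sample inputs are assumptions, constructed from the notes reproduced in this paste.

```python
"""Added triage helper (not part of the original paste): flag the ransomware
indicators seen above in a node's own `show dbs` / `_aliases` listings and pull
the extortion details out of a ransom-note document.  Name pattern, regexes and
sample inputs are assumptions constructed from the notes in the paste."""
import json
import re

# Database/index names the notes in the paste were dropped into, plus the
# collection names the note itself lists.  An assumed starting list, not exhaustive.
RANSOM_NAME = re.compile(r"PLEASE_READ|READ_ME|WARNING|W4RN1NG|H4CK3D", re.IGNORECASE)
# Legacy base58 Bitcoin address, the form every note on the page uses.
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
BTC_AMOUNT = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.IGNORECASE)


def parse_show_dbs(text):
    """Names from the mongo shell's `show dbs` output ("<name> <size|(empty)>")."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(">"):  # skip echoed prompt lines
            names.append(line.split()[0])
    return names


def parse_es_aliases(text):
    """Index names from the raw JSON of GET /_aliases (one top-level key per index)."""
    return list(json.loads(text))


def suspicious_names(names):
    """Subset of names matching the ransom-campaign naming pattern."""
    return [n for n in names if RANSOM_NAME.search(n)]


def extract_note(doc):
    """Extortion details from a ransom-note document (Mongo document or ES _source)."""
    blob = json.dumps(doc)  # flatten so nested fields such as data_we_have are covered
    return {
        "btc_addresses": sorted(set(BTC_ADDRESS.findall(blob))),
        "emails": sorted(set(EMAIL.findall(blob))),
        # keep every amount the note mentions; the Mongo note above names two
        "amounts_btc": [float(a) for a in BTC_AMOUNT.findall(blob)],
        "listed_collections": sorted(
            set(c for cols in doc.get("data_we_have", {}).values() for c in cols)
        ),
    }


def notes_from_es_search(text):
    """extract_note() over every hit of a GET /<index>/_search response."""
    return [extract_note(h["_source"]) for h in json.loads(text)["hits"]["hits"]]


# --- constructed samples, mirroring the output captured in the paste ---
SAMPLE_SHOW_DBS = """AppiyoFS (empty)
MeOnCloud-Auth (empty)
PLEASE_READ_ME 0.203GB
ProcessStore 0.203GB
WARNING (empty)
admin (empty)
"""
SAMPLE_MONGO_NOTE = {
    "Bitcoin Address": "1PemEbnMSoiaXsEW5nRUpSMRB6RZw9MG8D",
    "_id": "589d14d5b7dc320876e17e30",
    "amount": "0.2 BTC",
    "data_we_have": {
        "MeOnCloud-Auth": [],
        "DB_H4CK3D": ["system.indexes", "URG3NT_W4RN1NG"],
        "ProcessStore": ["system.indexes", "registry.notification.retry"],
    },
    "email": "kraken8888@sigaint.org",
    "info": "Don't panic. Your DB is in safety and backed up (check logs). To restore "
            "send 0.05 BTC and email with your server ip or domain name. Each 48 hours "
            "we erase all data.",
}
SAMPLE_ES_ALIASES = json.dumps({
    "feedback_responses_production": {"aliases": {}},
    "please_read": {"aliases": {}},
    "members_production": {"aliases": {}},
})
SAMPLE_ES_SEARCH = json.dumps({"hits": {"total": 1, "hits": [{
    "_index": "please_read", "_type": "info", "_id": "AVm3WtOf4VozCfIW-RNC",
    "_source": {
        "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the "
                "Bitcoin Address then send an email with your server ip",
        "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
        "Email": "elasticsearch@mail2tor.com",
    }}]}})

if __name__ == "__main__":
    print("mongo:", suspicious_names(parse_show_dbs(SAMPLE_SHOW_DBS)),
          extract_note(SAMPLE_MONGO_NOTE))
    print("es:", suspicious_names(parse_es_aliases(SAMPLE_ES_ALIASES)),
          notes_from_es_search(SAMPLE_ES_SEARCH))
```

Run against the samples, the Mongo side flags PLEASE_READ_ME and WARNING and the Elasticsearch side flags please_read. The Mongo note names 0.2 BTC in its amount field and 0.05 BTC in its text; the script records both rather than reconciling them, since the contradiction itself is worth keeping in the incident record. Whatever a note claims about having backed the data up, the remediation is the same in both cases: take the node off the public interface, enable authentication, and restore from a backup the intruder could not reach.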