Attackers increasingly conduct “malware-less” database ransomware by exploiting exposed or misconfigured Internet-facing databases, using legitimate database commands to copy out and delete data and to leave ransom notes inside the database itself, without deploying any malicious binary. These campaigns target services like MongoDB, PostgreSQL, MySQL, Redis, and Elasticsearch and often automate scanning, credential testing, data exfiltration, and destructive commands; defenders should restrict exposure, enforce strong authentication/MFA, and maintain isolated, tested backups. #MongoDB #PostgreSQL
Keypoints
- Attackers perform “malware-less” ransomware by using normal database commands (e.g., DROP DATABASE, bulk DELETE) after authenticating to exposed database servers.
- Campaigns scan the Internet for open database ports (e.g., 3306 for MySQL and 5432 for PostgreSQL, plus the defaults of the other targeted services such as 27017 for MongoDB and 6379 for Redis), fingerprint the service, test for missing authentication and default credentials, and brute-force weak passwords to gain access.
- Common targets include MongoDB (most frequent), PostgreSQL (second), MySQL/Aurora/MariaDB, Redis, CouchDB, Hadoop, and Elasticsearch.
- Post-compromise actions include copying/exfiltrating data, deleting or wiping databases, creating ransom-note tables/collections (e.g., README_TO_RECOVER), and demanding cryptocurrency payments.
- Operators increasingly use double extortion (threaten or publish stolen data) and may escalate to RCE and lateral movement from compromised database hosts.
- Risk correlates with popularity and exposure; Redis shows low exposure but high misconfiguration rates and is often abused for host compromise/cryptojacking.
- Defenses include restricting databases to private networks, using jump hosts with MFA for remote access, enforcing strong credentials, automated backups stored in a separate, access-controlled location and regularly test-restored, and continuous attack-surface and IOC scanning.
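The exposure and authentication checks in the last keypoint can be turned into an offline audit of exported config files. The script below is an added example, not code from the Wiz post: it parses PostgreSQL (pg_hba.conf, postgresql.conf), Redis (redis.conf) and a YAML subset of MongoDB (mongod.conf) and reports the weak settings next to a hardened counterpart. The WEAK and HARDENED samples, the file names it keys on, and the treatment of a Redis aclfile directive as evidence of authentication are assumptions made for the example.

```python
"""Offline audit of exported database configs for the misconfigurations described above.

Added example, not code from the Wiz post. Parses PostgreSQL pg_hba.conf and
postgresql.conf, Redis redis.conf, and a YAML subset of MongoDB mongod.conf;
the WEAK/HARDENED samples below are constructed for illustration.
"""
import re

WEAK = {  # constructed: what an Internet-facing, unauthenticated instance looks like
    "pg_hba.conf": "host  all  all  0.0.0.0/0  trust\n",
    "postgresql.conf": "listen_addresses = '*'\n",
    "redis.conf": "bind 0.0.0.0\n# requirepass foobared\nprotected-mode no\n",
    "mongod.conf": "net:\n  bindIp: 0.0.0.0\n  port: 27017\n",
}
HARDENED = {  # constructed: private-network binding plus real authentication
    "pg_hba.conf": "host  all  all  10.0.0.0/8  scram-sha-256\n",
    "postgresql.conf": "listen_addresses = '10.0.1.5'\n",
    "redis.conf": "bind 127.0.0.1 -::1\nrequirepass REPLACE-WITH-LONG-RANDOM-SECRET\nprotected-mode yes\n",
    "mongod.conf": "net:\n  bindIp: 127.0.0.1,10.0.1.5\nsecurity:\n  authorization: enabled\n",
}
ANY_ADDR = {"0.0.0.0/0", "::/0"}

def _tokens(text):
    """Whitespace-split tokens per line, with comments and blank lines dropped."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            yield parts

def audit_pg_hba(text):
    out = []
    for p in _tokens(text):
        if p[0] == "local" and len(p) >= 4:
            addr, method = "unix socket", p[3]
        elif p[0].startswith("host") and len(p) >= 5:
            addr = p[3]
            # old-style rows carry the netmask in its own column before the method
            method = p[5] if "/" not in addr and len(p) >= 6 and p[4][:1].isdigit() else p[4]
        else:
            continue
        if method == "trust":
            out.append(f"pg_hba: 'trust' (no credentials) for {addr}")
        if addr in ANY_ADDR:
            out.append(f"pg_hba: rule accepts any client address ({addr})")
    return out

def audit_postgresql_conf(text):
    out = []
    for p in _tokens(text):
        m = re.match(r"listen_addresses\s*=?\s*'([^']*)'", " ".join(p))
        if m and {a.strip() for a in m.group(1).split(",")} & {"*", "0.0.0.0", "::"}:
            out.append(f"postgresql.conf: listen_addresses = '{m.group(1)}' (all interfaces)")
    return out

def audit_redis(text):
    out, bound, has_auth, protected = [], False, False, "yes"  # redis defaults
    for p in _tokens(text):
        key = p[0].lower()
        if key == "bind":
            bound = True
            if {"0.0.0.0", "*", "::"} & set(p[1:]):
                out.append("redis: bind includes all interfaces")
        elif key in ("requirepass", "aclfile") and len(p) > 1:
            has_auth = True  # assumption: an ACL file defines passworded users
        elif key == "protected-mode" and len(p) > 1:
            protected = p[1].lower()
    if not bound:
        out.append("redis: no bind directive (listens on every interface)")
    if not has_auth:
        out.append("redis: no requirepass/aclfile (unauthenticated)")
    if protected != "yes":
        out.append("redis: protected-mode off")
    return out

def audit_mongod(text):
    out, section, authz = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level YAML key such as net: or security:
            section = line.strip().rstrip(":")
            continue
        m = re.match(r"\s+(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if section == "net" and key == "bindIp" and {"0.0.0.0", "*"} & {v.strip() for v in val.split(",")}:
            out.append(f"mongod: net.bindIp includes all interfaces ({val})")
        if section == "net" and key == "bindIpAll" and val == "true":
            out.append("mongod: net.bindIpAll: true")
        if section == "security" and key == "authorization":
            authz = val
    if authz != "enabled":
        out.append("mongod: security.authorization not enabled (mongod default is no auth)")
    return out

AUDITORS = {"pg_hba.conf": audit_pg_hba, "postgresql.conf": audit_postgresql_conf,
            "redis.conf": audit_redis, "mongod.conf": audit_mongod}

def audit(configs):
    """Map each known config file name to its list of findings."""
    return {name: AUDITORS[name](text) for name, text in configs.items() if name in AUDITORS}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

Run it against copies of the real files pulled by configuration management rather than on the production host. It only inspects listen/bind and authentication directives, so a private bind behind a permissive firewall rule, or a Redis ACL file that defines a nopass user, still needs a network-side check such as the attack-surface scanning the keypoint recommends.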
MITRE Techniques
- [T1078] Valid Accounts (with [T1110] Brute Force for the password-guessing step) – Attackers authenticate to exposed databases using default credentials, weak passwords, or brute-forced credentials: “…test for missing authentication, try default username:password combinations, and attempt to bruteforce weak passwords.”
- [T1046] Network Service Discovery (formerly Network Service Scanning) – Actors scan Internet-wide for exposed database ports and fingerprint services: “…Internet-wide scan for exposed database ports such as 3306 (MySQL) and 5432 (PostgreSQL). They then use fingerprinting techniques to confirm…”
- [T1213] Data from Information Repositories – After connecting, actors confirm that authentication succeeded and pull a small sample of what the database holds: “…fingerprinting techniques to confirm that the targets are indeed database services, test for missing authentication…If they successfully authenticate…the attacker extracts a small data sample…”
- [T1485] Data Destruction – Instead of encrypting files (T1486 Data Encrypted for Impact), attackers render data unavailable using native DB commands like DROP or bulk DELETE: “…attackers use the database’s own built-in functionality (queries and commands) to render the data unavailable…issuing destructive SQL commands such as `DROP DATABASE` or bulk `DELETE`.”
- [T1560] Archive Collected Data, followed by exfiltration – Attackers dump database contents and move the dump off-host as extortion leverage (the post describes where the dumps end up, not the transfer channel, so no exfiltration technique ID is assigned): “…uploaded the victims’ database dumps to a dark web ‘auction’ site and let victims see their data for sale…”
- [T1490] Inhibit System Recovery – Attackers wipe the database and leave the ransom note inside it; recovery then depends on backups that are stored separately under their own access controls and have been test-restored: “…copy the data to another location, wipe the database, and then leave behind a ransom note stored in the database itself…Store backups in a separate, access-controlled location.”
- [T1190] Exploit Public-Facing Application – Access comes through Internet-facing database services whose misconfiguration (no authentication, default credentials, open network access) is the weakness rather than a software vulnerability; ATT&CK counts such misconfigurations of exposed services, databases included, under this technique: “…often relies on exploiting security misconfigurations (like default credentials or open network access) rather than software vulnerabilities…”
Indicators of Compromise
- [Database Table/Collection Names] ransom-note artifacts – Examples: README_TO_RECOVER, RECOVER_YOUR_DATA (ransom note inserted as table row or collection document).
- [Ports] exposed service ports used for discovery – Examples quoted: 3306 (MySQL), 5432 (PostgreSQL); the other targeted services listen by default on 27017 (MongoDB), 6379 (Redis), 9200 (Elasticsearch), and 5984 (CouchDB).
- [Database Types] targeted services observed – Examples: MongoDB (frequent target), PostgreSQL (second-largest share).
- [Misconfiguration Flags] authentication issues – Examples: default credentials, passwordless access, and weak credentials (e.g., Redis instances reachable with no authentication; the post puts the Redis misconfiguration rate at 72%).
- [Exfiltration Artifacts] public postings or uploads – Example context: database dumps uploaded to dark web auction sites (victim data shown for sale).
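The ransom-note names above, the destructive statements from the MITRE list, and the password-guessing that precedes them can be hunted for together in PostgreSQL server logs. The detector below is an added example, not code from the Wiz post. It assumes a non-default log_line_prefix of '%m [%p] %u@%d %h ' together with log_connections = on and log_statement = 'mod', so every line carries the client address and any DDL or data-modifying statement; the sample log is constructed, including the 203.0.113.7 and 10.0.1.20 addresses and the shop database.

```python
"""Hunt for the database-ransomware pattern in PostgreSQL server logs.

Added example, not code from the Wiz post. Assumes the non-default
log_line_prefix = '%m [%p] %u@%d %h ' plus log_connections = on and
log_statement = 'mod', so each line carries the client host and the
DDL/DML text. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-05-01 10:00:01.001 UTC [4411] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.310 UTC [4412] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:01.622 UTC [4413] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:03.900 UTC [4418] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-05-01 10:00:04.200 UTC [4418] postgres@postgres 203.0.113.7 LOG:  statement: DROP DATABASE shop;
2024-05-01 10:00:04.500 UTC [4418] postgres@postgres 203.0.113.7 LOG:  statement: CREATE TABLE readme_to_recover (note text);
2024-05-01 10:01:00.000 UTC [4420] app@shop 10.0.1.20 LOG:  statement: DELETE FROM sessions WHERE expires < now();
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# ransom-note artifact names from the IOC list, matched case-insensitively
RANSOM_NOTE_NAMES = ("readme_to_recover", "recover_your_data")
# DROP/TRUNCATE, or a DELETE with no WHERE clause (a bulk delete), optional trailing ';'
DESTRUCTIVE_RE = re.compile(
    r"^\s*(?:drop\s+(?:database|schema|table)\b|truncate\b|delete\s+from\s+\S+\s*;?\s*$)", re.I
)

def parse_line(line):
    """Return the prefix fields and message of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, failure_threshold=3):
    """Emit alerts for brute-force bursts, destructive statements and ransom-note artifacts."""
    failures = defaultdict(int)   # auth failures seen per client host
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, msg = rec["host"], rec["msg"]
        if "password authentication failed" in msg:
            failures[host] += 1
            if failures[host] == failure_threshold:   # alert once per host
                alerts.append({"host": host, "kind": "brute_force", "severity": "medium",
                               "detail": f"{failure_threshold} authentication failures"})
            continue
        if not msg.startswith("statement: "):
            continue
        sql = msg[len("statement: "):]
        # a host that failed auth earlier and now runs statements got in with a guessed password
        severity = "critical" if failures[host] else "high"
        if any(name in sql.lower() for name in RANSOM_NOTE_NAMES):
            alerts.append({"host": host, "kind": "ransom_note", "severity": severity, "detail": sql})
        elif DESTRUCTIVE_RE.match(sql):
            alerts.append({"host": host, "kind": "destructive", "severity": severity, "detail": sql})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

A statement from a host that earlier failed authentication is escalated to critical, since that is the guess-then-act sequence in the keypoints; a DELETE carrying a WHERE clause is deliberately not counted as a bulk delete, so the application's routine cleanup from 10.0.1.20 produces no alert. The same three checks translate directly to the MySQL general log or the MongoDB audit log once the prefix regex is adjusted.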
Read more: https://www.wiz.io/blog/database-ransomware-research