Elasticsearch databases get compromised through ransom notes

Elasticsearch Databases Compromised Ransom Notes

Malicious threat groups have targeted more than a hundred Elasticsearch databases and substituted nearly 500 indexes with ransom notes in their recent cybercriminal activities. The ransom demands reached about $280,000, and each request was approximately $600.

According to a researcher, they have observed cybercriminals receiving payments through a Bitcoin wallet address. They also noted that the adversaries only provided a week for the ransom payments to be accomplished.

If a victim fails to give the ransom, they will be forced to pay double the amount the following week. However, if the ransom is not paid for more than two weeks, the victim will lose their indexes.

Those victims who will cooperate with the threat actors’ demands will be guided to a download link, which leads to their database dump. The dump will aid the victim in restoring the data structure to its original form.

Experts claimed that the threat groups had utilised an automated script to dissect the databases, delete their data, and attach a ransom note. In addition, there is no manual engagement in this campaign.


The Elasticsearch database can cause trouble for the threat actors.


The threat actors may face several challenges in storing many Elasticsearch databases. A victim’s decision to pay the ransom will help the threat actors remove other databases from their storage.

The latest report claimed that more than 100k Elasticsearch databases were exposed to the web last year, which resulted in the compromise of 30% of about 400,000 exposed databases. A similar report also revealed that victims have an average of 170 days to know that they created a configuration error that leaves a lot of chances for an attacker to operate illegal activities.

Malicious threat actors will target Elasticsearch databases exposed to the internet with incompetent security configurations. It is imperative that admins publicly disclose no database unless necessary or secured.

Lastly, if a transaction requires remote access, database administrators should set up an MFA feature for authorised users and only allow access to those who need it.

About the author

Leave a Reply