While ransom attacks against MongoDB databases have seemingly slowed down recently, these attacks now appear to be targeting around 4,000 exposed CouchDB databases and 8,000-10,000 Hadoop Distributed File System (HDFS) installations. The main difference appears to be that attackers are no longer just holding data to ransom, but are simply erasing it in attempts to do harm.
According to reports last week, attackers have targeted over 34,000 MongoDB databases since December 2016 and another 35,000 Elasticsearch databases to date. Security researchers Victor Gevers and Niall Merrigan have been tracking the attacks, which they have called a “ransack,” for weeks now.
Attackers have been stealing or erasing data, leaving behind a ransom note demanding Bitcoin payments from the affected database owners. In later attacks, attackers were said to be destroying the data permanently, even when victims had already paid the ransom amount.