Cybercriminals are becoming more and more insolent as they are now attacking unprotected Redis servers, adding a rogue SSH key on infected systems, but delete all the users` data. However, to trick the victim into thinking their data has been encrypted, they leave a ransom note with instructions for payment.
The security company Duo Security set up a honeypot server, thanks to which the real intentions of the crooks were exposed. In the ransom note, the victims are asked to pay $1,100 (2 Bitcoins) for recovering lost data, but even if they do, it won`t make any difference.
This whole problem originates from the huge number of Redis servers with important data, which owners leave exposed online. According to Duo security experts, there are more than 18,000 Redis databases online, which are not protected in any way, not even a password authentication.
Moreover, there has been found an evidence that about 72% (13,000) of these servers had been attacked. The SSH key, named “crackit”, that crooks have left after hacking the server, was the important clue, which helped researcher come up with these stats.
The crackit, found on all 13,000 Redis servers, also had a Jabber ID attached to it: ryan@exploit.im.
At the beginning of July, the same SSH key and the Jabber ID were found by Risk Based Security on 6,338 servers. In that case, however, there was no evidence of the attackers deleting files and trying to deceive the victims to pay the ransom anyway.
It seems like phony pieces of ransomware are becoming more popular among crooks and they are including them in their operation modes.
Duo Security reports that the authors of the fake ransomware deleted data from the /var/www/, /usr/share/nginx/, /var/lib/mysql/, and /data/ folders, from every server they managed to breach. The honeypot data, the crooks didn’t try to encrypt, save or back up the victims` files in any way.
After the data deleting process is complete, the crooks rewrite the server’s MOTD and add a file to the server’s root folder, named “READ_TO_DECRYPT”. In this file, there is a URL which contains a ransom note.
The impostors managed to gain $1,450 (2, 5995 Bitcoins) after three payments were registered to the Bitcoin address shown in the ransom note.
Now, when the hackers` real intentions are exposed, no user should pay the ransom demanded if they happen to find the crackit SSH key on their servers. Instead, creating regular backups on their servers and using off-sites data stores would be much more helpful if they need to recover attacked files.
