Connect with us

Hi, what are you looking for?


Network Security

Over 18,000 Redis Instances Targeted in FairWare Attacks

Redis servers that are exposed to the Internet are prone to attacks similar to the newly discovered FairWare ransomware, researchers reveal.

Redis servers that are exposed to the Internet are prone to attacks similar to the newly discovered FairWare ransomware, researchers reveal.

Detailed only a few days ago, this so-called ransomware is targeting Linux servers and deletes the web folder from them, claiming to also upload the content to an attacker-controlled server. The attackers demand a 2 Bitcoin ransom and claim to not only have the victim’s files, but also to be willing to give them back. As it turns out, this might not be the case at all.

Redis is a BSD licensed, open source in-memory data structure store, used as a database, a caching layer or a message broker.

BleepingComputer’s initial report on this attack already questioned the possible existence of the deleted web folder on the attacker’s server, and information coming from Duo Security confirms that the erased files are gone for good.

Moreover, the security firm reveals that there are over 18,000 Redis servers exposed to the Internet, which are potential targets to this type of attack.

While highly useful when it comes to storing and retrieving data quickly and easily, Redis comes with a permissive security configuration that spells disaster when the server is exposed to the Internet. According to Duo Security, there are more than 18,000 Redis instances (on Internet of Things devices) exposed to the Internet, and many are running outdated versions of the software.

When Redis is exposed to the Internet, an attacker can view and modify stored data, while also being able to remotely configure the Redis instance to compromise entire devices. In fact, the security company has already detected automated attacks scanning the Internet in an attempt “to compromise devices running Redis with fake ransomware.”

Advertisement. Scroll to continue reading.

While all 18,000 Redis instances exposed to the Internet are at risk, evidence of the attack was found on only 13,000 (or 72%) of devices, showing that these hosts could be compromised. The attack, researchers have discovered, includes modifying the Redis configuration, deleting the Web folder, and dropping a ransom note. Except there is no actual ransomware involved.

By setting up a honeypot, Duo researchers were able to observe a live incident: the attacker deletes all keys stored in Redis > puts the attacker’s public key into the database under the name “crackit” > sets the on-disk copy of the database to the root user’s .ssh directory > renames the database to authorized_keys, so that the ssh server will search the database when the attacker connects.

Thus, the attacker accesses the server as the root user, and, after logging into the compromised system, the attacker attempts to delete “significant amounts of data on the host.” After that, a note pointing to a URL is dropped, linking to a ransom note, which informs the victim that the deleted files were encrypted and uploaded to the attacker’s server, that users should pay a 2 Bitcoin ransom to retrieve them, and that they should contact m1nt[at] for payment instructions.

“The note suggests that files have been encrypted and sent to a remote server, but we saw no indications of this happening. This attack looks to rely on fear to try and get people to pay for files that no longer exist,” Duo researchers say.

The researchers operated the honeypot for one month and observed attacks coming from 15 different IP addresses. One of these matches the address observed in the FairWare ransomware incident, confirming that it was the same type of attack. However, it appears that multiple actors might be employing the same technique (or the same attacker, but using different names).


Related: Unfinished Hitler-Ransomware Variant Deletes User Files

Related: CTB-Locker Ransomware Impersonator Uses WinRAR for Encryption

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...