Redis servers that are exposed to the Internet are prone to attacks similar to the newly discovered FairWare ransomware, researchers reveal.
Detailed only a few days ago, this so-called ransomware targets Linux servers, deletes their web folder and claims to have uploaded its contents to an attacker-controlled server. The attackers demand a 2 Bitcoin ransom and claim not only to hold the victim's files but also to be willing to give them back. As it turns out, this might not be the case at all.
Redis is a BSD licensed, open source in-memory data structure store, used as a database, a caching layer or a message broker.
BleepingComputer’s initial report on this attack already questioned whether a copy of the deleted web folder existed on the attacker’s server at all, and Duo Security’s findings indicate that the erased files were never uploaded and are gone for good.
Moreover, the security firm reveals that there are over 18,000 Redis servers exposed to the Internet, which are potential targets to this type of attack.
While highly useful for storing and retrieving data quickly and easily, Redis ships with a permissive security configuration: by default it requires no password, so anyone who can reach the port can issue commands, which spells disaster when the server is exposed to the Internet. According to Duo Security, more than 18,000 Redis instances (on Internet of Things devices) are exposed to the Internet, and many are running outdated versions of the software.
When Redis is exposed to the Internet, an attacker can read and modify the stored data and can also reconfigure the instance remotely, which is enough to compromise the whole host. In fact, the security company has already detected automated scans across the Internet attempting “to compromise devices running Redis with fake ransomware.”
While all 18,000 exposed Redis instances are at risk, evidence of the attack was found on roughly 13,000 (about 72%) of them, indicating that the attacker had already been able to write to those hosts. The attack, researchers discovered, consists of modifying the Redis configuration, deleting the web folder and dropping a ransom note. There is no actual ransomware involved.
By setting up a honeypot, Duo researchers were able to observe a live incident. The attacker first deletes all keys stored in Redis, then stores the attacker’s SSH public key in the database under the name “crackit”, then changes the directory where Redis writes its on-disk snapshot to the root user’s .ssh directory and renames the snapshot file to authorized_keys (the CONFIG SET dir and CONFIG SET dbfilename commands, followed by a SAVE). When Redis writes the snapshot, the result is a file at /root/.ssh/authorized_keys that contains the attacker’s key surrounded by database framing bytes; sshd ignores the lines it cannot parse and accepts the key when the attacker connects.
Thus, the attacker logs in over SSH as root. After gaining access to the compromised system, the attacker attempts to delete “significant amounts of data on the host,” then drops a note pointing to a URL that hosts the ransom demand. The ransom note tells the victim that the deleted files were encrypted and uploaded to the attacker’s server, that a 2 Bitcoin ransom must be paid to retrieve them, and that m1nt[at]sigaint.org should be contacted for payment instructions.
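The chain above leaves three artifacts on a hit instance (a dump directory pointing at .ssh, a dump filename of authorized_keys, and a “crackit” key holding an SSH public key), and it can only start against an instance that answers without authentication. The following checker is an added example written for this article, not Duo Security’s tooling or anything from the Redis project. It speaks the Redis wire protocol (RESP) directly over a socket so it needs no third-party library, and it can be pointed at a hypothetical host via a command-line argument; the canned replies it ships with are constructed to mimic a compromised instance and a password-protected one.

```python
"""Check a Redis instance for the CONFIG SET dir/dbfilename + authorized_keys abuse.

Added example, not the article's or Duo's code. Indicators checked:
  * instance answers PING without AUTH (the precondition for the whole attack)
  * CONFIG dir pointing at an .ssh directory
  * CONFIG dbfilename set to authorized_keys
  * a key named "crackit" holding an ssh public key
"""
import socket
import sys
from typing import Any, Callable


class RedisError(Exception):
    """An error reply from the server (-ERR ..., -NOAUTH ...), returned not raised."""


def encode_command(*args) -> bytes:
    """Encode a command as a RESP array of bulk strings, e.g. CONFIG GET dir."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(data: bytes):
    """Parse one RESP reply; returns (value, unconsumed_bytes). Raises ValueError if incomplete."""
    kind, rest = data[:1], data[1:]
    line, rest = rest.split(b"\r\n", 1)          # ValueError when no CRLF yet
    if kind == b"+":                             # simple string, e.g. +PONG
        return line.decode(), rest
    if kind == b"-":                             # error, e.g. -NOAUTH Authentication required.
        return RedisError(line.decode()), rest
    if kind == b":":                             # integer
        return int(line), rest
    if kind == b"$":                             # bulk string; $-1 is nil
        n = int(line)
        if n < 0:
            return None, rest
        if len(rest) < n + 2:
            raise ValueError("incomplete bulk string")
        return rest[:n], rest[n + 2:]
    if kind == b"*":                             # array; *-1 is nil
        n = int(line)
        if n < 0:
            return None, rest
        items = []
        for _ in range(n):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError("unexpected RESP type byte %r" % kind)


def network_sender(host: str, port: int = 6379, timeout: float = 3.0) -> Callable[..., Any]:
    """Return send(*args) that runs one command against a live instance (hypothetical host)."""
    def send(*args):
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_command(*args))
            buf = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed connection")
                buf += chunk
                try:
                    value, _ = parse_reply(buf)
                    return value
                except ValueError:               # reply not complete yet; keep reading
                    continue
    return send


def fake_sender(replies: dict) -> Callable[..., Any]:
    """Build send() from a table of canned replies, for offline testing and demos."""
    def send(*args):
        return replies.get(tuple(str(a) for a in args), RedisError("ERR unknown command"))
    return send


def audit(send: Callable[..., Any]) -> dict:
    """Run the indicator checks through send(*args) and return a summary."""
    result = {"unauthenticated": False, "findings": []}
    if isinstance(send("PING"), RedisError):     # -NOAUTH: requirepass is set, chain cannot start
        return result
    result["unauthenticated"] = True
    result["findings"].append("instance accepts commands without AUTH")

    def config_get(name):
        reply = send("CONFIG", "GET", name)      # [name, value], or an error if CONFIG was renamed
        return reply[1].decode(errors="replace") if isinstance(reply, list) and len(reply) == 2 else None

    dump_dir = config_get("dir")
    if dump_dir and dump_dir.rstrip("/").endswith("/.ssh"):
        result["findings"].append("dir points at an .ssh directory: %s" % dump_dir)
    if config_get("dbfilename") == "authorized_keys":
        result["findings"].append("dbfilename is authorized_keys")
    crackit = send("GET", "crackit")
    if isinstance(crackit, bytes) and b"ssh-" in crackit:
        result["findings"].append("key 'crackit' holds an ssh public key")
    return result


# Constructed replies mimicking a host hit by the attack described in the article.
COMPROMISED = {
    ("PING",): "PONG",
    ("CONFIG", "GET", "dir"): [b"dir", b"/root/.ssh"],
    ("CONFIG", "GET", "dbfilename"): [b"dbfilename", b"authorized_keys"],
    ("GET", "crackit"): b"\n\n\nssh-rsa AAAAB3NzaC1yc2E-constructed-sample-key attacker\n\n\n",
}
# Constructed replies from an instance protected with requirepass.
HARDENED = {("PING",): RedisError("NOAUTH Authentication required.")}

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # python redis_audit.py <host> [port]
        send = network_sender(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 6379)
    else:
        send = fake_sender(COMPROMISED)
    for line in audit(send)["findings"]:
        print("[!] " + line)
```

A clean instance returns an empty findings list; an instance that rejects PING with -NOAUTH is skipped entirely because the attack cannot reach CONFIG SET without credentials. The corresponding fixes in redis.conf are the ones Redis has always offered: set `requirepass`, restrict `bind` to the interfaces that need it (127.0.0.1 where only local clients exist), and disable or rename the dangerous command with `rename-command CONFIG ""`; Redis 3.2 and later additionally refuse non-loopback connections in protected mode when neither a bind address nor a password is configured, which is one reason the outdated versions mentioned above are the softer targets.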
“The note suggests that files have been encrypted and sent to a remote server, but we saw no indications of this happening. This attack looks to rely on fear to try and get people to pay for files that no longer exist,” Duo researchers say.
The researchers operated the honeypot for one month and observed attacks from 15 different IP addresses. One of them matches the address seen in the FairWare incident, confirming that it was the same type of attack. However, multiple actors appear to be using the same technique (or a single attacker is operating under different names).