Elasticsearch Ransomware


  1. Use X-Pack if you can,
  2. Do not expose your cluster to the internet,
  3. Do not use default configurations e.g. ports,
  4. Disable http if possible,
  5. If it must be internet facing: run behind a firewall, reverse proxy – Nginx (see example config), VPN etc,
  6. Disable Scripts,
  7. Regular back-up of your data with curator if you are not already.

Well, we all see that coming, didn’t we?  Once MongoDB started being ransom by criminals other No-SQL type technologies are surely on queue to follow. Now Elasticsearch Ransomware, no surprise neither that most Elasticsearch clusters are open to the internet.  Goes without saying even secure ones are mostly behind week/guessable passwords, default ports with unneeded http enabled.

The attackers are currently empting out clusters with a note left behind for payment:

 “Send 0.2 BTC (bitcoin)to this wallet xxxxxxxxxxxxxx234235xxxxxx343xxxx  if you want recover your database! Send to this email your service IP after sending the bitcoins xxxxxxx@xxxxxxx.org”

Rest assured if your are using elastic cloud you will be protected by their default shield/x-Pack protection.  To protect your self hosted cluster, the team at Elastic have posted a guide here.  Such a guide really should not be news to any Elasticsearch admin! If it is then action is nigh!

There is also a detailed step by step guide on all things securing your Elasticsearch cluster: “Don’t be ransacked: Securing your Elasticsearch cluster properly” by Itamar Syn-Hershko

So far its been mostly Amazon exposed services.  But the same Elasticsearch Ransomware techniques against an unsecure (wrongly configured) Elasticsearch instance can be applied to any other hosted/self Elasticsearch service.

Leave a Reply