In a chilling evolution of digital extortion, threat actors are increasingly abandoning traditional encryption software to wage “malware-less” ransomware attacks, directly targeting and wiping companies’ exposed databases clean. This new breed of attack, detailed in recent research by security firm Wiz, bypasses conventional defense systems because the damage is carried out using the database’s own built-in commands.
Instead of planting malicious code that locks up files, hackers are exploiting an epidemic of misconfigured cloud servers (those left exposed to the Internet with weak, default, or non-existent passwords) to simply delete or steal the data, leaving only a digital ransom note behind. The result is the same as any ransomware attack: paralyzed operations and a demand for payment to recover the lost information. One difference matters for victims, though: a dropped database can only be returned if the attacker actually copied it before wiping it, and nothing in the ransom note proves that they did.
The New Anatomy of a Digital Hostage-Taking
The technique is alarmingly simple and fast, turning a fundamental database function into a weapon. The operation typically begins with automated bots scanning the entire Internet for open ports that indicate an exposed database server: 3306 for MySQL, 5432 for PostgreSQL, 27017 for MongoDB, 6379 for Redis. If the attackers successfully authenticate, often by guessing weak passwords or finding servers that require no password at all, they execute a destructive command such as DROP DATABASE or a bulk DELETE with no WHERE clause, and the data is instantly rendered unavailable. Finally, the attacker creates a new entry, often a table or collection named something generic like README_TO_RECOVER, which contains the ransom demand and a cryptocurrency wallet address. Because no custom, detectable malicious files are ever dropped onto the server, the activity is difficult to flag with typical host-based security tools; it looks like ordinary administrative activity, and the only trace is in the database's own connection and statement logs, if those are enabled at all.
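Since the only record of such an attack is the database's own log, the practical detection is to read that log for the sequence just described: a connection from outside the application network, followed by a destructive statement and the creation of a ransom-note object. The following is an added example written for this article, not code from Wiz or from the original page; it parses constructed PostgreSQL log lines (the log_line_prefix format, the IP addresses, the object names, and the trusted subnet 10.0.2.0/24 are all assumptions) and returns the findings a monitoring job would alert on. The same ransom-name check covers the "unauthorized table" indicator mentioned under the defenses later in the article.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed PostgreSQL server log excerpt (sample data, not a real incident).
# It assumes log_line_prefix = '%m [%p] %u@%d %h ', log_connections = on
# and log_statement = 'all'; the IPs and object names are invented.
SAMPLE_LOG = """\
2024-05-03 02:14:07.118 UTC [4821] app@orders 10.0.2.15 LOG:  statement: SELECT id FROM orders WHERE id = 42
2024-05-03 02:14:09.502 UTC [4830] postgres@postgres 203.0.113.77 LOG:  connection authorized: user=postgres database=postgres
2024-05-03 02:14:10.001 UTC [4830] postgres@postgres 203.0.113.77 LOG:  statement: DELETE FROM customers
2024-05-03 02:14:10.140 UTC [4830] postgres@postgres 203.0.113.77 LOG:  statement: DROP DATABASE orders
2024-05-03 02:14:10.207 UTC [4830] postgres@postgres 203.0.113.77 LOG:  statement: CREATE TABLE readme_to_recover (message text)
2024-05-03 02:15:00.000 UTC [4821] app@orders 10.0.2.15 LOG:  statement: DELETE FROM sessions WHERE expires_at < now()
"""

# Assumed allowlist: only the application subnet may talk to the database.
TRUSTED_NETS = [ip_network("10.0.2.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<host>\S+) LOG:\s+(?P<msg>.*)$"
)
# Statements that make data unavailable in a single step.
DESTRUCTIVE_RE = re.compile(r"^\s*(?:DROP\s+(?:DATABASE|SCHEMA|TABLE)|TRUNCATE)\b", re.I)
# DELETE with no WHERE clause wipes a whole table.
BULK_DELETE_RE = re.compile(r"^\s*DELETE\s+FROM\s+[\w.\"]+\s*;?\s*$", re.I)
# Newly created objects whose names read like a ransom note.
CREATE_RE = re.compile(
    r"^\s*CREATE\s+(?:TABLE|SCHEMA)\s+(?:IF\s+NOT\s+EXISTS\s+)?(?P<name>[\w.\"]+)", re.I
)
RANSOM_NAME_RE = re.compile(r"readme|recover|restore|ransom|warning|how_to|pay", re.I)


def analyze(log_text, trusted_nets=TRUSTED_NETS):
    """Return (pid, kind, detail) findings for every suspicious log line."""
    findings = []
    seen_pids = set()  # report the source address once per backend process
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not silently trusted
        pid, host, msg = m["pid"], m["host"], m["msg"]
        if pid not in seen_pids:
            seen_pids.add(pid)
            try:
                addr = ip_address(host)
            except ValueError:
                addr = None  # hostnames or "[local]" sockets are not on the allowlist
            if addr is None or not any(addr in net for net in trusted_nets):
                findings.append((pid, "untrusted_source", host))
        if not msg.startswith("statement: "):
            continue
        stmt = msg[len("statement: "):]
        if DESTRUCTIVE_RE.match(stmt):
            findings.append((pid, "destructive_statement", stmt))
        elif BULK_DELETE_RE.match(stmt):
            findings.append((pid, "bulk_delete", stmt))
        else:
            created = CREATE_RE.match(stmt)
            if created and RANSOM_NAME_RE.search(created["name"]):
                findings.append((pid, "ransom_note_object", created["name"]))
    return findings


def high_risk_sessions(findings):
    """Backend pids that came from outside the allowlist AND destroyed or ransomed data."""
    kinds_by_pid = {}
    for pid, kind, _ in findings:
        kinds_by_pid.setdefault(pid, set()).add(kind)
    harmful = {"destructive_statement", "bulk_delete", "ransom_note_object"}
    return sorted(pid for pid, kinds in kinds_by_pid.items()
                  if "untrusted_source" in kinds and kinds & harmful)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print("high-risk sessions:", high_risk_sessions(results))
```

The application's own `DELETE ... WHERE expires_at < now()` from the trusted subnet is deliberately not flagged, which is the point of correlating the source address with the statement: a DROP from an application host is a change-management question, a DROP from an unknown Internet address is an incident.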
MongoDB and PostgreSQL Are on the Front Line
The research highlights a clear disparity in which databases are targeted. MongoDB is the dominant target for these extortion attempts, with PostgreSQL representing the second-largest share of environments with incidents. The risk comes less from the database software itself than from how often popular databases are deployed without authentication or network exposure controls; MongoDB and Redis, for instance, ship with no authentication configured by default, so an instance bound to a public interface is open to anyone who finds it. The report found that a majority of exposed database instances, such as those running Redis, had little-to-no authentication, making them easy prey. For attackers, the valuable information stored in databases, from customer financial records to intellectual property, makes the risk-to-reward ratio for these easily exploitable targets overwhelmingly favorable.
Defense Starts with Basic Hygiene
Security experts warn that this threat is primarily a problem of poor security hygiene, and organizations can greatly reduce their risk by implementing several foundational defenses:
1. Network Isolation: Database servers should never be directly accessible from the public Internet. They must reside in private networks behind firewalls (or cloud security groups) that permit connections only from trusted application servers; administrators who need remote access should reach the database through a bastion host or VPN rather than a public listener.
2. Strong Authentication: All databases must enforce strong, unique passwords using the strongest mechanism the engine offers (for PostgreSQL, scram-sha-256 rather than md5 or trust; for MongoDB, security.authorization enabled; for Redis, requirepass or ACLs) and, where the platform offers it, multi-factor or identity-provider-backed authentication. Trust modes and password-less access should be strictly disabled.
3. Data Redundancy: Companies must implement a robust and regularly tested backup strategy. Backups for critical data should be taken on a schedule and, crucially, stored in a separate, isolated location with credentials the database server itself does not hold, so that an attacker who controls the database cannot wipe the backups too. A restore that has never been rehearsed is not a backup.
4. Continuous Scanning: Organizations must continuously scan their environments not just for malware, but for misconfigurations and tell-tale indicators of compromise (IOCs). Checking for new, unauthorized database tables or collections named with common ransom demands (e.g., RECOVER_YOUR_DATA) can be the earliest sign that an attack has occurred, but this only works if the database's own connection and statement logging is enabled and shipped off the host, since host-based tools see nothing unusual.
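The first two defenses above come down to a handful of lines in each engine's configuration file, and they are exactly what a misconfiguration scan should look for. The following is an added example written for this article, not code from Wiz or from the original page: it shows a weak and a hardened fragment of pg_hba.conf, mongod.conf and redis.conf side by side, and small audit functions that flag the weak settings. All addresses, database and user names are invented, and the Redis password is a placeholder to be replaced with a long random secret (or, better, an ACL file).

```python
import re

# Constructed configuration fragments (sample data, not from any real system).
# The "weak" ones reproduce the kind of exposure the article describes; the
# "hardened" ones show the corrected settings. Addresses are invented.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      METHOD
local   all       all                peer
host    all       all   0.0.0.0/0    trust
host    all       all   ::/0         md5
"""
HARDENED_PG_HBA = """\
local   all       all                peer
host    orders    app   10.0.2.0/24  scram-sha-256
"""
WEAK_MONGOD = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_MONGOD = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.2.10
security:
  authorization: enabled
"""
WEAK_REDIS = """\
bind 0.0.0.0
protected-mode no
"""
HARDENED_REDIS = """\
bind 127.0.0.1 10.0.2.10
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


def _strip(line):
    """Drop comments and surrounding whitespace from a config line."""
    return line.split("#", 1)[0].strip()


def audit_pg_hba(text):
    """Findings for pg_hba.conf: (line number, message) per weak host rule."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = _strip(raw).split()
        if len(parts) < 5 or parts[0] not in ("host", "hostssl", "hostnossl"):
            continue  # 'local' rules are Unix-socket only and have no address column
        _, _, _, addr, method = parts[:5]
        if method == "trust":
            findings.append((n, "method 'trust' admits any client matching this rule without a password"))
        elif method in ("password", "md5"):
            findings.append((n, f"method '{method}' is weak; use scram-sha-256"))
        if addr.endswith("/0") or addr in WILDCARDS:
            findings.append((n, f"address {addr} matches the whole Internet"))
    return findings


def audit_mongod(text):
    """Findings for mongod.conf (YAML, checked line by line to avoid a dependency)."""
    findings = []
    bind = re.search(r"^\s*bindIp:\s*(\S+)", text, re.M)
    bind_all = re.search(r"^\s*bindIpAll:\s*true\b", text, re.M)
    if bind_all or (bind and WILDCARDS & set(bind.group(1).split(","))):
        findings.append("net.bindIp listens on every interface")
    if not re.search(r"^\s*authorization:\s*enabled\b", text, re.M):
        findings.append("security.authorization is not enabled; every connection is a full admin")
    return findings


def audit_redis(text):
    """Findings for redis.conf."""
    directives = {}
    for raw in text.splitlines():
        line = _strip(raw)
        if line:
            key, _, value = line.partition(" ")
            directives.setdefault(key.lower(), []).append(value.strip())
    findings = []
    binds = " ".join(directives.get("bind", [])).split()
    if not binds or WILDCARDS & set(binds):
        findings.append("no restrictive 'bind'; Redis listens on every interface")
    if directives.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode is off")
    if not any(k in directives for k in ("requirepass", "aclfile", "user")):
        findings.append("no password or ACL configured")
    return findings


if __name__ == "__main__":
    for name, fn, weak, good in [("pg_hba.conf", audit_pg_hba, WEAK_PG_HBA, HARDENED_PG_HBA),
                                 ("mongod.conf", audit_mongod, WEAK_MONGOD, HARDENED_MONGOD),
                                 ("redis.conf", audit_redis, WEAK_REDIS, HARDENED_REDIS)]:
        print(name, "weak:", fn(weak))
        print(name, "hardened:", fn(good))
```

The hardened fragments do the two things the list asks for: they name the exact application subnet (or loopback) the database will listen to or accept from, and they turn on real authentication. Run the audit functions over the files pulled from each host or baked into each image, and treat any finding as a blocking failure rather than a warning, since a single `trust` line or `bindIp: 0.0.0.0` is all the attack needs.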