The owners of Elasticsearch clusters began reporting on January 12, 2017 that their databases had been wiped and their indexes had been replaced by a single index demanding payment to a specified wallet in order for the user to recover the database. Elasticsearch is a distributed, RESTful search and analytics engine.
Any publicly accessible Elasticsearch cluster
Indicators of Compromise
The disclosed compromise can be identified by a modified index containing a ransom note requesting payment to recover the database.
Remove public access to the Elasticsearch cluster. If a cluster must be reachable over the Internet, restrict access with a firewall, VPN, or a similar control.
We assess that the risk posed by this vulnerability is high if the Elasticsearch cluster is publicly accessible.
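Both the indicator above (a lone index carrying a ransom note) and the exposure condition (a node bound beyond loopback) can be checked in a triage script. The following is an added example, not code from this advisory or from Elastic; the ransom phrases, the index name, the wallet placeholder and the configuration snippet are constructed for illustration.

```python
"""Triage helpers for the Elasticsearch ransom incident described above
(added example, not code from the advisory or from Elastic; sample data is
constructed)."""
import ipaddress
import json
import re

# Phrases typical of a ransom note (constructed; tune for your environment).
RANSOM_PATTERNS = re.compile(
    r"(send|pay)\b.*\b(btc|bitcoin|wallet)|ransom|(recover|restore)\b.*\b(database|data)",
    re.IGNORECASE,
)

def scan_indices(cat_indices_json, sample_docs):
    """Return index names whose sample documents read like a ransom note.

    cat_indices_json: body of GET /_cat/indices?format=json
    sample_docs: index name -> list of _source dicts (e.g. first hits of
                 GET /<index>/_search); every field of each doc is checked.
    """
    flagged = []
    for row in json.loads(cat_indices_json):
        docs = sample_docs.get(row["index"], [])
        if any(RANSOM_PATTERNS.search(json.dumps(doc)) for doc in docs):
            flagged.append(row["index"])
    return flagged

def check_bind_address(elasticsearch_yml):
    """True if network.host binds a non-loopback (possibly public) address.
    Elasticsearch 2.0+ defaults to loopback, so a missing setting is safe;
    a YAML list or interface name (_eth0_, _site_, _global_) counts as exposed."""
    m = re.search(r"^\s*network\.host\s*:\s*(\S+)", elasticsearch_yml, re.MULTILINE)
    if not m:
        return False
    value = m.group(1).strip("'\"")
    if value in ("_local_", "localhost"):
        return False
    try:
        return not ipaddress.ip_address(value).is_loopback
    except ValueError:
        return True

# Constructed sample: one index left after the wipe, a placeholder wallet,
# and a config that binds every interface.
SAMPLE_CAT_INDICES = '[{"health":"yellow","status":"open","index":"recover_your_data","docs.count":"1"}]'
SAMPLE_DOCS = {"recover_your_data": [
    {"message": "SEND 0.2 BTC TO WALLET_PLACEHOLDER and email us to recover your database"}]}
SAMPLE_YML = "cluster.name: logs\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
```

Run `scan_indices` against a live cluster by feeding it the `_cat/indices` response and a small `_search` sample per index; a collapse to a single flagged index matches the compromise described above.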
Additional information can be found at: