Fighting Ransomware

Transcript

1. FIGHTING DATABASE RANSOMWARE Philipp Krenn̴̴̴@xeraa

2. None

3. DATABASE RANSOMWARE

4. MySQL MongoDB Elasticsearch Cassandra Hadoop

5. None
6. None

7. $ curl -XGET 'http://167.114.250.128:9200/_cat/indices' yellow open e82216d4a5fe1dad01c7f2c4bff36321_shared 5 1 236065

   0 83.7mb 83.7mb yellow open please_read 5 1 1 0 4.2kb 4.2kb yellow open 4daea2c29f467e879d3a4ef359c0571d_shared 5 1 344 3 938.5kb 938.5kb

8. $ curl -XGET 'http://167.114.250.128:9200/please_read/_search?q=*&pretty' { "took" : 11, "timed_out" :

   false, "_shards" : { "total" : 5, "successful" : 5, "failed" : 0 }, "hits" : { "total" : 1, "max_score" : 1.0, "hits" : [ { "_index" : "please_read", "_type" : "info", "_id" : "AVm3WEKovyrlfSDHByR2", "_score" : 1.0, "_source":{ "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip", "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx", "Email" : "[email protected]" } } ] } }

9. $ curl -XGET 'http://167.114.250.128:9200/please_read/_search?q=*&pretty' { "took" : 11, "timed_out" :

   false, "_shards" : { "total" : 5, "successful" : 5, "failed" : 0 }, "hits" : { "total" : 1, "max_score" : 1.0, "hits" : [ { "_index" : "please_read", "_type" : "info", "_id" : "AVm3WEKovyrlfSDHByR2", "_score" : 1.0, "_source":{ "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip", "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx", "Email" : "[email protected]" } } ] } }

10. Will you get your data back?

11. DON'T GET RANSOMED

12. Bound to non-localhost interface?

13. NETWORK Private network

14. NETWORK Firewall

15. NETWORK Random port

16. AUTHENTICATION & AUTHORIZATION Proxy

17. AUTHENTICATION & AUTHORIZATION Security

18. RESTORE

19. OUTSOURCE OPERATIONS https://cloud.elastic.co

20. THANKS! AMA & swag