FairWare ransomware infects servers through exposed Redis instances

Attackers exploit Redis configurations to add an unauthorized SSH key for the root account

Days after reports that a new ransomware attack was deleting files from web servers, security researchers determined that some of the affected servers were hacked through insecure deployments of the Redis database.

Over the past week, reports popped up on support forums about web servers being wiped clean and hosting a ransom note through which attackers offered to return the deleted files in exchange for two bitcoins (around US$1,150). Experts from tech support forum BleepingComputer.com dubbed the new threat FairWare.

On Wednesday, researchers from security firm Duo Security reported a similar attack against servers that hosted publicly accessible Redis databases.

Attackers took advantage of insecure-by-default Redis configurations to overwrite the list of SSH public keys authorized to log in as root with a key they controlled, and then logged in over SSH as root. They used the newly gained access to delete several directories, including the root web directory where websites are stored, and left behind a ransom note.

Redis is an open source in-memory data structure store that can be used as a database, cache, and message broker. Its developers warn that "Redis is designed to be accessed by trusted clients inside trusted environments" and that "usually it is not a good idea to expose the Redis instance directly to the internet."

This warning hasn't stopped web server administrators from exposing some 18,000 Redis installations directly to the Internet, therefore putting web servers at risk. Thirteen thousand of those Redis installations show signs of being affected by this new pseudo-ransomware attack, according to the Duo Security researchers.

More precisely, Duo's scans revealed that around 13,000 Redis databases contained a key named "crackit" whose value was an SSH public key. By modifying the running Redis configuration, attackers tricked the software into writing that value over the SSH authorized keys for the root account on the server.
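To make the mechanism above and the warning about exposed instances concrete, here is an added example in Python (not code from the article, from Duo Security or from the Redis project). One function flags the indicators this campaign leaves on a live instance; the other audits a redis.conf for the settings that allow the abuse. The key name "crackit" comes from the article; the checks on the `dir` and `dbfilename` settings follow from the widely documented technique of pointing the RDB snapshot at an `.ssh` directory so that a SAVE writes the key. All inputs (the CONFIG GET values, the key dump and both config files) are constructed for illustration.

```python
"""Detection and hardening checks for the Redis-to-root-SSH abuse.

Added example; not code from the article, Duo Security or the Redis project.
Every input below (CONFIG GET values, key dump, redis.conf text) is constructed.
"""
import re
from typing import Dict, List

# Matches a public key line of the kind found in authorized_keys. MULTILINE is
# needed because the planted value is padded with newlines so that the RDB
# header and trailer around it do not break the key line.
SSH_KEY_RE = re.compile(
    r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+", re.M
)
# Assumption: a snapshot directory ending in .ssh is the tell-tale of the
# documented technique (CONFIG SET dir <home>/.ssh, dbfilename authorized_keys).
SUSPICIOUS_DIR_RE = re.compile(r"(^|/)\.ssh/?$")


def attack_indicators(config: Dict[str, str], keys: Dict[str, str]) -> List[str]:
    """Return findings from a live instance's CONFIG GET values (dir, dbfilename)
    and a dump of its string keys. An empty list means nothing fired."""
    findings = []
    if SUSPICIOUS_DIR_RE.search(config.get("dir", "")):
        findings.append(f"dir points at an SSH directory: {config['dir']}")
    if config.get("dbfilename") == "authorized_keys":
        findings.append("dbfilename is authorized_keys")
    for name, value in keys.items():
        if SSH_KEY_RE.search(value):
            tag = " (name matches the FairWare campaign)" if name == "crackit" else ""
            findings.append(f"key {name!r} holds an SSH public key{tag}")
    return findings


def audit_redis_conf(conf_text: str) -> List[str]:
    """Flag redis.conf settings that leave the instance open to this abuse."""
    settings: Dict[str, List[str]] = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    problems = []
    binds = " ".join(settings.get("bind", []))
    if not binds or "0.0.0.0" in binds or "*" in binds:
        problems.append("bind: listens on all interfaces (use 127.0.0.1 or a private address)")
    if "requirepass" not in settings:
        problems.append("requirepass: no password, so any client can issue CONFIG SET")
    config_renamed = any(
        v.split()[0].upper() == "CONFIG" for v in settings.get("rename-command", []) if v
    )
    if not config_renamed:
        problems.append("rename-command: CONFIG is still reachable by clients")
    if settings.get("protected-mode", ["yes"])[-1].lower() == "no":
        problems.append("protected-mode: disabled")
    return problems


# Constructed sample data: what CONFIG GET and a key dump look like on an
# instance hit by this campaign, versus an untouched one.
COMPROMISED_CONFIG = {"dir": "/root/.ssh", "dbfilename": "authorized_keys"}
COMPROMISED_KEYS = {
    "crackit": "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7 attacker@example.com\n\n",
    "session:42": "user=alice",
}
CLEAN_CONFIG = {"dir": "/var/lib/redis", "dbfilename": "dump.rdb"}

WEAK_CONF = """# constructed: settings that expose the instance to the internet
bind 0.0.0.0
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """# constructed: loopback only, password required, CONFIG renamed away
bind 127.0.0.1
port 6379
requirepass a-long-random-secret
rename-command CONFIG ""
protected-mode yes
"""

if __name__ == "__main__":
    for finding in attack_indicators(COMPROMISED_CONFIG, COMPROMISED_KEYS):
        print("indicator:", finding)
    for problem in audit_redis_conf(WEAK_CONF):
        print("weak conf:", problem)
    print("hardened conf problems:", audit_redis_conf(HARDENED_CONF))
```

On a real host the `config` argument would be filled from `CONFIG GET dir` and `CONFIG GET dbfilename` and `keys` from a scan of string keys; the conf audit runs against the file on disk. Renaming CONFIG away removes the primitive the attack needs, but binding to loopback (or a private interface behind a firewall) and setting a password are what keep an unauthenticated stranger from reaching the instance at all.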

Even though the attackers claim in the ransom note that the files have been encrypted, this is most likely not true. The Duo Security researchers set up a honeypot server with an insecure Redis deployment and waited for it to be hacked.

They then monitored what commands attackers executed on the server after connecting with the rogue SSH key. All of the observed commands were to delete various directories and to generate the ransom note.

"The note suggests that files have been encrypted and sent to a remote server, but we saw no indications of this happening," the researchers said in a blog post. "This attack looks to rely on fear to try and get people to pay for files that no longer exist."

The ransom note observed by the Duo researchers was different from the one accompanying the initial FairWare reports. However, BleepingComputer.com founder Lawrence Abrams was able to confirm that Redis was installed on the servers of several FairWare victims and that the same "crackit" key with the same email address was present in the data stores.
