Protection racket de luxe
One thing is all too clear to cybercriminals: there is money to be made.
So far, nothing new... but unfortunately I see all too often a reaction that could well be called "shock rigidity" - or better "shock comfort", if that word existed.
By this I mean that people reassure themselves that this was "only a problem for private users", or that it was already "the worst-case scenario", the biggest incident imaginable.
But worse is always possible!
Before I go into the concrete background, I would like to invite you to a thought experiment: Imagine you are the CEO of a medium-sized company.
Private customers are snapping up the service you offer, and the company is growing and thriving.
You want to expand your customer base or penetrate the existing customer base with even more products and services.
Both mean more sales, growth, and at the end of the day, your salary.
But precisely here one has to ask why cybercriminals are assumed to lack this business sense. Why do people assume that the worst is behind us? Why shouldn't cybercriminals want to open up new "customer groups" or make us happy with new "products"?
Here I would like to show you two current approaches that cybercriminals will "delight" us with this year.
- On the one hand, the expansion of a well-known scam - crypto-ransomware - to other customer groups.
- On the other hand, a "product" specifically for new customer groups - with higher upfront investment, but also significantly higher profit.
The original business model of crypto-ransomware is simple: data on the (private) PC is encrypted and thus becomes a hostage that is released only on payment of a certain amount.
The value of the hostages for the blackmailed person usually increases with the amount of data. And this is exactly the starting point for an expanded business model!
Where can you find a lot of important data for which the owner is willing to pay as much ransom as possible? You might have guessed it already: in company databases.
That's exactly why cybercriminals went looking for it, and they found it in MongoDB, a widely used NoSQL database.
To simplify development, its default installation does not require any authentication.
If such a database is then put into regular operation, and may even be reachable from the Internet, disaster is inevitable: attackers encrypt the data in the database and leave a note in the database stating that the data can be decrypted again against payment in Bitcoin.
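The two settings that decide whether a MongoDB instance ends up in this situation are where it listens and whether authorization is switched on. The following script is an added example, not code from the original post or from the MongoDB project: it reads a mongod.conf with a small purpose-built parser (the flat "section / key: value" YAML subset that file uses) and reports the weak settings. The two configuration texts are constructed samples; the key names (`net.bindIp`, `net.bindIpAll`, `security.authorization`) are MongoDB's real configuration options.

```python
"""Audit a mongod.conf for the two settings behind the MongoDB ransom wave:
a listener bound to every interface and no authorization.
Added example; the two configuration texts are constructed samples."""

# Constructed sample: an unhardened instance. Authorization is off unless
# 'security.authorization: enabled' is set explicitly.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the hardened counterpart of the same file.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' YAML subset used by
    mongod.conf into {section: {key: value}}. Comments and blank lines are
    skipped. Deliberately a mini parser, not a general YAML library."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        if not indented:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    addrs = {a.strip() for a in net.get("bindIp", "").split(",") if a.strip()}
    bind_all = net.get("bindIpAll", "").lower() == "true"
    if bind_all or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp: listener reachable on every interface")
    elif not addrs:
        # Default depends on the release (3.6+ binds to localhost, older
        # releases to all interfaces), so an unset value needs a look.
        findings.append("net.bindIp: not set, default depends on release")
    elif not addrs <= LOOPBACK:
        findings.append("net.bindIp: non-loopback address(es) %s, must be "
                        "firewalled" % ", ".join(sorted(addrs)))

    if security.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization: not enabled, anyone who can "
                        "connect has full access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit(text) or ["ok"])
```

Run against a real file with `audit(open("/etc/mongod.conf").read())`. The point of the check order is that both findings are independent: binding to localhost alone does not help a host that also runs a web application on the same machine, and authorization alone still leaves the service discoverable and exposed to any future bug in it.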
In 2016, up to 27,000 databases per day were taken hostage.
Once the business model has proven itself, they look for variations.
The current variant is the "hijacking", i.e. the encryption, of ElasticSearch servers. ElasticSearch is the engine behind a great many search functions on websites and other services.
One could debate at length why production databases are exposed on the Internet at all, let alone without backups.
The fact is that new services are constantly being put on the Internet. Putting them online and relying on nobody finding them is an illusion.
Here we recommend a visit to shodan.io, a search engine for "things" (servers, devices, services) on the Internet.
To put it casually: If you connect a service online, it will be found.
If the service is not configured securely (and databases without a password are a very prominent example here) or has other security vulnerabilities, it must be assumed that it will be compromised.
Especially if there is money to be made from it.
In summary, the outlook for the future is (unfortunately):
"You can always do worse."
Therefore, put targeted security measures in place, with the future in mind as well.
Of course, this should not degenerate into panic and blind activism - but the other extreme, shock rigidity, does not help either.