Some 35,000 ElasticSearch servers, mostly hosted on Amazon Web Services, are open to the internet and to ransoming criminals, Shodan boss John Matherly says.
So far more than 360 instances have had their data copied, erased and held to ransom using the same techniques that blitzed tens of thousands of MongoDB servers this week.
Affected ElasticSearch administrators are greeted in one actor’s attacks with a message reading:
“Send 0.2 bitcoins to this wallet: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r if you want recover (sic) your database! Send to this email your service IP after sending the bitcoins firstname.lastname@example.org (sic).”