2020 / Data theft / Ransomware / Security hole

Bar association affected by ransomware – perpetrators demand ransom!


The Bar Association’s electronic lawyer mailbox (BeA) has apparently fallen victim to a ransomware attack. A misconfigured database allowed the attackers to copy and delete its contents and then demand a ransom.

Bar association hit by ransomware 2 weeks ago

The news website Golem reported about two weeks ago that the information page of the electronic lawyer mailbox was repeatedly offline and could not be reached. According to new information, this “downtime” of the information page was the result of a cyber attack.

The Bar Association’s website is not the BeA itself; it is simply an informational site for the public. Still, this attack is not to be taken lightly, because a well-known misconfiguration caused the damage.

The information page was running a MySQL database that was apparently configured to accept connections from any user without requiring a username and password. This misconfiguration allowed the attackers to copy the data and then delete the entire database.

€570 as ransom demand

The database, which was exposed because of the misconfiguration, no longer contained any of its original data after the attack. The two remaining tables each contained a single entry referencing an onion address. This kind of blackmail is no longer a new strategy.

If you open this onion address, you will see the attackers’ demand: to get back the data of the compromised database, 0.06 Bitcoin is to be transferred to a specified wallet. At the current time, 0.06 Bitcoin is worth about €570, a fairly small amount for a ransomware demand. It is precisely such a ransom demand that characterizes a ransomware attack, in this case against the Bar Association. It is not uncommon for data to be downloaded before it is encrypted or deleted; if the victim does not pay the ransom, the attackers threaten to release the data.

This small demand could be related to the fact that the contents of the database have fallen into the hands of several criminals and could therefore already be widely distributed. Since the database was completely unprotected, it is reasonable to assume that more than one hacker group stole the data.

To protect yourself and your stored data, make sure that the database you are using is configured correctly. A misconfiguration like the one in the example above would be noticed very quickly during a penetration test. By proactively discovering and closing your security gaps, you can save yourself a costly cyber attack.
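As an added example (not from the original article or the affected site), the following MySQL statements show how an administrator can audit a server for the misconfiguration described above, accounts that log in with no password or anonymously, and how to remove them. It assumes MySQL 5.7 or 8.0, where credential hashes live in `mysql.user.authentication_string`, and uses a hypothetical application account named `webapp`.

```sql
-- Audit: list every account that can authenticate without a password
-- (empty authentication_string) or without a username (anonymous user '').
-- On a correctly configured server this query returns an empty set.
SELECT User, Host, plugin, account_locked
FROM mysql.user
WHERE authentication_string = ''
   OR User = '';

-- Audit: accounts reachable from any host ('%') deserve a second look even
-- when they have a password; an app account rarely needs a wildcard host.
SELECT User, Host
FROM mysql.user
WHERE Host = '%';

-- Remediation: remove the anonymous accounts that allow password-less access.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';

-- Remediation: give the (hypothetical) application account a real password
-- and restrict it to the host it actually connects from.
ALTER USER 'webapp'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-STRONG-PASSWORD';
-- If the app account was created with a wildcard host, pin it down:
-- RENAME USER 'webapp'@'%' TO 'webapp'@'localhost';

-- Network side (my.cnf, [mysqld] section, not SQL): bind-address=127.0.0.1
-- keeps the listener off public interfaces unless remote access is required.
```

Re-run the first two queries after the changes; both should return no rows before the server is exposed to the network again.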


Chris Wojzechowski

My name is Chris Wojzechowski, and a few years ago I completed my master’s degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH, a trained IT risk manager and IT-Grundschutz practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe and for this reason offer the majority of our products free of charge.