Bar association affected by ransomware – perpetrators demand ransom!

M.Sc. Jan Hörnemann (CeHv10, ISB according to ISO 27001 (TÜV))

The Bar Association’s electronic lawyer mailbox (BeA) has apparently fallen victim to a ransomware attack. A misconfigured database allowed the attackers to, among other things, demand a ransom.

Bar association hit by ransomware 2 weeks ago

The news website Golem already reported about 2 weeks ago that the information page of the electronic lawyer mailbox was offline again and again and therefore could not be reached. New information says that this “downtime” of the information page was the result of a cyber attack.

The Bar Association’s website is not the BeA itself; it is simply an informational site for the public. Still, this attack is not to be taken lightly, as a known misconfiguration caused the damage.

The information page was running a MySQL database that was apparently configured to accept connections from anyone without requiring a username and password. This misconfiguration allowed the attackers to copy the data and then delete the entire database.
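As an added example (not code from the article or from the Bar Association’s setup), the following Python audit runs over rows shaped like MySQL’s `mysql.user` table and flags exactly the kind of account configuration described above: anonymous accounts, accounts with no credential, and accounts reachable from any host. The sample rows, the `Account` class and the suggested remediation statements are constructed here for illustration.

```python
"""Audit MySQL account rows for passwordless or anonymous access.

Rows mirror `SELECT User, Host, plugin, authentication_string FROM mysql.user`.
The sample data below is constructed and does not come from the incident."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    plugin: str   # authentication plugin, e.g. caching_sha2_password
    auth: str     # authentication_string column ('' means no credential)


# Constructed sample rows: a root account with no password reachable from
# any host, an anonymous account, and a properly scoped service account.
SAMPLE_ACCOUNTS = [
    Account("root", "%", "mysql_native_password", ""),
    Account("", "localhost", "mysql_native_password", ""),
    Account("app", "10.0.0.%", "caching_sha2_password", "hashed-credential-placeholder"),
]


def audit(accounts):
    """Return (finding, remediation SQL) pairs for risky accounts.

    auth_socket accounts legitimately have an empty authentication_string
    because the OS socket peer credential is used instead, so they are skipped."""
    findings = []
    for a in accounts:
        ident = f"'{a.user}'@'{a.host}'"
        if a.user == "":
            findings.append((f"anonymous account {ident}", f"DROP USER {ident};"))
            continue
        if a.auth == "" and a.plugin != "auth_socket":
            findings.append((f"passwordless account {ident}",
                             f"ALTER USER {ident} IDENTIFIED BY '<strong password>';"))
        if a.host == "%":
            findings.append((f"account {ident} reachable from any host",
                             f"RENAME USER {ident} TO '{a.user}'@'localhost';"))
    return findings


if __name__ == "__main__":
    for finding, fix in audit(SAMPLE_ACCOUNTS):
        print(f"{finding}\n    fix: {fix}")
```

On a live server the same three checks can be run directly with `SELECT User, Host, plugin, authentication_string FROM mysql.user;` and compared against the rules above.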

570€ as ransom demand

The database, which was vulnerable due to the misconfiguration, contained no data after the attack. The two remaining tables each contained a single entry referencing an onion address. This kind of blackmail is no longer a new strategy.

If you open this onion address, you will see the attackers’ demand. To get back the data of the compromised database, 0.06 Bitcoin is to be transferred to a specified wallet. At the current time, 0.06 Bitcoin is worth about €570, a fairly small amount for a ransomware demand. It is precisely such a ransom demand that characterises a ransomware attack, in this case against the Bar Association. It is not uncommon for data to be downloaded before encryption; if the victim does not pay the ransom, the attackers threaten to release the data.

This small demand could be related to the fact that the contents of the database have fallen into the hands of several criminals and could therefore already be widely distributed. Since the database was completely unprotected, it is reasonable to assume that more than one hacker group stole the data.

To protect yourself and your stored data, make sure that the database you are using is configured correctly. A misconfiguration like the one in the above example would be noticed very quickly during a penetration test. Thus, you could save yourself a costly cyber attack by proactively discovering and closing your security gaps.

M.Sc. Jan Hörnemann (CeHv10, ISB according to ISO 27001 (TÜV))

Hello dear reader, My name is Jan Hörnemann. Since the beginning of my studies in October 2016, I have been dealing with IT security on a daily basis. Through the Master of Science degree in Internet Security, I have learned many different aspects of IT security and try to convey them in live hacking shows as well as in our blog.