Bar association affected by ransomware – perpetrators demand ransom!

The Bar Association’s electronic lawyer mailbox (BeA) has apparently fallen victim to a ransomware attack. A misconfigured database allowed the attackers, among other things, to wipe the data and demand a ransom for it.

Bar association hit by ransomware 2 weeks ago

The news website Golem reported about two weeks ago that the information page of the electronic lawyer mailbox was repeatedly offline and therefore unreachable. New information indicates that this “downtime” of the information page was the result of a cyber attack.

The Bar Association’s website is not the BeA itself; it is simply an informational site for the public. Still, this attack is not to be taken lightly, because a well-known misconfiguration caused the damage.

The information page was running a MySQL database that was apparently configured to accept any connection without requiring a username and password. This misconfiguration allowed the attackers to copy the data and then delete the entire database.

570€ as ransom demand

After the attack, the database, which was exposed by the misconfiguration, no longer contained any of its original data. The two tables that remained each held only a single entry referencing an onion address. This kind of blackmail is no longer a new strategy.

If you open this onion address, you will see the attackers’ demand. To get the data of the compromised database back, 0.06 Bitcoin is to be transferred to a specified wallet. At the time of writing, 0.06 Bitcoin is worth about €570, a fairly small amount for a ransomware demand. It is precisely such a ransom demand that characterises a ransomware attack, in this case against the Bar Association. It is not uncommon for data to be downloaded before encryption; if the victim does not pay the ransom, the attackers threaten to release the data.

This small demand could be related to the fact that the contents of the database have fallen into the hands of several criminals and may therefore already be widely distributed. Since the database was completely unprotected, the obvious assumption is that more than one group stole the data.

To protect yourself and your stored data, make sure that the database you are using is configured correctly. A misconfiguration like the one in the example above would be noticed very quickly during a penetration test. You can therefore spare yourself a costly cyber attack by proactively discovering and closing your security gaps.
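The audit below is an added example and not part of the original article or of AWARE7's tooling. It assumes MySQL 5.7 or 8.0 (the `mysql.user` columns used here exist in both), and the account name `webapp`, its host `10.0.0.5` and the schema `infosite` are hypothetical placeholders for the application account of an information site like the one described above.

```sql
-- Step 1: find accounts that reproduce the misconfiguration from the article.
-- Anonymous users (user = '') and accounts with no stored credential let anyone
-- who can reach the port log in without a username or password.
SELECT user, host, plugin, authentication_string
FROM mysql.user
WHERE user = ''                    -- anonymous accounts
   OR authentication_string = ''   -- no password set
   OR host = '%';                  -- accepted from any source address

-- Step 2: which accounts could have wiped the data? Global DROP on a server that
-- is reachable from outside the host is exactly what turns a leak into a wipe.
SELECT user, host
FROM mysql.user
WHERE Drop_priv = 'Y'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- Step 3: is the server listening on all interfaces? bind_address = '*' or
-- 0.0.0.0 combined with a hit in step 1 is the exposure described above.
SHOW VARIABLES WHERE Variable_name IN ('bind_address', 'skip_networking');

-- Step 4: remediate. Remove anonymous accounts entirely ...
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
-- ... give the application account a real password (placeholder value, replace it),
-- bound to the host it actually connects from ...
ALTER USER 'webapp'@'10.0.0.5' IDENTIFIED BY 'REPLACE_WITH_A_LONG_RANDOM_PASSWORD';
-- ... and take DROP away from it: a public information site needs to read and
-- write rows, not drop tables. Grant only what it uses, on its own schema only.
REVOKE ALL PRIVILEGES ON *.* FROM 'webapp'@'10.0.0.5';
GRANT SELECT, INSERT, UPDATE, DELETE ON infosite.* TO 'webapp'@'10.0.0.5';
FLUSH PRIVILEGES;

-- Step 5: a rough indicator of the wipe pattern from the article, for use after an
-- incident or as a scheduled canary: application schemas whose tables hold at most
-- one row. table_rows is an estimate for InnoDB, so treat hits as a prompt to look,
-- not as proof.
SELECT table_schema, table_name, table_rows
FROM information_schema.tables
WHERE table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND table_rows <= 1
ORDER BY table_schema, table_name;
```

Steps 1 to 3 are read-only and can be run against any server you administer; steps 4 and 5 change privileges and should be adapted to the accounts that actually exist on your instance.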

Vincent Reckendrees

Hello, I am Vincent Reckendrees and I lead the Offensive Services team at AWARE7 GmbH. In my bachelor's and master's studies I specialised in IT security, and I am a BSI-certified IS penetration tester. My passion is reverse engineering, hardware security and web security. As a penetration testing expert, I find vulnerabilities in systems and networks and use them to simulate realistic cyber attacks and improve security measures. Through reverse engineering I discover bugs and opportunities for improvement in software and hardware. My skills in hardware and web security allow me to protect physical devices and online platforms from a wide range of cyber threats and to ensure their integrity and reliability.