Aggregator
[Control systems] B&R security advisory (AV26-056)
NDSS 2025 – all your (data)base are belong to us: Characterizing Database Ransom(ware) Attacks
Session 10B: Ransomware
Authors, Creators & Presenters: Kevin van Liebergen (IMDEA Software Institute), Gibran Gomez (IMDEA Software Institute), Srdjan Matic (IMDEA Software Institute), Juan Caballero (IMDEA Software Institute)
PAPER
all your (data)base are belong to us: Characterizing Database Ransom(ware) Attacks
We present the first systematic study of database ransom(ware) attacks, a class of attacks where attackers scan for database servers, log in by leveraging the lack of authentication or weak credentials, drop the database contents, and demand a ransom to return the deleted data. We examine 23,736 ransom notes collected from 60,427 compromised database servers over three years, and set up database honeypots to obtain a first-hand view of current attacks. Database ransom(ware) attacks are prevalent with 6K newly infected servers in March 2024, a 60% increase over a year earlier. Our honeypots get infected in 14 hours since they are connected to the Internet. Weak authentication issues are two orders of magnitude more frequent on Elasticsearch servers compared to MySQL servers due to slow adoption of the latest Elasticsearch versions. To analyze who is behind database ransom(ware) attacks we implement a clustering approach that first identifies campaigns using the similarity of the ransom notes text. Then, it determines which campaigns are run by the same group by leveraging indicator reuse and information from the Bitcoin blockchain. For each group, it computes properties such as the number of compromised servers, the lifetime, the revenue, and the indicators used. Our approach identifies that the 60,427 database servers are victims of 91 campaigns run by 32 groups. It uncovers a dominant group responsible for 76% of the infected servers and 90% of the financial impact. We find links between the dominant group, a nation-state, and a previous attack on Git repositories.
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.
Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their creators', authors' and presenters' superb NDSS Symposium 2025 conference content on the organization's YouTube channel.
The post NDSS 2025 – all your (data)base are belong to us: Characterizing Database Ransom(ware) Attacks appeared first on Security Boulevard.
Top Authentication Methods for Preventing Data Breaches
Authentication determines who gets in and who stays out. Getting this right means fewer breaches, less downtime, and stronger trust with customers.
The post Top Authentication Methods for Preventing Data Breaches appeared first on Security Boulevard.
[Control systems] ABB security advisory (AV26-055)
VMware security advisory (AV26-054)
Some ChatGPT browser extensions are stealing your data
A threat actor is seeding the internet with AI browser extensions that can intercept a user’s authenticated session tokens and hijack accounts.
The post Some ChatGPT browser extensions are stealing your data appeared first on CyberScoop.
Best VPN Services of 2026: Fast, Secure & Affordable
In today’s digital world, online privacy and security have never been more important. With cybercrime on the rise and government surveillance becoming more common, protecting your personal information online is crucial. Whether you’re browsing on public Wi-Fi, shopping online, or just scrolling through social media, using a Virtual Private Network (VPN) is one of the […]
The post Best VPN Services of 2026: Fast, Secure & Affordable appeared first on Cyber Security News.
Imperva Customers Protected Against CVE-2026-21962 in Oracle HTTP and WebLogic
What Is CVE-2026-21962? CVE-2026-21962 is a critical (CVSS 10.0) vulnerability in the Oracle HTTP Server and the WebLogic Server Proxy Plug-in for Apache HTTP Server and Microsoft IIS. An unauthenticated attacker with HTTP access can exploit this flaw by sending crafted requests to the affected proxy components and bypass security controls. Successful exploitation can result […]
The post Imperva Customers Protected Against CVE-2026-21962 in Oracle HTTP and WebLogic appeared first on Blog.
The post Imperva Customers Protected Against CVE-2026-21962 in Oracle HTTP and WebLogic appeared first on Security Boulevard.
12Port Introduces Zero Trust Privileged Access Management (PAM) for Managed Service Providers
Enables MSPs to enhance their security offerings with a simple, scalable microsegmentation solution. …
The post 12Port Introduces Zero Trust Privileged Access Management (PAM) for Managed Service Providers appeared first on 12Port.
The post 12Port Introduces Zero Trust Privileged Access Management (PAM) for Managed Service Providers appeared first on Security Boulevard.
50 years of waiting, 10 days of flight, 6400 miles beyond the far side of the Moon. Why Artemis II is NASA's riskiest mission since 1972
Emergency Microsoft update fixes in-the-wild Office zero-day
eScan Antivirus Supply Chain Breach Delivers Signed Malware
Red Hat security advisory (AV26-053)
Why MSPs Should Add Privileged Access Management (PAM) To Their Security Offerings
It’s no surprise that the most popular managed service is security. Cybersecurity threats are a daily occurrence and continue to get more sophisticated, with identity-based attacks now the primary vector. For example, 2023 saw a 72% increase in data breaches …
The post Why MSPs Should Add Privileged Access Management (PAM) To Their Security Offerings appeared first on 12Port.
The post Why MSPs Should Add Privileged Access Management (PAM) To Their Security Offerings appeared first on Security Boulevard.