Tuesday September 01, 2020 |Notes

Database breach with bitcoin ransom demand

In the shadows of digital commerce, digital crime has grown at a steady pace, including with the recent surge in digital commerce. As data becomes increasingly vital to businesses, it's also become a larger target. This morning, one of our own projects was subject to a database breach with a bitcoin ransom demand and the options are bleak, even for a not-yet-live project.

A report published in May by Ecommerce Times found digital fraud grew at over 120 percent in the first few months of the year. In this case, fraud consisted of "scams, spams, and fake reviews":

Coronavirus has affected virtually every business, and cybercrime is no different as it is a business -- a big one, according to Brendan O'Connor, CEO and co-founder of AppOmni. "It is estimated that global cybercrime revenues exceed US$1 trillion annually. In challenging times like these, businesses must adapt," O'Connor told the E-Commerce Times. Cybercriminals are capable of adapting quickly, and that is what they have done with coronavirus, he added. With people around the world staying home and maintaining social distance, there has been a huge increase in both remote work and e-commerce.

In our case, the database was targeted in a similar manner to past attacks on databases using MySQL, MongoDB and others. All tables were dropped leaving no data behind besides one new table titled WARNING that included the message below, along with a token key.

To recover your lost databases and avoid leaking it: visit http://hn4wg4o6s5nc7763.onion and enter your unique token c1b2e9dd0914894e and pay the required amount of Bitcoin to get it back. Databases that we have: [NAMES OF DATABASES]. Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise. To access this site you have use the tor browser

After a review of the access and server logs, no other traces were found and it appears all actions takes were deleted from the history.

The Tor link delivered me to a input box where the token could be entered to check if a backup was available. Initially my token search yielded no results, and a message suggested trying back later. After a few hours, it was updated with results, showing the name and size of each database, along with the IP address of the server. This sounds quite similar to database attacks earlier this year, including the ransom demand for 0.06 Bitcoin, specifically

It remains unclear who the thieves are, but apparently they targeted unsecured or ill-secured servers that can be found on the public web. They copied the stores’ SQL databases and now demand a ransom of 0.06 bitcoin (some US$537 at today’s rate) within 10 days on pain of publishing or using the data as they see fit.

The attackers also offer unspecified proof, which one might assume is a sample of the data. Some of the shops may have taken them up on their word, since the hackers’ BTC wallets have recently recorded transactions amounting to 5.8 bitcoin (approximately US$52,000).

Speaking of which, paying the ransom to a cybercriminal may prove to be a leap of faith, since you have no way of knowing if they won’t sell your data onwards even if they return it. Ransomware victims may face a similar conundrum, as discussed in this article.

In our case, the data isn't personal or sensitive information of any kind. It's all public information and is largely worthless to anyone else. For our project, there's enormous value because it's both non-recoverable historical data, and it's cleaned and structured in such a way that it would be extremely time-consuming to replicated.

Retrieving a stolen database back via a bitcoin ransom payment takes a leap of faith. There's no telling if the database will actually be available, and if it were sensitive information, even less assuredness that it wouldn't be redistributed. If data requires meticulous work to collect, organize and serve, put the commensurate effort into protecting and backing up the data. Scams certainly will rise when there is opportunity, including in the digital realm.