FairWare ransomware infects servers through exposed Redis instances

Attackers exploit Redis configurations to add an unauthorized SSH key for the root account

Days after reports that a new ransomware attack was deleting files from web servers, security researchers determined that some of the affected servers were hacked through insecure deployments of the Redis database.

Over the past week, reports popped up on support forums about web servers being wiped clean and hosting a ransom note through which attackers offered to return the deleted files in exchange for two bitcoins (around US$1,150). Experts from tech support forum BleepingComputer.com dubbed the new threat FairWare.

On Wednesday, researchers from security firm Duo Security reported a similar attack against servers that hosted publicly accessible Redis databases.

Attackers took advantage of insecure-by-default Redis configurations to replace the server's root SSH key and take it over. They then used the newly gained access to delete several directories, including the root web directory where websites are stored, and left behind a ransom note.

Redis is an open source in-memory data structure store that can be used as a database, cache, and message broker. Its developers warn that "Redis is designed to be accessed by trusted clients inside trusted environments" and that "usually it is not a good idea to expose the Redis instance directly to the internet."

This warning hasn't stopped web server administrators from exposing some 18,000 Redis installations directly to the Internet, therefore putting web servers at risk. Thirteen thousand of those Redis installations show signs of being affected by this new pseudo-ransomware attack, according to the Duo Security researchers.

More precisely, Duo's scans revealed that around 13,000 Redis databases had a record called "crackit" that contained a public SSH key as the associated value. By modifying the Redis configuration, attackers tricked the software to replace the SSH authentication key for the root account on the server.

Even though the attackers claim in the ransom note that the files have been encrypted, this is most likely not true. The Duo Security researchers set up a honeypot server with an insecure Redis deployment and waited for it to be hacked.

They then monitored what commands attackers executed on the server after connecting with the rogue SSH key. All of the observed commands were to delete various directories and to generate the ransom note.

"The note suggests that files have been encrypted and sent to a remote server, but we saw no indications of this happening," the researchers said in a blog post. "This attack looks to rely on fear to try and get people to pay for files that no longer exist."

The ransom note observed by the Duo researchers was different than the one accompanying the initial FairWare reports. However, BleepingComputer.com founder Lawrence Abrams was able to confirm that Redis was installed on the severs of several FairWare victims and that the same "crackit" key with the same email address was present in the data stores.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?