Hackers Actively Compromising Databases Using Legitimate Commands


A sophisticated new breed of ransomware attacks is leveraging legitimate database commands to compromise organizations worldwide, bypassing traditional security measures through “malware-less” operations.

Unlike conventional ransomware that encrypts files using malicious binaries, threat actors are exploiting exposed database services by abusing standard database functionality to steal, wipe, and ransom critical data.

The attack methodology represents a significant evolution in cybercriminal tactics, with attackers targeting Internet-facing database servers configured with weak passwords or no authentication.

This malicious activity has been observed across multiple database platforms, including MySQL, PostgreSQL, MongoDB, Hadoop, CouchDB, and Elasticsearch. Attackers connect remotely to these servers, copy data to external locations, execute destructive commands to wipe databases, and leave ransom notes stored directly within the compromised database structures.

This approach has proven particularly effective at evading detection because no malicious binary is ever deployed on the target system.

The damage is accomplished entirely through legitimate database commands, making it difficult for conventional endpoint security solutions to identify the compromise.

The ransom tactic has evolved from isolated incidents into full-scale automated campaigns, with specialized bots continuously scanning the Internet for misconfigured databases.

Wiz.io researchers identified that these attacks have grown exponentially since their initial observation in February 2017, when researchers from Rapid7 first documented thousands of open databases being hijacked in bulk operations.

Today’s threat actors operate sophisticated automated systems capable of compromising newly exposed targets within hours, or even minutes, of their coming online.

The ease of automation and the potential for immediate profit have made malware-less database ransomware a persistent and growing threat to organizations globally.

Attack Execution and Command Exploitation

The technical execution of these attacks follows a methodical approach that maximizes both stealth and effectiveness.

Attackers begin operations with Internet-wide scanning for exposed database ports, specifically targeting port 3306 for MySQL and port 5432 for PostgreSQL servers.

Ransom note (Source – Wiz.io)

Once potential targets are identified, they employ fingerprinting techniques to confirm the services are genuine database servers rather than honeypots or other decoy systems.

Authentication bypass represents a critical phase where attackers test for missing authentication controls, attempt default username and password combinations, and execute brute-force attacks against weak credentials.

Upon successful authentication, the attack proceeds with data extraction where attackers sample small portions of data to assess value and confirm database access.

The destructive phase uses legitimate SQL commands such as DROP DATABASE for complete database removal or bulk DELETE operations to systematically erase data.

In relational databases like PostgreSQL, attackers create new tables with names such as RECOVER_YOUR_DATA or README_TO_RECOVER and insert ransom notes as table rows.

For NoSQL databases like MongoDB, the process involves creating new collections with indicative names and inserting ransom notes as documents.

A captured MongoDB session demonstrates the attack progression: mongosh "mongodb://target:27017/" followed by database enumeration commands like show dbs to identify valuable targets.

The ransom note insertion typically contains messages such as “All your data is backed up. You must pay 0.043 BTC to recover it. After 48 hours expiration we will leak and expose all your data.” These legitimate database operations make detection challenging, as the commands appear as normal administrative activities to monitoring systems.
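The wipe-then-note sequence described above is exactly what a defender can hunt for in database statement logs. The detector below is an added example, not code from Wiz.io or from the article: it groups constructed PostgreSQL statement-log lines by session and flags only sessions in which a destructive statement (DROP DATABASE, TRUNCATE, or a DELETE with no WHERE clause) is followed by a ransom-style table name or ransom wording, so a routine scoped DELETE by an administrator is not alerted on. The log line layout and the use of the backend pid as the session key are assumptions.

```python
import re
from collections import defaultdict

# Constructed PostgreSQL statement log (log_statement = 'all'); the line
# layout and the use of the backend pid as a session key are assumptions.
SAMPLE_LOG = """\
2024-05-01 02:13:07 UTC [4711] app@inventory LOG:  statement: SELECT * FROM orders LIMIT 20;
2024-05-01 02:13:09 UTC [4711] app@inventory LOG:  statement: DROP DATABASE inventory_old;
2024-05-01 02:13:10 UTC [4711] app@inventory LOG:  statement: DELETE FROM orders;
2024-05-01 02:13:11 UTC [4711] app@inventory LOG:  statement: CREATE TABLE README_TO_RECOVER (note text);
2024-05-01 02:13:12 UTC [4711] app@inventory LOG:  statement: INSERT INTO README_TO_RECOVER VALUES ('All your data is backed up. You must pay 0.043 BTC to recover it.');
2024-05-01 02:20:00 UTC [4802] admin@inventory LOG:  statement: DELETE FROM sessions WHERE expires_at < now();
2024-05-01 02:20:01 UTC [4802] admin@inventory LOG:  statement: CREATE TABLE audit_2024 (id int);
"""

LINE_RE = re.compile(r"\[(?P<pid>\d+)\] \S+ LOG:\s+statement: (?P<sql>.*)$")
# Wipe: DROP/TRUNCATE, or a DELETE with no WHERE clause (whole-table erase).
DESTRUCTIVE = re.compile(
    r"^\s*(DROP\s+(DATABASE|TABLE)|TRUNCATE\b|DELETE\s+FROM\s+\w+\s*;?\s*$)", re.I)
# Note artifacts: ransom-style table names and ransom wording in inserts.
RANSOM_OBJECT = re.compile(r'^\s*CREATE\s+TABLE\s+"?\w*(RECOVER|README|RESTORE)', re.I)
RANSOM_TEXT = re.compile(r"\bBTC\b|bitcoin|backed up|leak", re.I)

def parse_statements(log_text):
    """Group logged SQL statements by backend pid (one pid = one client session)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            sessions[m.group("pid")].append(m.group("sql").strip())
    return sessions

def detect_ransom_sessions(log_text):
    """Return {pid: findings} for sessions that wipe data and then leave a ransom note."""
    # A note artifact only counts after a destructive statement in the same session.
    alerts = {}
    for pid, stmts in parse_statements(log_text).items():
        findings, wiped = [], False
        for sql in stmts:
            if DESTRUCTIVE.match(sql):
                wiped = True
                findings.append("destructive: " + sql)
            elif wiped and RANSOM_OBJECT.match(sql):
                findings.append("ransom table: " + sql)
            elif wiped and RANSOM_TEXT.search(sql):
                findings.append("ransom text: " + sql)
        if any(f.startswith("ransom") for f in findings):
            alerts[pid] = findings
    return alerts
```

Feeding the sample log to detect_ransom_sessions flags session 4711 with four findings and leaves the administrator's scoped cleanup in session 4802 alone; the same sequence check applies to MongoDB audit logs once statements are grouped by connection.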


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.