Until last year, cyber criminals were only targeting computers of individuals and organisations with ransomware and holding them for ransom, but then they started targeting unprotected online databases and servers around the globe for ransom as well.

Earlier this year, we saw notorious incidents where tens of thousands of unprotected MongoDB and Elasticsearch databases were hacked and held for ransom in exchange of the data the hackers had stolen and deleted from the poorly configured systems.

Now, cyber crooks have started targeting unprotected Hadoop Clusters and CouchDB servers as well, making the ransomware game nastier if your servers are not securely configured.

Nearly 4,500 servers with the Hadoop Distributed File System (HDFS) — the primary distributed storage used by Hadoop applications — were found exposing more than 5,000 Terabytes (5.12 Petabytes) of data, according to an analysis conducted using Shodan search engine.

This exposure is due to the same issue — HDFS-based servers, mostly Hadoop installs, haven't been properly configured.
The Hadoop Distributed File System (HDFS) is a distributed file system that is being designed to store vast data sets reliably and to stream those data sets at high bandwidth to user applications.

Like other Hadoop-related techs, HDFS has become a primary tool for managing large clusters of data and supporting big data analytics applications.

In a blog post, Shodan Founder John Matherly revealed that while the focus had been on MongoDB and Elasticsearch databases exposed on the Internet, Hadoop servers turned out to be "the real juggernaut."

Although MongoDB has over 47,800 servers exposed on the Internet that exposes 25TB of data, Hadoop has just 4,487 servers in total but exposes a considerably higher amount of data of more than 5,000TB.

Most of the Hadoop servers that expose data on the Internet are located in the United States (1,900) and China (1,426), followed by Germany (129) and South Korea (115).

A majority of the HDFS instances are hosted in the cloud with Amazon Web Services leading the charge with 1,059 instances and Alibaba with 507.

While we saw ransom attacks aimed at unprotected MongoDB and Elasticsearch databases last year, Matherly said those attacks have not been stopped and are still targeting CouchDB and Hadoop servers.
"The ransomware attacks on databases that were widely publicised earlier in the year are still happening," says Matherly. "And they're impacting both MongoDB and HDFS deployments."
Matherly has also shared all the necessary steps on how to replicate the searches on Shodan search engine that users could follow in order to conduct their own investigations.

Administrators are encouraged to configure their Hadoop servers to run them in secure mode by following the instructions provided by the company.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.