
Database ransomware threatens core enterprise data, exposing massive financial risk and highlighting urgent gaps in authentication practices across popular data platforms.
The surge of database ransomware marks a shift from traditional file‑level extortion to targeting the very engines that store mission‑critical information. By harvesting ransom notes and deploying internet‑exposed honeypots, the researchers captured a granular view of attacker tactics, from credential stuffing to automated data wiping. This approach not only quantifies the scale—over 60,000 servers compromised—but also reveals a rapid infection cycle, with honeypots breached in under 14 hours, underscoring the speed at which threat actors can weaponize unsecured databases.
A striking finding is the disparity in authentication hygiene between database platforms. Elasticsearch clusters exhibited weak or absent authentication two orders of magnitude more frequently than MySQL instances, largely due to delayed adoption of newer, secure releases. This gap leaves easy targets that attackers can scan, infiltrate, and encrypt with minimal effort. Organizations relying on search‑oriented databases must prioritize patch management, enforce strong credential policies, and consider zero‑trust network segmentation to mitigate exposure.
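As an added illustration of the authentication gap described above (not code from the study), the following audit flags the two conditions that combine into exposure, disabled authentication and a listener reachable beyond loopback, in an `elasticsearch.yml` and a `my.cnf`. The function names, sample configurations and the version-dependent defaults noted in the comments are assumptions made for this example.

```python
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}
NO_AUTH, EXPOSED = "authentication disabled", "reachable beyond loopback"

def audit_elasticsearch(text, major_version):
    """Audit flat 'dotted.key: value' settings from an elasticsearch.yml."""
    s = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            s[key.strip()] = value.strip().strip("\"'").lower()
    findings = []
    enabled = s.get("xpack.security.enabled")
    # Assumption: security defaults to on from 8.0 and to off before that.
    if enabled == "false" or (enabled is None and major_version < 8):
        findings.append(NO_AUTH)
    if s.get("network.host", "_local_") not in LOOPBACK:
        findings.append(EXPOSED)
    return findings

def audit_mysql(text):
    """Audit the [mysqld] section of a my.cnf."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(text)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL accepts '-' and '_' interchangeably in option names.
        opts = {k.replace("_", "-"): v for k, v in cp["mysqld"].items()}
    findings = []
    off = ("0", "off", "false")
    if "skip-grant-tables" in opts and str(opts["skip-grant-tables"]).lower() not in off:
        findings.append(NO_AUTH)
    # Assumption: with no bind-address set, mysqld listens on all interfaces.
    if opts.get("bind-address", "*") not in LOOPBACK:
        findings.append(EXPOSED)
    return findings

# Constructed sample configurations (not taken from the study).
WEAK_ES = "network.host: 0.0.0.0\nxpack.security.enabled: false\n"
HARD_ES = "network.host: _site_\nxpack.security.enabled: true\n"
WEAK_MY = "[mysqld]\nskip-grant-tables\nbind-address = 0.0.0.0\n"
HARD_MY = "[mysqld]\nbind-address = 127.0.0.1\n"

if __name__ == "__main__":
    print("es weak:", audit_elasticsearch(WEAK_ES, 7))
    print("es hardened:", audit_elasticsearch(HARD_ES, 8))
    print("mysql weak:", audit_mysql(WEAK_MY))
    print("mysql hardened:", audit_mysql(HARD_MY))
```

A configuration file cannot reveal weak or reused passwords, so this check covers only absent authentication and network reach.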
Attribution analysis clustered ransom notes and blockchain footprints, exposing 32 active groups and pinpointing a dominant actor responsible for the bulk of financial damage. Links to a nation‑state and a prior Git repository compromise suggest a hybrid motive of profit and espionage. The study’s revenue estimates, derived from Bitcoin transactions, highlight the lucrative nature of database ransomware, prompting security teams to integrate proactive threat hunting, continuous monitoring, and incident response playbooks tailored to database environments. As attackers refine their methods, the industry must elevate database security from an afterthought to a core component of cyber‑risk management.