Ransomware Attacks Using Legitimate Commands To Steal Data
October 22, 2025
An article by Tushar Subhra Dutta in Cyber Security News describes a class of ransomware attacks in which attackers exploit legitimate database functionality to steal, erase, and hold data for ransom without installing any malware.
These attacks target Internet-facing database services that lack robust authentication. Because they rely on legitimate commands rather than malware, they can bypass traditional endpoint security measures that look for malicious binaries.
The article says the technique has evolved from isolated incidents into automated campaigns. Researchers referenced in the article report activity dating back to 2017, noting that recent actors have employed continuous internet-wide scanning, service fingerprinting, and credential-guessing techniques to access vulnerable targets across multiple database platforms.
The method of technical execution outlined in the article follows a clear sequence: scanning for exposed ports, confirming genuine database services, attempting authentication bypasses, sampling data to assess value, and then executing legitimate administrative commands to extract or destroy information.
Ransomware attackers commonly create new tables or collections named with recovery-themed labels and insert ransom messages within the database itself rather than dropping executable payloads on hosts.
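The sequence above leaves a trace in database audit logs even though nothing is installed on the host. The following Python example, added here and not taken from the article, flags a client that drops data and then creates a recovery-themed object shortly afterward; the event format, the name pattern, the 30-minute window, and the sample events are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed pattern for "recovery-themed" names; the article lists no specific names.
NOTE_NAME = re.compile(r"(recover|restore|read.?me|warning)", re.I)
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed audit events: (ISO time, client address, action, object name).
SAMPLE_EVENTS = [
    ("2025-10-20T03:10:02", "203.0.113.7", "login", ""),
    ("2025-10-20T03:10:09", "203.0.113.7", "read", "shop.customers"),
    ("2025-10-20T03:11:40", "203.0.113.7", "drop", "shop.customers"),
    ("2025-10-20T03:11:41", "203.0.113.7", "drop", "shop.orders"),
    ("2025-10-20T03:11:43", "203.0.113.7", "create", "shop.README_TO_RECOVER"),
    ("2025-10-20T03:11:44", "203.0.113.7", "insert", "shop.README_TO_RECOVER"),
    ("2025-10-20T09:00:00", "10.0.0.5", "drop", "shop.tmp_import"),
    ("2025-10-20T09:00:05", "10.0.0.5", "create", "shop.tmp_import"),
    ("2025-10-20T11:00:00", "10.0.0.8", "create", "ops.restore_test"),
]

def find_wipe_and_note(events, window=WINDOW):
    """Return one finding per recovery-themed object created by a client
    that dropped data within `window` before the creation."""
    drops = defaultdict(list)  # client -> [(time, object)]
    findings = []
    for ts, client, action, obj in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "drop":
            drops[client].append((when, obj))
        elif action == "create" and NOTE_NAME.search(obj.split(".")[-1]):
            # A themed name alone is weak evidence; require preceding drops.
            recent = [o for t, o in drops[client] if when - t <= window]
            if recent:
                findings.append({"client": client, "note_object": obj,
                                 "dropped": recent, "at": ts})
    return findings

if __name__ == "__main__":
    for f in find_wipe_and_note(SAMPLE_EVENTS):
        print(f"{f['at']} {f['client']} dropped {f['dropped']} "
              f"then created {f['note_object']}")
```

Requiring both the drop and the themed name keeps routine maintenance (the `tmp_import` rebuild) and legitimate restore tests (`ops.restore_test`) out of the findings.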
For attorneys advising clients on their cybersecurity obligations, the article suggests several pressing tasks: determining whether notification duties under contract or regulation are triggered; prioritizing the preservation of logs and system images to support forensic investigations and potential litigation; and evaluating contractual indemnities and cyber-insurance coverage.
Early coordination with insurers and regulators can inform disclosure timing and content, while preserving positions in the event of litigation. Contracts should be reviewed for breach indemnities. Parties that are impacted need to assess their notification obligations and potential exposure to damage.