Ransomware resistance in ProvenDB

Guy Harrison
Published in ProvenDB
5 min read · Sep 14, 2021

ProvenDB has some unique features that make it more resistant to ransomware attacks than other databases.

Ransomware is malicious software that deletes or encrypts data and demands a ransom — typically in Bitcoin — in order to release the data.

Ransomware is a growing threat with implications beyond simple cybersecurity. Because ransomware attacks are so destructive, they often cause complete failure of critical systems. According to some sources, ransomware attacks increased by 148% during the pandemic. In May 2021 the DarkSide ransomware gang attacked Colonial Pipeline, supplier of roughly half the fuel on the US East Coast, causing it to shut down. Ransomware is a real threat to the health and stability of our key infrastructure.

Ransomware and MongoDB

MongoDB databases are a frequent target of ransomware attacks. This is due more to the poor initial configuration of some MongoDB servers in the cloud than to failures in the database itself, though historically early versions of MongoDB made it too easy to set up an insecure instance.

If you run a MongoDB server on the public internet with no authentication, or with weak passwords, you might connect one day to find all your data gone. You'll see something like this:

> show collections
> show dbs
READ__ME_TO_RECOVER_YOUR_DATA 0.000GB
admin 0.000GB
config 0.000GB
> use READ__ME_TO_RECOVER_YOUR_DATA
switched to db READ__ME_TO_RECOVER_YOUR_DATA
> show collections
README
> db.README.find();
{ "_id" : ObjectId("6126bff0141ae02b216bb62d"), "content" :
"All your data is a backed up. You must pay 0.02 BTC to 1Lnn7TEcDn4GHBSMNki62Fi3Jjs7dggoX8 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com or https://buy.moonpay.io/ After paying write to me in the mail with your DB IP: recmydb@mailnesia.com and you will receive a link to download your database dump."
}

The 0.02 Bitcoin demanded was worth about US$1,000 at the time of writing. So you might indeed be tempted to pay, especially if you don't have a viable backup. Unfortunately, as we'll see later, the chance that you'll get your data back is very low.
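The two settings behind the exposed-server scenario are mongod's bind address and its authorization switch. The following audit is an added example written for this article, not code from the article or from ProvenDB. It embeds a constructed mongod.conf of the kind that gets hit beside a hardened version of the same file and checks both; the option names (net.bindIp, net.bindIpAll, security.authorization) are the real mongod settings, while the paths and the private subnet address are made up.

```python
import ipaddress

# Two constructed mongod.conf fragments: the exposed one behind most MongoDB
# ransomware incidents, and the same file hardened.  Option names
# (net.bindIp, net.bindIpAll, security.authorization) are real mongod settings.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface, including the public one
# no security section: authorization is off, every client is a full admin
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.3.7   # loopback plus the private application subnet
security:
  authorization: enabled       # every connection must authenticate first
"""


def parse_conf(text):
    """Read the 'section:' / '  key: value' layout used by mongod.conf.
    Deliberately minimal (two levels, '#' comments); not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            conf[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def exposed_addresses(bind_ip):
    """Entries of a bindIp list that face a network: the wildcard, or any
    address that is neither loopback nor private.  Hostnames are skipped
    because they cannot be classified without a lookup."""
    exposed = []
    for addr in bind_ip.split(","):
        addr = addr.strip()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.is_unspecified or not (ip.is_loopback or ip.is_private):
            exposed.append(addr)
    return exposed


def audit(conf_text):
    """Return the list of findings for a mongod.conf; an empty list means
    both checks (network exposure, authorization) passed."""
    conf = parse_conf(conf_text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # mongod's own default is localhost only; bindIpAll: true overrides bindIp
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    else:
        exposed = exposed_addresses(net.get("bindIp", "localhost"))
        if exposed:
            findings.append(f"net.bindIp exposes {', '.join(exposed)} to the network")

    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: any client is a full admin")
    return findings
```

Either finding on its own is enough to put a server in the position shown in the transcript above: with authorization off, anyone who can reach the port is an administrator, and with the wildcard bind address, anyone on the internet can reach the port.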

Ransomware and ProvenDB

ProvenDB is MongoDB compatible, so it's possible that a ransomware attack could be launched against a ProvenDB database. However, ProvenDB has a number of restrictions that make the sort of attack we saw earlier ineffective. Even in the worst case, you won't lose data as a result of an attack.

ProvenDB doesn't allow unauthenticated connections, which are the main vector used by attackers, and it doesn't allow some of the destructive operations that ransomware relies upon.

In order to see whether ProvenDB was vulnerable to ransomware, I hacked together a ProvenDB instance on the public internet that could be connected to without a username and password. Typically such an unprotected database would be attacked within hours, but after more than a week the ProvenDB database had suffered no damage.

Looking at our logs, however, we could see multiple attacks. The sequence of commands we recorded looked like this:

The ransomware attack simply lists all databases on the server, attempts to drop each database it finds, then creates the ransom-note collection. Note that at no point in this sequence does the attacker read your data. There is no point paying the ransom, because the attacker has nothing from which to restore it.

In the attack we're looking at here, the attacker made no attempt to copy or encrypt the data before deleting it. It's a purely destructive attack.
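The sequence just described (list databases, drop them, create a note, never read anything) is also a usable detection signature. The detector below is an added example written for this article, not code from the article or from ProvenDB. It runs that logic over MongoDB server log lines and reports, per connection, what was dropped and whether any data was read first, which is exactly the fact that tells you paying would be pointless. The log lines are constructed for the example and approximate the layout of mongod 4.4+ structured (JSON) logging; the IP addresses, connection ids and timestamps are made up.

```python
import json
import re
from collections import defaultdict

# Constructed log lines approximating mongod 4.4+ structured (JSON) logging.
# The field layout mirrors the "Slow query" command records but is not exact;
# the IP addresses and connection ids are made up for this example.
SAMPLE_LOG = r'''
{"t":{"$date":"2021-09-01T10:12:01.120Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn17","msg":"Slow query","attr":{"type":"command","ns":"admin.$cmd","command":{"listDatabases":1},"remote":"203.0.113.45:50122","durationMillis":3}}
{"t":{"$date":"2021-09-01T10:12:01.300Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn17","msg":"Slow query","attr":{"type":"command","ns":"shop.$cmd","command":{"dropDatabase":1},"remote":"203.0.113.45:50122","durationMillis":40}}
{"t":{"$date":"2021-09-01T10:12:01.350Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn17","msg":"Slow query","attr":{"type":"command","ns":"crm.$cmd","command":{"dropDatabase":1},"remote":"203.0.113.45:50122","durationMillis":35}}
{"t":{"$date":"2021-09-01T10:12:01.400Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn17","msg":"Slow query","attr":{"type":"command","ns":"READ__ME_TO_RECOVER_YOUR_DATA.README","command":{"insert":"README","documents":[{"content":"pay 0.02 BTC ..."}]},"remote":"203.0.113.45:50122","durationMillis":2}}
{"t":{"$date":"2021-09-01T10:13:00.000Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn9","msg":"Slow query","attr":{"type":"command","ns":"shop.orders","command":{"find":"orders","filter":{"status":"open"}},"remote":"10.0.3.20:41000","durationMillis":120}}
{"t":{"$date":"2021-09-01T10:14:00.000Z"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn9","msg":"Slow query","attr":{"type":"command","ns":"scratch.$cmd","command":{"dropDatabase":1},"remote":"10.0.3.20:41000","durationMillis":5}}
'''

# Collection or database names that look like a ransom note.
RANSOM_NAME = re.compile(r"READ.?ME|RECOVER|WARNING|RESTORE|PLEASE", re.IGNORECASE)
READ_OPS = {"find", "getMore", "aggregate", "count", "distinct"}
DESTRUCTIVE_OPS = {"dropDatabase", "drop"}
WRITE_OPS = {"insert", "create"}


def parse_commands(log_text):
    """Yield one (timestamp, connection, remote_ip, op, namespace) per command record."""
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        attr = rec.get("attr", {})
        command = attr.get("command")
        if not command:
            continue                      # connection/network records carry no command
        op = next(iter(command))          # the first key of the document names the command
        remote_ip = attr["remote"].rsplit(":", 1)[0]
        yield rec["t"]["$date"], rec["ctx"], remote_ip, op, attr["ns"]


def detect(log_text):
    """Per connection, track what was dropped, whether anything was read first,
    and whether a ransom-looking namespace was written.  Alert on a connection
    that dropped something and either wrote a ransom note or never read data:
    the signature of the purely destructive attack described above."""
    sessions = defaultdict(lambda: {"remote": None, "first": None, "dropped": [],
                                    "data_read": False, "note": None})
    for ts, conn, remote_ip, op, ns in parse_commands(log_text):
        s = sessions[conn]
        s["remote"], s["first"] = remote_ip, s["first"] or ts
        if op in DESTRUCTIVE_OPS:
            s["dropped"].append(ns.split(".", 1)[0])
        elif op in READ_OPS:
            s["data_read"] = True
        elif op in WRITE_OPS and RANSOM_NAME.search(ns):
            s["note"] = ns
    alerts = []
    for conn, s in sessions.items():
        if s["dropped"] and (s["note"] or not s["data_read"]):
            alerts.append({"conn": conn, "remote": s["remote"], "first_seen": s["first"],
                           "dropped": s["dropped"], "data_read": s["data_read"],
                           "note": s["note"]})
    return alerts
```

In the sample, the connection from 10.0.3.20 also drops a database but read data first and left no note, so it is not flagged; the one from 203.0.113.45 drops two databases it never read and writes the README, and the alert records data_read as false. Point this at the mongod log (or the audit log if you run Enterprise) and the alert is what you hand to the incident responder and the SIEM.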

The attacker's IP address is shown in our logs. Looking it up, we find it's an EC2 instance running in Amazon's Ohio region:

This may be a machine started by the ransomware criminal, but it's just as likely to be a computer that has itself been compromised and enrolled in a botnet. If you use easily guessable passwords on an EC2 instance, that instance is likely to end up running the ransomware code.

Attacking ProvenDB

This attack fails against ProvenDB because we don't support dropping databases. But what if the attacker had used a different approach?

Let's say we have a ProvenDB database that contains accounts and customers collections. It would look like this:

> show collections
_provendb_collections
_provendb_currentVersion
_provendb_documentProofs
_provendb_forgetRequests
_provendb_info
_provendb_versionProofs
_provendb_versions
accounts
customers

The collections whose names start with an underscore ("_") are internal metadata collections. If someone broke into the database, following a password leak for instance, they could try something like the following code to remove the user collections and leave a ransom demand:

This would work on MongoDB: all your collections except the ransom demand would be removed. On ProvenDB it only partially works. The ransom demand is created, but our collections are all still there:

> show collections
README_TO_GET_YOUR_DATA_BACK
_provendb_collections
_provendb_currentVersion
_provendb_documentProofs
_provendb_forgetRequests
_provendb_info
_provendb_versionProofs
_provendb_versions
accounts
customers
> db.accounts.findOne();
null

Alas, the accounts collection is empty. Do we have to pay the ransom?

Fear not: in ProvenDB nothing is ever really deleted. Every update to the database creates a new version, and we just have to move to a version before the attack:

Huzzah! Our accounts data is back!

With ProvenDB you can move forwards and backwards in time and examine the state of the database as it was at that point. So even though the data is gone in the "current" version, we can easily move back to the state of the database before the attack.
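The versioning idea is easier to see in code. What follows is an added toy model written for this article, not ProvenDB's implementation and not its command syntax (the article's own commands are not reproduced here): every write commits a new immutable snapshot, a drop only empties the collection in the newest snapshot, and recovery means finding the last version in which the data was still present. The ransom_attack routine models the attacker's sequence from the earlier section (wipe every user collection, then leave a demand); the metadata collection names and the ransom-note collection name follow the listings above, and the account documents are made up.

```python
class VersionedStore:
    """Toy append-only store modelling the claim that 'nothing is ever really
    deleted'.  Each write commits a new snapshot and every earlier snapshot
    stays readable.  Illustration written for this article, not ProvenDB code."""

    INTERNAL_PREFIX = "_provendb_"

    def __init__(self):
        # version 0: an empty database holding only (constructed) metadata collections
        self._versions = [{"_provendb_versions": [], "_provendb_collections": []}]

    @property
    def current_version(self):
        return len(self._versions) - 1

    def _snapshot(self):
        # copy-on-write: the new version starts as a copy of the latest one
        return {name: list(docs) for name, docs in self._versions[-1].items()}

    def _commit(self, snap):
        self._versions.append(snap)       # old versions are never touched
        return self.current_version

    def insert(self, coll, docs):
        snap = self._snapshot()
        snap.setdefault(coll, []).extend(docs)
        return self._commit(snap)

    def drop(self, coll):
        """Mirrors the behaviour shown in the listings: the collection stays
        listed but is empty in the new version; metadata collections refuse."""
        if coll.startswith(self.INTERNAL_PREFIX):
            raise PermissionError(f"{coll} is an internal collection")
        snap = self._snapshot()
        snap[coll] = []
        return self._commit(snap)

    def collections(self, version=None):
        v = self.current_version if version is None else version
        return sorted(self._versions[v])

    def find(self, coll, version=None):
        """Read a collection as it was at `version` (default: current)."""
        v = self.current_version if version is None else version
        return list(self._versions[v].get(coll, []))


def ransom_attack(store, note):
    """The attacker's routine as described earlier: wipe every user collection,
    then leave a demand.  It never reads the data first."""
    for coll in store.collections():
        if not coll.startswith(store.INTERNAL_PREFIX):
            store.drop(coll)
    return store.insert("README_TO_GET_YOUR_DATA_BACK", [{"content": note}])


def last_good_version(store, coll):
    """Highest version in which `coll` still holds documents: the version to
    move back to after an attack.  None if the collection was always empty."""
    for v in range(store.current_version, -1, -1):
        if store.find(coll, v):
            return v
    return None


def demo():
    """Walk through the scenario from the article and return what each step saw."""
    s = VersionedStore()
    s.insert("accounts", [{"_id": 1, "balance": 100}, {"_id": 2, "balance": 250}])
    s.insert("customers", [{"_id": 1, "name": "Ada"}])
    before = s.current_version
    ransom_attack(s, "pay 0.02 BTC within 48 hours ...")
    good = last_good_version(s, "accounts")
    return {
        "before": before,                       # version just before the attack
        "after": s.current_version,             # attack added three versions
        "good": good,                           # what last_good_version recovers
        "now": s.find("accounts"),              # empty in the current version
        "restored": s.find("accounts", good),   # intact in the earlier one
        "listed": "accounts" in s.collections(),
    }
```

The point of the model is the _commit path: a drop is just another version appended to the history, so the attacker's writes can only change what the newest version shows. The practical caveat, as the article notes next, is that an earlier version is read-only, so recovery is a two-step job: identify the last good version, then have the current state reset from it.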

When you are in a previous version your database is in a read-only state. If this ever happened, ProvenDB support would be happy to reset your database and get you going again.

Conclusion

Ransomware attacks against MongoDB databases are more often the result of poor security configuration than of anything else. If you are using ProvenDB, however, you have far greater protection against them. Not only do we never destroy data when drop or delete commands are processed, we can always let you see the previous state of your database and prove the integrity of your data against digital signatures anchored to public blockchains.

With ProvenDB you are not only far less likely to be hacked, but also in a position to PROVE that you haven't been. Our blockchain signatures can cryptographically prove the origin and integrity of your data, making any attempt to tamper with, falsify or destroy it detectable.

ProvenDB uses blockchain technology to provide the world's first entirely trustworthy database. Immutable versions of database state are anchored to the blockchain, delivering an unparalleled level of data integrity. ProvenDB allows developers to build high-performance applications that include cryptographic proof of data integrity and provenance without having to understand blockchain programming complexities. Set up a free account today at ProvenDB.com.


CTO at ProvenDB.com. Author of many books on database technology. Hopeless old geek. http://guyharrison.net