€250 ( $ 275 ) for `` testing their DDoS protection systems . '' German DDoS protection firm Link11 reported attacks against DHL , Hermes , AldiTalk , Freenet , Snipes.com , the State Bureau of Investigation Lower Saxony , and the website of the state of North Rhine-Westphalia . The attackAttack.Ransomagainst DHL Germany was particularly effective as it shut down the company 's business customer portal and all APIs , prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL . `` They seem to know what to hit , '' said Daniel Smith , security researcher for Radware , and one of the persons currently keeping tabs of the attacks . The group sent emails to all the companies it targeted . In the emails , they did n't ask for a ransomAttack.Ransomto stop the attacksAttack.Ransom, but a fee for having already carried out what they called a DDoS protection test . Usually , these types of groups launch DDoS attacks and then send emails to their victims requesting for paymentsAttack.Ransomto stop the attacksAttack.Ransom. XMR Squad 's emails looked like invoices for unrequested DDoS tests . Furthermore , the ransom note did n't include payment instructions , which is weird , to say the least . DDoS ransomsAttack.Ransomare usually handled in Bitcoin or another anonymous cryptocurrency . It was strange to see the group ask for paymentAttack.Ransomin Euros , as the group 's name included the term XMR , the shortname for Monero , an anonymous cryptocurrency . While the group advertised on Twitter that their location was in Russia , a German reporter who spoke with the group via telephone said `` the caller had a slight accent , but spoke perfect German . '' To the same reporter , the group also claimed they carried out the attacks only to get public attention . The attention they got was n't the one they expected , as their hosting provider took down their website , located at xmr-squad.biz . Germany , in particular , has been the target of several DDoS blackmailers in the past year . In January and February , a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacksAttack.Ransom. Link11 , who tracked those attacksAttack.Ransom, claimed the group used a DDoS botnet built with the Mirai IoT malware and asked forAttack.Ransom5 Bitcoin ( $ 6,000 ) to stop attacksAttack.Ransom. Last year in June , another group named Kadyrovtsy also targeted German businesses , launching attacksAttack.Ransomof up to 50 Gbps . This group began DDoS ransom attacksAttack.Ransoma month earlier by first targeting Polish banks . All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective . These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide . In January 2016 , Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina . Following the arrests , both groups became inactive . After the demise of these two main groups , there was a wave of copycats [ 1 , 2 , 3 , 4 , 5 ] that used their respective reputation to extort paymentsAttack.Ransomfrom companies , in many cases without even possessing any DDoS capabilities .
A group calling itself XMR Squad has spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to payAttack.Ransom€250 ( $ 275 ) for `` testing their DDoS protection systems . '' German DDoS protection firm Link11 reported attacks against DHL , Hermes , AldiTalk , Freenet , Snipes.com , the State Bureau of Investigation Lower Saxony , and the website of the state of North Rhine-Westphalia . The attackAttack.Ransomagainst DHL Germany was particularly effective as it shut down the company 's business customer portal and all APIs , prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL . `` They seem to know what to hit , '' said Daniel Smith , security researcher for Radware , and one of the persons currently keeping tabs of the attacks . The group sent emails to all the companies it targeted . In the emails , they did n't ask for a ransomAttack.Ransomto stop the attacksAttack.Ransom, but a fee for having already carried out what they called a DDoS protection test . Usually , these types of groups launch DDoS attacks and then send emails to their victims requesting for paymentsAttack.Ransomto stop the attacksAttack.Ransom. XMR Squad 's emails looked like invoices for unrequested DDoS tests . Furthermore , the ransom note did n't include payment instructions , which is weird , to say the least . DDoS ransomsAttack.Ransomare usually handled in Bitcoin or another anonymous cryptocurrency . It was strange to see the group ask for paymentAttack.Ransomin Euros , as the group 's name included the term XMR , the shortname for Monero , an anonymous cryptocurrency . While the group advertised on Twitter that their location was in Russia , a German reporter who spoke with the group via telephone said `` the caller had a slight accent , but spoke perfect German . '' To the same reporter , the group also claimed they carried out the attacks only to get public attention . The attention they got was n't the one they expected , as their hosting provider took down their website , located at xmr-squad.biz . Germany , in particular , has been the target of several DDoS blackmailers in the past year . In January and February , a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacksAttack.Ransom. Link11 , who tracked those attacksAttack.Ransom, claimed the group used a DDoS botnet built with the Mirai IoT malware and asked forAttack.Ransom5 Bitcoin ( $ 6,000 ) to stop attacksAttack.Ransom. Last year in June , another group named Kadyrovtsy also targeted German businesses , launching attacksAttack.Ransomof up to 50 Gbps . This group began DDoS ransom attacksAttack.Ransoma month earlier by first targeting Polish banks . All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective . These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide . In January 2016 , Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina . Following the arrests , both groups became inactive . After the demise of these two main groups , there was a wave of copycats [ 1 , 2 , 3 , 4 , 5 ] that used their respective reputation to extort paymentsAttack.Ransomfrom companies , in many cases without even possessing any DDoS capabilities .
Mere days after thousands of MongoDB databases were hit by ransomware attacksAttack.Ransom, cybercriminals have set their sights on ElasticSearch servers , according to reports . Hackers have reportedly hijacked insecure servers exposedVulnerability-related.DiscoverVulnerabilityto the internet with weak and easy-to-guess passwords . ElasticSearch is a Java-based search engine , commonly used by enterprises for information cataloguing and data analysis . According to security researcher Niall Merrigan , who has been monitoring the attacksAttack.Ransom, the cybercriminals are currently closing in on around 3,000 ElasticSearch servers . Merrigan told IBTimes UK : `` We found the first one on the 12th of Jan and then started tracking the different IOCs ( Indicators Of Compromise ) . The first actor has levelled off and looks like it has stopped . However , a second and third actor have joined in and are continuing to compromise servers . `` Attackers are finding open servers where there is no authentication at all . This can be done via a number of services and tools . Unfortunately , system admins and developers have been leaving these unauthenticated systems online for a while and attackers are just picking off the low hanging fruit right now . '' The recent MongoDB attacksAttack.Ransomsaw hackers demand ransomAttack.Ransomand erasing data to ensure victims ' compliance . In the ongoing ElasticSearch attacksAttack.Ransom, the cybercriminals demand a ransomAttack.Ransomof 0.2 Bitcoins , according to a report by BleepingComputer . However , according to Merrigan , $ 20,000 in Bitcoins have already been paidAttack.Ransomby victims of the MongoDB attackAttack.Ransom. Despite paying the ransomAttack.Ransom, the victims have not received their data back . `` So in this case it is a scam , '' the researcher said .