Fairware ransomware attack on Redis databases

Valentine (Member)
edited May 2017 in General Discussions

Redis is a popular open source key/value data store that makes access to data fast. To do this, Redis keeps a copy of data in memory to provide speed and on disk (this is important) to prevent data from being lost if Redis is restarted.

In a nutshell, this attack is performed by:
  • Sending a CONFIG command telling Redis to store key/values on disk in the “/root/.ssh/authorized_keys” file
  • Setting a key/value pair with the value being a public SSH key
  • The attacker can now log into the Redis instance via SSH as the root user

How to protect your Redis

The simplest way to prevent attackers from compromising Redis instances is to avoid exposing them to the Internet. However, if you must have Redis externally exposed, there are a few things you can do to lock it down:
  • Set up an AUTH password - Users can configure a password that is required for all connections to the Redis instance. When setting this up, ensure the password is complex, since attackers can easily brute force shorter passwords.
  • Rename or Disable the CONFIG command - It is possible to rename the CONFIG command to something unguessable or disable it altogether. If the command isn’t needed, we highly recommend disabling it.
Finally, like any software exposed to the Internet, it is critical to keep Redis up to date. Version 3.2.0 of Redis added a feature called protected mode. This mode prevents Redis instances from being accidentally deployed with an insecure configuration (binding to all interfaces with no password), which can help prevent a compromise from occurring.
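
The hardening steps above can be checked against a redis.conf file. The following is an added example, not part of the original post: the function names, finding labels and the 32-character password threshold are assumptions, while `requirepass`, `rename-command`, `bind` and `protected-mode` are the standard redis.conf directives, and both sample configs are constructed.

```python
import shlex

MIN_PASSWORD_LEN = 32          # assumed threshold for this example, not a Redis setting
LOOPBACK = {"127.0.0.1", "::1"}

def parse_conf(text):
    """Parse redis.conf-style text into (directive, args) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)      # handles quoted values such as ""
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit(text):
    """Return a list of findings for the hardening steps described in the post."""
    conf = parse_conf(text)
    last = {d: a for d, a in conf}         # a later directive overrides an earlier one
    findings = []
    password = (last.get("requirepass") or [""])[0]
    if not password:
        findings.append("no-auth-password")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("short-auth-password")
    # rename-command CONFIG "" disables the command; any other new name hides it
    renamed = {a[0].upper() for d, a in conf if d == "rename-command" and len(a) == 2}
    if "CONFIG" not in renamed:
        findings.append("config-command-enabled")
    # With no bind directive Redis listens on every interface
    addrs = [x.lstrip("-") for x in last.get("bind", [])]
    if not addrs or any(x not in LOOPBACK for x in addrs):
        findings.append("listens-beyond-loopback")
    if (last.get("protected-mode") or ["yes"])[0].lower() == "no":
        findings.append("protected-mode-disabled")
    return findings

# Constructed sample configs: an exposed instance and a locked-down one
WEAK = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED = ('bind 127.0.0.1 -::1\nprotected-mode yes\n'
            'requirepass "constructed-example-passphrase-0123456789"\n'
            'rename-command CONFIG ""\n')

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```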