
Thousands of Elasticsearch servers wiped by criminals


They say the perfect crime isn't one in which the perpetrator is never found, but rather one in which the wrong culprit takes the blame. It appears whoever is wiping unsecured Elasticsearch servers is trying to achieve just that.

According to a ZDNet report, hackers are scanning the internet for unsecured Elasticsearch servers, wiping their contents and leaving behind a single empty index called – apparently to divert blame.

So far, more than 15,000 servers have been wiped, of 34,500 Elasticsearch servers that are “directly exposed on the public internet”.

The attacks began around March 24, and there is evidence the hacker used an automated script.

Vinny Troia, the founder of Night Lion Security, gave an interview to in which he denied the company has anything to do with the incident, and explained the firm has been tracking the hacker for some time.

This is not the first time Elasticsearch data has been attacked in this manner. In the first half of 2017, “multiple hacking groups” carried out database ransom attacks against multiple types of database technology, Elasticsearch included.

In the same year, data on thousands of Elasticsearch servers was also wiped, replaced with a ransom message from the perpetrator.