Duo Labs: Over 18,000 Redis instances targeted by fake ransomware


Redis is a popular open source key/value data store that makes access to data fast. To do this, Redis keeps a copy of the data in memory for speed and also writes it to disk (this is important) so that data is not lost if Redis is restarted.

Companies use Redis to store and retrieve data quickly and easily. Redis is intended to be used in trusted environments, and so it ships with a permissive security configuration, which is fine unless you put it directly on the Internet. That said, one of the fundamental laws of the Internet of Things is that if it can talk on a network, someone will put it on the Internet.

The issue is that we see many devices running Redis that are exposed to the Internet, which goes against the recommendations made by the Redis developers. Exposing Redis directly to the Internet allows attackers to view or modify the stored data. Even more importantly, attackers are able to remotely configure the Redis instance, which can lead to a complete compromise of the device.
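As an added defensive check (my own code, not from Duo Labs' post or from the Redis project): a small Python script that parses a `redis.conf` and flags the settings that leave an instance exposed in the way described above, with a permissive sample beside a hardened one. Both configs are constructed samples, the password value is a placeholder, and the list of commands to disable is one I chose, not a list from the page.

```python
"""
Audit a redis.conf for settings that leave an instance exposed.

Added example: the two configurations below are constructed samples,
not captured from any real host.
"""
from typing import Dict, List

# Constructed sample: the kind of permissive config that lets any client
# that can reach port 6379 read, write and reconfigure the instance.
WEAK_CONF = """
# Redis configuration (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so no authentication is required
# requirepass changeme
"""

# Constructed hardened counterpart: loopback only, protected mode on,
# a password, and the administrative commands disabled (empty rename).
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <strong-password-placeholder>
rename-command CONFIG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command DEBUG ""
"""

# Commands an Internet-exposed instance should not leave reachable
# (my selection for this example).
DANGEROUS_COMMANDS = {"CONFIG", "FLUSHALL", "FLUSHDB", "DEBUG"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse redis.conf directives into {directive: [args...]}.

    Redis only treats whole lines starting with '#' as comments, so a
    '#' inside a value (e.g. a password) is preserved. A later directive
    overrides an earlier one, except rename-command, which accumulates
    the names of the commands being renamed.
    """
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "rename-command":
            conf.setdefault(key, []).extend(args[:1])
        else:
            conf[key] = args
    return conf


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    conf = parse_conf(text)
    findings: List[str] = []

    # With no bind directive Redis listens on every interface.
    binds = conf.get("bind", [])
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("listens on all interfaces (missing bind, or bind 0.0.0.0)")

    # protected-mode (Redis 3.2+) blocks unauthenticated remote clients;
    # only an explicit 'no' is flagged, since older versions lack the option.
    pm = conf.get("protected-mode")
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode explicitly disabled")

    if not conf.get("requirepass"):
        findings.append("no requirepass: any client that can reach the port has full access")

    renamed = {c.upper() for c in conf.get("rename-command", [])}
    exposed = sorted(DANGEROUS_COMMANDS - renamed)
    if exposed:
        findings.append("administrative commands not renamed or disabled: " + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for f in audit(text) or ["no findings"]:
            print("  -", f)
```

Run it against a real `redis.conf` by passing the file contents to `audit()`; the weak sample produces four findings and the hardened one none. Binding to loopback (or a private interface) and setting `requirepass` address the exposure the page describes; disabling `CONFIG` removes the remote reconfiguration path entirely.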

Duo Labs set out to measure how many Redis instances were exposed to the Internet and potentially vulnerable to attacks. Here is a brief summary of their findings:

  • There are over 18k Redis instances exposed to the Internet, a vast majority of which are running an out-of-date version of Redis
  • We found automated attacks scanning the Internet trying to compromise devices running Redis with fake ransomware
  • Evidence of these attacks was found on 13k (72%) of the hosts running Redis, indicating that the hosts could be compromised
  • After setting up a honeypot to catch attackers, we recorded an attempted attack in just hours

Learn more in today’s blog from Duo Labs’ Jordan Wright.