A Shodan scan revealed over 1,000 vulnerable Elasticsearch databases that could be targeted by ransomware attacks. The scan identified the global distribution of these databases by IP address. Further analysis identified that many of the vulnerable databases were hosted by small internet service providers. Three hackers may have been responsible for ransomware attacks that left messages containing Bitcoin IDs in over 900 databases that remained online.