Ransom attack on Elasticsearch cluster?

If the cluster is open to the internet and not secured in any way, you can simply read/modify/delete the data through the REST interface. No need for scripts of any kind.
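A check an operator can run against their own nodes to see whether the REST port answers without credentials, which is the condition the answer above describes. This is an added example, not part of the original post; the function names and the sample replies are constructed for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample replies to GET / (not captured from a real cluster).
SAMPLE_OPEN = (200, b'{"name":"node-1","cluster_name":"demo",'
                    b'"version":{"number":"0.0.0"},"tagline":"You Know, for Search"}')
SAMPLE_SECURED = (401, b'{"error":{"type":"security_exception"},"status":401}')


def classify(status, body):
    """Classify the reply to an unauthenticated GET / on the HTTP port."""
    if status in (401, 403):
        return "auth-required"          # security layer rejected the request
    if status != 200:
        return "unknown"
    try:
        info = json.loads(body)
    except ValueError:                  # not JSON, so probably not Elasticsearch
        return "unknown"
    # The root endpoint of an unsecured node returns cluster metadata to anyone.
    if isinstance(info, dict) and "cluster_name" in info and "version" in info:
        return "open"
    return "unknown"


def probe(base_url, timeout=5):
    """Send one unauthenticated GET / to a node you operate and classify it."""
    url = base_url.rstrip("/") + "/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a status code
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"                # filtered, refused, or timed out


if __name__ == "__main__":
    # Usage: python check_es.py http://my-node.example:9200
    for target in sys.argv[1:]:
        print(target, probe(target))
```

A result of `open` from outside your network means the node should be bound to a private interface and have authentication enabled before anything else.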