MongoDB databases still being held for ransom, two years after attacks started

New hacker groups that hold MongoDB databases for ransom have been spotted last month.
Written by Catalin Cimpanu, Contributor

Two years after hacker groups began ransacking MongoDB databases and requesting ransom payments, the practice is still very much alive, ZDNet has learned this week.

While the original hacker groups who started this trend have stopped after a few months, new ones have constantly joined in on the attacks over the past few years, only to discover that the practice isn't as lucrative as they might have hoped, and later, dropping out after failing to make any profits.

This trend of ransom attacks targeting MongoDB servers first began in December 2016, when hackers realized they could extort payments from companies that had left their MongoDB databases exposed on the internet.

At the time, there were roughly 60,000 MongoDB databases left exposed online, so attackers had plenty of targets to choose from.

During the first wave of attacks, hackers downloaded data to their systems, deleted the data on the company's server, and left a note behind asking for a ransom in exchange for the data.

Hackers quickly realized that there was far too much data to save locally, and within weeks began deleting data from servers outright, but still leaving ransom notes, hoping to trick a victim into paying a ransom fee for data the hackers never had.

The first hacker group (or lone hacker, still unknown) who engaged in this practice went by the name of Harak1r1, but many others joined the attacks, which hit their peak in the first half of 2017.

The attacks became known as the MongoDB Apocalypse, with hackers ransacking over 28,000 servers in just two months at the start of 2017.

Hackers also diversified, and from MongoDB, they expanded to target other exposed systems, such as ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers.

Dutch security researcher Victor Gevers has been one of the security researchers who tracked the MongoDB ransom attacks since the get-go. For the past two years, he's continued to track these hacker groups and their attacks in a Google Docs file he set up back in early 2017.

In an interview earlier this week, Gevers told ZDNet that the attacks were still ongoing. Only over the course of last month, Gevers says he spotted three new hacker groups.

These three new players managed to ransack nearly 3,000 MongoDB databases, operating based on the same technique as the initial attacks --connecting to databases left without a password, deleting data, and leaving a ransom note behind.

Gevers told ZDNet that these groups are "more clumsy" than past hackers. "Most of the time they forget to delete the database," Gevers said. Maybe that why two of them didn't make any money from their ransom demands, while the third barely gathered $200 in its respective Bitcoin address.

"It's clear someone sold a toolkit as each attack looks like the same as others," Gevers said. "Only the email, Bitcoin address, and ransom note differ."

Back in 2017, Davi Ottenheimer, Senior Director of Product Security at MongoDB, Inc., blamed the attacks --and rightfully so-- on database owners who failed to set a password for their admin accounts.

Things don't seem to have changed much since then. Gevers says these recent attacks have hit all versions of MongoDB, even the new ones, meaning the problems with users failing to set up an admin password have continued.

"I do see that owners are creating more MongoDB users (as they should) but locking down it entirely is still challenging for a few," Gevers said.

The MongoDB guide from 2017 on security databases from ransom attacks is still the first place to go for server owners looking to improve their security posture.

Data leaks: The most common sources

More security coverage:

Editorial standards