MongoDB ransacking starts again: Hackers ransom 26,000 unsecured instances

Hackers launch a new wave of attacks on unsecured MongoDB database instances.
Written by Liam Tung, Contributing Writer

Few victims in the latest wave of MongoDB attacks have paid the ransom to regain access to their databases.

Image: MongoDB

Three groups of hackers have wiped around 26,000 MongoDB databases over the weekend and demanded victims to pay about $650 to have them restored.

The new wave of MongoDB ransom attacks marks a resurgence of the massive assault on unsecured instances of the open-source NoSQL database earlier this year. The attacks were discovered by security researchers Victor Gevers and Niall Merrigan.

The current attacks are being tracked by Gevers and fellow researcher Dylan Katz. According to the 'MongoDB ransacking' Google Docs spreadsheet that the pair are updating, one group using the address 'cru3lty@safe-mail.net' has ransacked over 22,000 MongoDB instances.

The group left the same generic message for victims. "We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored".

At today's rates, 0.15 BTC is worth about $650.

Another group using the email address 'wolsec@secmail.pro' has left its message on 3,500 wiped MongoDB databases.

"If you want to recover your data, then send 0.05 BTC to bitcoin-address and send your IP to our email. You don't want that your users/customers to know that you have a data leak, right?"

Few victims in the latest wave have paid the ransom. Cru3lty has received a total of 0.8 BTC for its efforts and is the only group to have received a payment.

Since the MongoDB attacks started in late December, victims have paid 24 bitcoin to over a dozen different groups that scan the internet for unsecured MongoDB instances and wipe vulnerable databases.

"So these attackers simply scan entire IPv4 internet for a MongoDB running on port 271017," Gevers told ZDNet. "When they detect these, they then simply try to get access it with a script that automatically deletes the database and creates a similar one with only one record holding the ransom note.

"The databases that get hacked were running with default settings and were completely exposed to the internet."

One group, called Kraken, which attacked several hundred victims in January and received 11 bitcoin, then sold their ransomware kit to other hackers, according to Gevers.

Gevers, who heads up Netherlands-based non-profit security group GDI Foundation, has now helped over 100 victims of these attacks. Despite the good work, this is a tiny fraction of more than 75,000 victims in total.

The victims who Gevers has been able to help asked him to log in into their servers remotely and even, in few cases, perform a restore or hardening.

"The most successful case was a database containing three years of leukemia patient data that was being recorded to do research for better treatment plans," he said.

MongoDB in January posted an advisory explaining how users should deploy security protections to prevent the attacks, but it appears many users have ignored this information and are paying the consequences.

According to Gevers, there are about 21,000 MongoDB unsecured instances and he estimates that 99 percent have been ransacked.

Gevers told Bleeping Computer it wasn't clear whether MongoDB users had botched a security setting or whether they were running older versions of MongoDB that don't have secure default settings.

Previous and related content

MongoDB ransacked: Now 27,000 databases hit in mass ransom attacks

Over a quarter of MongoDB databases left open to the internet have been ransacked by online extortionists.

First came mass MongoDB ransacking: Now copycat ransoms hit Elasticsearch

Hundreds of unsecured Elasticsearch servers have been wiped in the past few hours in what could be a repeat of the recent mass ransom attacks on MongoDB databases.

More on ransomware

Editorial standards