Online databases dropping like flies, with >10k falling to ransomware groups

Poorly secured MongoDB installations deleted and held for ransom


More than 10,000 website databases have been taken hostage in recent days by attackers who are demanding hefty ransoms for the data to be restored, a security researcher said Friday.

The affected data is created and stored by the open source MongoDB database application, according to researchers who have been tracking the ongoing attacks all week. On Monday, Victor Gevers, co-founder of the GDI Foundation, reported finding 200 such databases that had been deleted. By Tuesday, John Matherly, founder of the Shodan search engine, had increased the estimate to 2,000 databases, and by Friday, fellow researcher Niall Merrigan updated the count to 10,500.

Misconfigured MongoDB databases have long exposed user password data and other sensitive information, with the 2015 breach of scareware provider MacKeeper that exposed data for 13 million users being just one example. With the surge in ransomware-style attacks—which threaten to permanently delete or encrypt data unless owners pay a fee—hacks targeting MongoDB are seeing a resurgence. Many poorly secured MongoDB databases can be pinpointed using Shodan, which currently shows 99,000 vulnerable instances.

When the ransom-style attacks targeting MongoDB databases first came to light, they were mostly carried out by someone using the online handle Harak1r1. The individual or group was deleting vulnerable databases and promising to restore them if owners paid around $200 in Bitcoin. Over time, other attackers have taken part in similar attacks, in some cases replacing a rival’s ransom demand with one of their own. A list of the best-known attackers is here. In all, the attackers have compromised about 10,500 databases. Promises to restore the databases in return for a ransom payment are dubious, since there’s no evidence the attackers copied the data before deleting it.

MongoDB maintainers have responded to the reports with a blog post explaining how to detect and respond to attacks. People who administer websites that use MongoDB should ensure they’re avoiding common pitfalls by, among other things, blocking access to port 27017 or binding local IP addresses to limit access to servers.
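The two configuration settings behind that advice are `net.bindIp` (which interfaces mongod listens on) and `security.authorization` (whether clients need credentials at all). The script below is an added example, not code from the article or from MongoDB's own blog post or tooling: it reads a mongod.conf, using a deliberately minimal parser for the two-level YAML subset that file uses, and reports when the server is bound to a wildcard address or runs without authorization. The two config texts are constructed samples; the script assumes, as MongoDB documents, that a missing `security.authorization` means it is disabled.

```python
# Added example (not from the article or from MongoDB): audit a mongod.conf for
# the two settings the hardening advice maps to, net.bindIp and
# security.authorization. The config texts are constructed samples.

WEAK_CONF = """\
# constructed sample: the shape of a config that ends up reachable from anywhere
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: loopback only, authentication required
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that make mongod listen on every interface.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_mongod_conf(text):
    """Parse the ``section:`` / ``  key: value`` subset of YAML that mongod.conf
    uses. Returns {section: {key: value}} with string values. Minimal on
    purpose; it is not a general YAML parser."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):           # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of finding strings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []

    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp is not set; set it explicitly to the "
                        "loopback or internal address the app servers use")
    else:
        addrs = [a.strip() for a in bind_ip.split(",")]
        exposed = [a for a in addrs if a in WILDCARD_ADDRS]
        if exposed:
            findings.append("net.bindIp includes %s: mongod listens on every "
                            "interface, including public ones" % ", ".join(exposed))

    # security.authorization defaults to disabled when absent.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append("security.authorization is %r: any client that can "
                        "reach port %s has full read/write/drop access"
                        % (auth, conf.get("net", {}).get("port", "27017")))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Run it against a real `/etc/mongod.conf` by reading the file into `audit_mongod_conf`. The other half of the advice, blocking port 27017 at the network edge, is not visible in this file; that has to be confirmed with the host or cloud firewall configuration.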

Promoted Comments

Abhi Beckert Ars Praefectus

SymmetricChaos wrote:

While it doesn’t stop information from being leaked, do so few organizations have backups of their databases that taking them hostage is seriously a viable strategy?

The databases are often being updated millions of times per day.

Keeping an up to date backup of that is expensive – you need an entire second database in a different city and systems to write to both whenever the main one changes.

Also your backup needs to be accessible over the Internet to be kept up to date, and these are companies who don’t understand basic security practices. What’s stopping a hacker from also killing the backup?

Usually they will have backups of the hard drive, but they won’t be very good – recent data is stored in RAM, not on disk, and restoring can involve days of downtime and not all data will be restored – you might lose a few minutes or even an entire day of customer data.

Dilbert Ars Legatus Legionis

Happy Stance wrote:

I don’t know if this is specific to MongoDB (it looks like it is), but what happens if Amazon or MS Azure or Google’s get ransomed en masse? Is this a new trend in ransom-ware? Why, after so many years, is the Internet still so insecure?

Because putting something up on the internet is deceptively easy. Making it show up online as one wishes, and serve users, is easy. Doing that correctly is very hard.

Put it another way, there’s a thousand ways to spin up an online service. There’s only a few ways to do it correctly.