Huge spike in ransomed MongoDB installs, doubled to over 27,000 in a day

The number of MongoDB installs that have been erased and replaced with a ransom demand more than doubled in a day to 27,000.

In the span of a day, the number of MongoDB installations that were erased and replaced with ransom notes has more than doubled, spiking to 27,000 as more cyber thugs jump on the ransom bandwagon.

[Image: 27k MongoDB held for ransom. Credit: Niall Merrigan]

It started last week when security researcher Victor Gevers discovered that about 200 MongoDB databases had been erased and held for ransom. By Tuesday, 2,000 databases were affected; the number climbed to 10,500 by Friday and kept climbing. Then the count of ransomed databases jumped from 12,000 to 27,000, according to security researcher Niall Merrigan.

[Image: 93TB of MongoDB databases wiped and held for ransom. Credit: Niall Merrigan]

As news of ransomed MongoDB installations circulated, more and more copycat attackers jumped into the game. At this point, there are at least a dozen groups involved in wiping databases or holding them for ransom. The ransom amount has also been rising, from the initial 0.2 BTC demanded by a hacker going by Harak1r1 to 1 BTC by the attacker “kraken0.”

Merrigan and Gevers have been tracking the attackers, group names, email addresses used, bitcoin wallets, attacker IPs, name of the replaced database, ransom notes and the number of victims. The spreadsheet is available for anyone to view.

[Image: MongoDB ransom spreadsheet. Credit: Niall Merrigan & Victor Gevers]

Kraken0 is the most active attacker, having wiped 15,972 databases and demanding one bitcoin to return the data. Other ransom demands include 0.2 BTC, 0.5 BTC, 0.15 BTC and 0.25 BTC, with three attackers demanding 1 BTC. There is no guarantee that the databases are being copied before they are deleted, so paying the ransom does not mean the data will be returned.

On Friday, Merrigan told Bleeping Computer, “Right now it's bedlam; attackers are deleting each other's ransoms as quick as they pop up. It's a very interesting case, and it's like watching a gold rush at this point.”

He believes more attack groups will join the MongoDB “gold rush.” The attacks are automated, so at this rate, it is likely that attackers won’t stop until all 99,491 unprotected MongoDB databases have been wiped and held for ransom.

Last week, Andreas Nilsson, MongoDB’s director of product security, reacted to the ransom attacks by publishing a list of steps that admins can take to secure their MongoDB databases, as well as steps to diagnose and respond to attacks. The attacks are preventable; if the database is not secured and does get wiped, it can still be restored as long as a recent backup is available. “If you don’t have a backup or are otherwise unable to restore the data, unfortunately your data may be permanently lost.”
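The two settings behind the word “unprotected” in this story are an instance that listens on every network interface and one that runs with no access control. As an added example (not the article's own, and not MongoDB's published checklist), the Python script below reads a mongod.conf, flags both conditions, and shows the weak configuration beside the corrected one. The keys net.bindIp, net.bindIpAll and security.authorization are real mongod options; the two sample config files are constructed for this example, and the tiny YAML reader is the example's own, handling only the flat section/key layout that mongod.conf uses.

```python
"""Audit a mongod.conf for the two settings that left the ransomed installs
exposed: listening on all interfaces and running without authorization.
Added example; the sample configs are constructed, not taken from any site."""


def parse_mongod_conf(text):
    """Minimal reader for mongod.conf's two-level 'section:\\n  key: value'
    layout. Assumption: no nested lists or deeper mappings are present."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")  # first colon only,
        if not sep:                                     # so IPv6 values survive
            continue
        value = value.strip().strip('"').strip("'")
        if indent == 0:
            section = key
            conf[section] = value if value else {}
        elif section is not None and isinstance(conf.get(section), dict):
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []

    # Assumption: an absent bindIp is counted as "all interfaces", the
    # server's own default when the key is not set in the builds of the time.
    bind_ip = net.get("bindIp", "0.0.0.0")
    addrs = {a.strip() for a in bind_ip.split(",")}
    if net.get("bindIpAll", "").lower() == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp: mongod listens on every interface; "
                        "bind to loopback or a private address")

    # Authorization is off unless explicitly enabled; with it off, any client
    # that can reach the port can drop every database, which is what happened.
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: access control is off; "
                        "create an admin user, then set it to 'enabled'")
    return findings


# Constructed sample: the shape of config that left the wiped installs exposed.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere that can route to the host
# no security section: authorization is off, every connection is an admin
"""

# Constructed sample: the same instance with both settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,::1  # local clients only; use a private address for app hosts
security:
  authorization: enabled # every client must authenticate
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against /etc/mongod.conf on a host you administer. Binding to loopback alone does not fit an instance that application servers must reach over the network; there the fix is authorization plus a firewall rule limiting the port to those hosts. In either case, a tested backup kept off the server is what separates a wiped database that becomes an outage from one that becomes a permanent loss, which is the point of the MongoDB guidance quoted above.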

According to the spreadsheet, the total number of victims at the time of publishing this article was 28,247. So far, Gevers and Merrigan have helped 112 victims.

Copyright © 2017 IDG Communications, Inc.
