Over the past two weeks, there has been a spate of attacks on misconfigured MongoDB databases with the attackers wiping data and issuing Bitcoin ransom demands to return the contents of stolen databases.
The attacks started on or around December 27, 2016, with a single malicious actor, who goes by the handle Harak1r1, believed to have been targeting organizations running unprotected MongoDB databases. By January 6, 2017, that individual had attacked 13 companies.
However, as news spread of the number of unprotected databases in use, the attacks started to soar. More individuals have now got in on the act, and there are now believed to be between 13 and 15 actors involved in the attacks.
In the past few days, the number of companies affected has gone from hundreds to tens of thousands. Attacks are being tracked by two security researchers, Niall Merrigan and Victor Gevers, the latter having discovered the first attacks in December. As of January 11, more than 32,000 companies have been attacked. Professional ransomware groups are now believed to be involved; one of those groups – kraken0 – has attacked more than 21,000 companies.
Ransomware attacks involve installing malicious software on a server or computer and encrypting files. Ransomware attacks do not usually involve any exfiltration of data. Ransom demands are issued and a key to decrypt data is supplied when the ransom payment is made. These attacks are different. Databases are stolen and the victim’s copy is deleted.
The attacks on misconfigured MongoDB databases are possible because the databases have inadvertently been left open and accessible over the Internet. No usernames or passwords are required to access them; attackers only need to scan for the databases, access them, steal the contents, and delete the data tables. A ransom demand is then placed in a new database created on the server. The databases have been named WARNING by one attacker, PWNED by another, or PLEASE_READ, to name but a few. Opening the databases reveals the ransom demand.
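The two conditions the paragraph describes, a listener reachable from the Internet and no authentication, are both visible in the server's configuration file. The following audit script is an added example and is not code from the article or from the researchers it cites; the two mongod.conf snippets are constructed to show the exposed setting beside the corrected one, and the parser covers only the two-level section/key subset of YAML that mongod.conf normally uses.

```python
"""Audit a mongod.conf for the exposure behind the ransom attacks:
a listener on a non-loopback interface combined with authorization off.
Added example with constructed sample configs; not from any real deployment."""

import ipaddress

# Constructed: an exposed configuration of the kind the attacks relied on.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same instance limited to localhost with authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML used by mongod.conf.
    Not a general YAML parser: no lists, no quoting, no deeper nesting."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        value = value.strip()
        if indent == 0:
            section = key
            conf.setdefault(section, {})
            if value:                              # top-level scalar, e.g. 'systemLog: ...'
                conf[section] = value
        else:
            if section is None or not isinstance(conf[section], dict):
                raise ValueError(f"indented key outside a section: {raw!r}")
            conf[section][key] = value
    return conf


def audit(conf):
    """Return human-readable findings. An empty list means the instance neither
    listens on a non-loopback interface nor runs without authorization."""
    findings = []
    net = conf.get("net", {})
    if not isinstance(net, dict) or "bindIp" not in net:
        # Before MongoDB 3.6 the binary listened on all interfaces unless told otherwise.
        findings.append("net.bindIp not set: pre-3.6 builds listen on all interfaces by default")
    else:
        for addr in (a.strip() for a in net["bindIp"].split(",")):
            if addr == "localhost":
                continue
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"net.bindIp contains hostname {addr!r}: verify what it resolves to")
                continue
            if not ip.is_loopback:
                findings.append(f"net.bindIp {addr} accepts connections from non-loopback interfaces")
    security = conf.get("security", {})
    if not isinstance(security, dict) or security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can connect has full access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

Run against a real configuration, the script only reads the file, so it is safe to use on a production host; a non-empty result for the bindIp check together with the authorization check is exactly the state that let attackers connect, copy and drop databases with no credentials.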
The attacks on misconfigured MongoDB databases typically involve ransom demands of 0.2 Bitcoin ($175) to have data returned, although each actor involved has set their own payment amount. The lowest is currently 0.1 Bitcoin ($87) and the highest 1 Bitcoin ($876).
Unfortunately for the victims, there is a catch. Paying the ransom demand will not ensure data are returned. Gevers noted in a recent tweet that only one of the actors involved – Harak1r1 – is believed to be copying databases. As of January 11, Harak1r1 has attacked just 2,500 of the 32,000 organizations affected. An attack by one of the other players involves the deletion of data and the issuing of a ransom demand. Payment will not result in data being returned.
Merrigan notes that any errors made when exfiltrating the data, of which he has noticed many, may prevent data from being returned. Companies with exposed databases may simply lose all of their data. Merrigan suggests that individuals who have been attacked check their access logs to find out what has happened to their data before paying the ransom. Gevers has suggested there are more than 99,000 companies exposed to this kind of attack.
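Merrigan's advice to check the access logs before paying can be turned into a small triage step: attribute each destructive operation in the mongod log to the connection that issued it, and hence to a source address. The script below is an added example, not code from the article or the researchers; the sample log is constructed to follow the shape of a MongoDB 3.x server log (timestamp, severity, component, `[connN]` context, message), and the "trusted" address ranges are an assumption to be replaced with the organisation's own.

```python
"""Triage a mongod log: which external addresses connected, and which
databases or collections each of them dropped. Added example; the log
lines are constructed in the shape of MongoDB 3.x server output."""

import ipaddress
import re
from collections import defaultdict

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2017-01-05T02:14:07.001+0000 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:40122 #7 (1 connection now open)
2017-01-05T02:15:31.118+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.77:51834 #8 (2 connections now open)
2017-01-05T02:15:31.902+0000 I COMMAND  [conn8] dropDatabase customers starting
2017-01-05T02:15:32.040+0000 I COMMAND  [conn8] dropDatabase customers finished
2017-01-05T02:15:32.511+0000 I COMMAND  [conn8] CMD: drop orders.invoices
2017-01-05T02:15:33.007+0000 I NETWORK  [conn8] end connection 203.0.113.77:51834 (1 connection now open)
2017-01-05T02:20:00.000+0000 I NETWORK  [conn7] end connection 127.0.0.1:40122 (0 connections now open)
"""

# <timestamp> <severity> <component> [<context>] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>[A-Z]) (?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
# Ties a connection number to its remote address; IPv6 appears in brackets.
ACCEPT_RE = re.compile(r"connection accepted from (?P<ip>\[[^\]]+\]|[^:]+):\d+ #(?P<id>\d+)")
# Destructive operations worth attributing: whole-database and per-collection drops.
DESTRUCTIVE_RE = re.compile(r"^(?:dropDatabase (?P<db>\S+) starting|CMD: drop (?P<ns>\S+))")

# Assumed trusted ranges: loopback plus RFC 1918 space. Replace with your own.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip.strip("[]"))
    return any(addr in net for net in TRUSTED)


def triage(log_text):
    """Return external source addresses and, per source address, the list of
    (timestamp, dropped database or namespace) it issued."""
    conn_ip = {}                    # 'conn8' -> '203.0.113.77'
    drops = defaultdict(list)       # source ip -> [(ts, target), ...]
    external = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not follow the log shape
        ts, ctx, msg = m["ts"], m["ctx"], m["msg"]
        accepted = ACCEPT_RE.search(msg)
        if accepted:
            conn_ip["conn" + accepted["id"]] = accepted["ip"]
            if not is_trusted(accepted["ip"]):
                external.add(accepted["ip"])
            continue
        destructive = DESTRUCTIVE_RE.match(msg)
        if destructive and ctx in conn_ip:
            target = destructive["db"] or destructive["ns"]
            drops[conn_ip[ctx]].append((ts, target))
    return {"external_sources": sorted(external), "destructive_ops": dict(drops)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("external sources:", result["external_sources"])
    for ip, ops in result["destructive_ops"].items():
        for ts, target in ops:
            print(f"{ts} {ip} dropped {target}")
```

Drops attributed to an address outside the trusted ranges confirm that data was destroyed by an outside party; whether anything was read first cannot be settled from drop events alone, which is why a log with no prior read or dump activity from the same connection weighs against paying.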