A total of 12,564 unsecured MongoDB databases have been deleted over the course of three weeks. After each deletion a message is left behind prompting the database's owners to get in touch with the attackers to have their data restored.
Thousands of MongoDB Databases Deleted
The attacks were discovered and reported by independent security researcher Sanyam Jain. He believes that the hacker(s) behind them most likely demand payment in cryptocurrency, with the sum varying according to the sensitivity of the database.
The researcher first spotted the attacks on April 24, when he came across a wiped MongoDB database which, instead of the usual large volume of exposed data, contained only the following note: “Restore ? Contact : firstname.lastname@example.org”.
In other words, the hackers were leaving ransom notes asking the victims to contact them by email if they wanted their data restored. The email addresses provided included email@example.com and firstname.lastname@example.org.
Since no other details were given, such as an exact ransom amount, it is very likely that the hackers are open to negotiating the terms of data recovery.
This is not the first time MongoDB databases have been attacked this way. In 2017, at least 28,000 misconfigured MongoDB databases fell victim to such attacks. The attacks were possible because the servers were reachable directly from the Internet; the compromised servers were also misconfigured or exposed to exploitation through unpatched flaws.
Then, in 2018, MongoDB databases were targeted by the so-called MongoLock ransomware. Bob Diachenko, the security researcher who first discovered the campaign, explained that the attackers would connect to an unprotected database and simply erase it, leaving in its place a new database called “Warning” containing a collection named “Readme”. The Readme collection held the ransom message, which claimed that the database had been encrypted and that the victims had to pay to have it restored, even though the data had in fact simply been wiped.
Like the current campaign, the MongoLock attack did not name a specific ransom amount and left only email addresses for the victims to contact its operators.
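Both campaigns leave the same two traces: a database whose only remaining content is a "contact us to restore" note, and (for MongoLock) the "Warning"/"Readme" layout. The following detector is an added example, not code from the article or from the researchers it cites. It scans an inventory shaped like the output of pymongo's `list_database_names()` / `list_collection_names()` / `find()` and flags both patterns. The e-mail regex, the keyword list and the sample inventory are assumptions constructed for the example; the wiper behaviour it looks for is the one the article describes.

```python
"""Offline detector for MongoDB wiper ransom notes.

Added example; not code from the article or the researchers it cites.
Flags (1) the MongoLock layout, a database named "Warning" holding a
"Readme" collection, and (2) any document whose string fields read like a
ransom note, e.g. "Restore ? Contact : <email>", wherever it is stored.
"""
import re
from typing import Any, Dict, Iterator, List

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Words that appear in the notes the article quotes, plus common ransom
# vocabulary; matched case-insensitively. Assumed list, not from the article.
NOTE_KEYWORDS = ("restore", "contact", "encrypted", "pay", "bitcoin", "btc")

Inventory = Dict[str, Dict[str, List[Dict[str, Any]]]]


def _string_values(doc: Any) -> Iterator[str]:
    """Yield every string inside a document, descending into nested dicts and lists."""
    stack = [doc]
    while stack:
        item = stack.pop()
        if isinstance(item, str):
            yield item
        elif isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, (list, tuple)):
            stack.extend(item)


def _emails_in(doc: Any) -> List[str]:
    """Sorted, de-duplicated contact addresses found anywhere in a document."""
    found = {m.rstrip(".") for text in _string_values(doc) for m in EMAIL_RE.findall(text)}
    return sorted(found)


def looks_like_ransom_note(doc: Any) -> bool:
    """Heuristic: some string field carries both an e-mail address and a
    restore/pay keyword. Requiring both in the same field keeps ordinary
    records (a user's e-mail next to an unrelated remark) from matching."""
    for text in _string_values(doc):
        lowered = text.lower()
        if EMAIL_RE.search(text) and any(k in lowered for k in NOTE_KEYWORDS):
            return True
    return False


def find_ransom_notes(inventory: Inventory) -> List[Dict[str, Any]]:
    """One finding per collection that holds a ransom note or that matches
    the MongoLock "Warning"/"Readme" layout (flagged even if it is empty)."""
    findings = []
    for db_name, collections in inventory.items():
        for coll_name, docs in collections.items():
            layout_hit = db_name == "Warning" and coll_name == "Readme"
            note_docs = [d for d in docs if looks_like_ransom_note(d)]
            if not layout_hit and not note_docs:
                continue
            emails = sorted({e for d in note_docs for e in _emails_in(d)})
            findings.append({
                "db": db_name,
                "collection": coll_name,
                "indicator": "mongolock-layout" if layout_hit else "ransom-note-text",
                "emails": emails,
            })
    return findings


def collect_inventory(client: Any, max_docs: int = 20) -> Inventory:
    """Build an inventory from a live pymongo MongoClient (or any object
    exposing the same three methods). Only the first max_docs documents of
    each collection are read: after a wipe the note is usually the only
    document left, and a healthy collection need not be pulled in full."""
    inventory: Inventory = {}
    for db_name in client.list_database_names():
        db = client[db_name]
        inventory[db_name] = {}
        for coll_name in db.list_collection_names():
            inventory[db_name][coll_name] = list(db[coll_name].find().limit(max_docs))
    return inventory


# Constructed sample: one MongoLock-style leftover, one wiped database holding
# a note of the kind quoted in the article, and one untouched database.
SAMPLE_INVENTORY: Inventory = {
    "Warning": {
        "Readme": [{"_id": 1, "info": "Your database has been encrypted. To restore it, contact: ops@example.org"}],
    },
    "customers": {
        "backup": [{"_id": 1, "msg": "Restore ? Contact : firstname.lastname@example.org"}],
    },
    "orders": {
        "users": [{"_id": 7, "email": "alice@example.com", "note": "Please contact me about the order."}],
    },
}


if __name__ == "__main__":
    for f in find_ransom_notes(SAMPLE_INVENTORY):
        print(f"{f['db']}.{f['collection']}: {f['indicator']} emails={f['emails']}")
```

Run against a live instance with `find_ransom_notes(collect_inventory(pymongo.MongoClient(uri)))`. This is after-the-fact detection only: by the time the note is present the data is gone, and the note's claim that it was "encrypted" says nothing about whether the attackers kept a copy. The preventive fix for the exposure both campaigns relied on is in mongod.conf: set `security.authorization: enabled` and restrict `net.bindIp` so the listener is not reachable from the public Internet.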