
12,564 Unsecured MongoDB Databases Deleted by Attackers

A total of 12,564 unsecured MongoDB databases have been deleted in the course of three weeks. A message is left after the deletion prompting databases’ owners to get in touch with the hackers to have the data restored.

Thousands of MongoDB Databases Deleted

The attacks were discovered and reported by independent security researcher Sanyam Jain. The researcher believes that the hacker(s) behind the attacks are most likely charging money in cryptocurrency, with the sum being bigger or smaller depending on the sensitivity of the database.

The researcher spotted the attacks on April 24, when he first came across a wiped MongoDB database that contained not the usual huge amounts of leaked data but the following note: “Restore ? Contact : unistellar@yandex.com”.

Related: MongoDB Ransomware Attacks Misconfigured Servers (https://sensorstechforum.com/mongodb-ransomware-attacks-misconfigured-servers/)

In other words, the hackers were leaving ransom notes asking the victims to contact them via email in case they want their data restored. The email addresses provided included unistellar@hotmail.com and unistellar@yandex.com.

Since no other details, such as an exact ransom amount, were given, it is very likely that the hackers are open to negotiating the terms of data recovery.

This is not the first time MongoDB databases have been attacked this way. In 2017, at least 28,000 misconfigured MongoDB databases fell victim to hacker attacks. The attacks were possible because the servers were accessible via the Internet. The compromised servers were also misconfigured or prone to vulnerability exploits (due to unpatched flaws).

Related: Mongo Lock Ransomware Deletes Vulnerable MongoDB Databases (https://sensorstechforum.com/mongodb-virus-attacks/)

Then, in 2018, MongoDB databases were at risk of the so-called MongoLock ransomware. Bob Diachenko, the security researcher who first discovered the malicious campaign, shared that attackers would connect to an unprotected database and simply erase it. A new database called “Warning” with a collection inside it named “Readme” would be left in place of the old database. The Readme collection contained the ransom message, which claimed that the database had been encrypted and that the victims needed to pay for restoration.

The MongoLock attack also didn’t ask for a specific amount of money and left email addresses for the victims to get in touch with its operators.
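For administrators checking their own servers, the sketch below flags the two artifacts described above: the MongoLock "Warning"/"Readme" layout and a "Restore ? Contact :" note. It is an added example, not code from the article or the researchers; the snapshot shape, the function names and the sample data are constructed assumptions, and the snapshot is a plain dictionary so the check runs offline.

```python
import re

# Note wording quoted in the article: "Restore ? Contact : <email>".
NOTE_RE = re.compile(r"restore\s*\?\s*contact\s*:\s*\S+@\S+", re.IGNORECASE)


def strings_in(value):
    """Yield every string (keys included) nested anywhere in a document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for key, inner in value.items():
            yield str(key)
            yield from strings_in(inner)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from strings_in(item)


def find_ransom_artifacts(snapshot):
    """snapshot: {db_name: {collection_name: [documents]}} (assumed shape).

    Returns a sorted list of (db, collection, reason) findings."""
    findings = []
    for db, collections in snapshot.items():
        for coll, docs in collections.items():
            # MongoLock layout: database "Warning" holding collection "Readme".
            if db.lower() == "warning" and coll.lower() == "readme":
                findings.append((db, coll, "mongolock-layout"))
            # Contact note: look in the names and in every document string.
            candidates = [db, coll, *strings_in(docs)]
            if any(NOTE_RE.search(text) for text in candidates):
                findings.append((db, coll, "contact-note"))
    return sorted(findings)


# Constructed sample snapshot (not real data).
SAMPLE = {
    "shop": {"orders": [{"_id": 1, "note": "restore from backup on Friday"}]},
    "Warning": {"Readme": [{"message": "Your database was encrypted"}]},
    "crm": {"note": [{"msg": "Restore ? Contact : unistellar@yandex.com"}]},
}

if __name__ == "__main__":
    for finding in find_ransom_artifacts(SAMPLE):
        print(finding)
```

A finding means the instance was reachable and writable without authentication at some point, so the follow-up is to restore from backup, enable access control and stop exposing the port to the Internet.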

Milena Dimitrova
