MongoDB Hackers Demand Bitcoin Ransom From Over 26,000 Compromised Servers

Even though Bitcoin lacks all of the properties criminals should look for in an anonymous currency, it is still quite popular. The recent wave of attacks against unprotected MongoDB databases illustrates that point perfectly. All of the groups responsible for these attacks have demanded payments be made in Bitcoin. This last wave of attacks saw over 26,000 servers getting hijacked, which is an astonishing number. These types of attacks have been prominent since December of 2016.

MongoDB Attacks Continue Unabated

If something works just fine, there is no reason to fix it. Cybercriminals operate with a similar mindset; if their previous plan of attack was successful, all the more reason to keep experimenting with it. The MongoDB attacks, which started in December of last year, are still a lucrative business model for criminals nine months later. A lot of servers running such databases still are not properly protected against major attacks like these.

These types of ransom attacks against MongoDB databases only work if a database is left open for external connections. Unfortunately, there are quite a lot of such databases to be found, which can cause major problems for the companies involved. The assailants will copy the database content, wipe the original content, and replace it with a ransom demand. Considering how most companies cannot afford to lose important customer data, they are forced to pay the Bitcoin ransom as a result.

The recent wave of attacks was a joint operation by multiple hacking crews. One group in particular exposed over 22,000 MongoDB servers through an external connection. Two other groups enjoyed less of a success, although they made 3,516 and 839 victims respectively. As is to be expected, every victim is asked to make a Bitcoin payment. The ransom amounts range from 0.05 BTC to 0.2 BTC, indicating there is a lot of money to be made. Even if only 10% of the victims were to pay up, it would result in a 3,484.5 Bitcoin payday for all three hacking crews combined.

Luckily, it appears the majority of the exposed databases belong to test systems. Others contained production data and a few companies paid the ransom before realizing the criminals did not even have their data in the first place. It is unclear how much money changed hands due to these “bogus” ransom notes, though. Attacks against MongoDB databases have been ongoing for some time now, as over 45,000 databases have been wiped clean since last December. That is a very disappointing and disconcerting number.

Interestingly enough, this type of attack was virtually nonexistent as recently as this summer. With these three new groups emerging and scoring major initial successes, it is not unlikely we would see more attacks against MongoDB servers in the future. Database administrators need to properly evaluate their security settings and blacklist external connections from IP addresses not cleared by the company. It will take a bit of work to set this up properly, but it is direly needed.

These MongoDB attacks are only the latest tool in a growing arsenal of attack vectors maintained by cybercriminals these days. Malware, ransomware, data wipers, bricking tools, and database hacks are just some of the concerns security researchers have to deal with on a daily basis. Companies have to step up their security game in a big way to prevent more issues like these from happening. One cannot simply rely on security researchers in this regard, as it is due time to take matters into one’s own hands.