Security Experts:

33,000 Databases Fall in MongoDB Massacre

Nearly 33,000 MongoDB databases have been hijacked as of today, the latest numbers associated with a series of attack campaigns that have been picking up pace over the past couple of weeks show.

What started as a seemingly isolated incident in December turned out to be a massacre targeting insecure, Internet exposed MongoDB databases worldwide. Now, multiple actors are attempting to cash in on organizations’ failure to properly secure their web-based databases.

Initially, a single hacker was observed hijacking MongoDB databases, stealing their content, and holding it for ransom. The actor was asking for a 0.2 Bitcoin ransom, and tens of organizations paid it within the first two weeks alone.

Soon after the initial round of attacks made it to the headlines at the beginning of the year, things escalated as more hackers decided to join the campaign. Currently, MongoDB databases are being attacked by nearly two dozen hackers, and the pace at which databases have been hacked has increased dramatically.

Within days, tens of thousands of MongoDB databases fell to the massacre, as the number rose from only 10,000 on Friday to nearly 33,000 as of this morning. According to a tweet from Cap Gemini’s Niall Merrigan, the system database names are no longer at the top of the stats, as the ransomed database name managed to climb to the leading position on Tuesday.

These attacks are easy to perform because the exposed databases can be discovered using online tools, and installations aren’t secured by default. In fact, while other databases require some form of credentials and are local installations, MongoDB databases are exposed to the Internet right from the start and require no credentials whatsoever.

Ethical hacker Victor Gevers, who was the first to discover the attack, told SecurityWeek that some companies in fact fail to secure their databases even after they’ve been hacked. “But do not underestimate how unwise some organizations respond when they find out their database was stolen. They remove the note and just restore the database, but leave the server still open,” he said.

Dubbed “MongoDB ransack,” the campaign is closely monitored by Merrigan and Gevers. The latter has been long searching for insecure databases to warn companies of the risk they pose. However, many of his responsible disclosures remained unanswered, with 138 of last year’s reports suffering such a fate.

More recently, attackers began looking to cash in on the hype surrounding the campaign, and one of them decided to sell the software used for hijacking the databases. The tool is called Kraken Mongodb ransomware, and its C# source code is offered for only $200 in Bitcoin.

One of the effects of this entire campaign is that the amount of data stored in MongoDB databases has decreased significantly over the past weeks. According to Morrigan, 114.5 Terabytes of data was lost in less than three days as a result of these attacks.

In fact, the security researchers monitoring the situation have already warned that most of the attackers are no longer holding the databases for ransom, but are simply deleting them and pretending they still have the data.

In some cases, the same database is hit multiple times, as the attackers are going for the same pool of targets, meaning that organizations could end up paying the ransom to the wrong attacker. Victims should not only refrain from paying the ransom, but should also ask for “proof-of-life” when contacting the attackers, to ensure their data still exists.

As long as an organization has the proper network monitoring tools in place, it is possible to tell whether the database has been copied or deleted, Gevers says. This, however, requires matching tracked outbound traffic with the number of simultaneous connections in the log file and the duration of these connections. This allows researchers to estimate how much data was exfiltrated.

There are over 50,000 publicly accessible MongoDB databases on the Internet at the moment, and it might not be too long before all of those that haven’t been properly secured are hijacked. According to Gevers, all of the insecure databases could be ransacked in a couple of weeks, maybe even faster.

As it turns out, one of the MongoDB databases hit in the ongoing ransack belongs to the Princeton University, yet it’s uncertain whether it would be able to recover the data or not. According to, which discovered the attack, the University hasn’t commented on the incident as of now, and there’s no info on what kind of information the affected database included.

While he wouldn’t name any of the affected organizations that asked for help so far, Gevers did confirm once again that they are from various industries, including IP, healthcare, online gambling, financial services, trading, and travel/booking. Many online services were also hit in the attack, the researcher said.

In the meantime, organizations with MongoDB databases are advised to take the proper steps to secure their installations and ensure they don’t fall victim to this attack. Last week, MongoDB published a blog post providing details on how admins can secure the databases.

Related: Multiple Attackers Hijacking MongoDB Databases for Ransom

view counter