Connect with us

Hi, what are you looking for?


Data Protection

Multiple Attackers Hijacking MongoDB Databases for Ransom

The recently reported hijacking of MongoDB databases to hold their content for ransom is picking up pace as more hackers are trying to monetize the attack method, security researchers say.

The recently reported hijacking of MongoDB databases to hold their content for ransom is picking up pace as more hackers are trying to monetize the attack method, security researchers say.

Late last year, researcher Victor Gevers discovered a hijacked database that had its content stolen and replaced with one that informed owners they should pay a ransom to regain access to the content. While thought at first to be an isolated incident, the attack proved to be widespread, with thousands of databases hit within two weeks or so.

The number of hijacked MongoDB databases appears to have been growing fast over the past couple of days, and has surpassed 10,000 as of this morning, Niall Merrigan reveals. The worrying part is that there are now three hackers or groups of hackers targeting those databases.

What this attack consists of is simple: the hijackers search for MongoDB databases exposed to the Internet, access them, then steal their content and replace the database with one called WARNING. In many cases, owners are instructed to pay a 0.2 Bitcoin ransom to regain access to their content.

A quick look at information related to the Bitcoin address victims are told to make the payment to reveals that at least 17 companies already paid the ransom (although the number of received payments is larger). At least 8,600 insecure databases are believed to have been already compromised by the hacker.

Most recently, the attackers changed the email address included in the ransom note, as well as the Bitcoin address used in their attacks. Security researchers managed to track at least four such addresses associated with this group of hackers.

According to MacKeeper, one of the hijacked databases belonged to Emory Healthcare, and over 200,000 data records might have been compromised in the process. MacKeeper says it discovered the misconfigured database on Dec. 30, 2016, and found it hijacked on Jan. 3, 2017, when the team went back to review the data.

Over the past few days, however, more hackers joined the operation. One of the groups is replacing the targeted databases with one called WARNING_ALERT, while another is replacing them with one called PWNED (with a variation that provides victims with only 72 hours to pay the ransom). The former is demanding a 0.5 Bitcoin ransom and already hit over 930 databases, while the latter demand 0.15 Bitcoin and compromised over 750 databases.

Advertisement. Scroll to continue reading.

This morning, the researchers noticed a fourth group hijacking the databases, this time asking for a larger ransom: 1 Bitcoin. The group is replacing the databases with one called PLEASE_READ, and it is believed to have hit at least 13 of them so far.

According to Victor Gevers, companies should not pay the ransom, as this won’t guarantee the safe recovery of their data. In fact, he advises against paying, saying that some of the databases are being deleted, and that the crooks behind the attack can’t return the data even if the victim pays up.

“From numerous sources (log files) and reports by owners we can say that most of the attackers do not copy the data but make 3 times a connection with a duration between 5ms and 500ms which is enough to: 1. create new database; 2. write the note; 3. drop a database in this specific order. In a few cases where the owner could check outbound traffic between these times, there is no evidence of any data exfil. This means we can confirm that this actor does not have any data, so paying ransom is a bad idea,” Gevers told SecurityWeek.

What’s more, Gevers warns, is that some of the databases are overwritten multiple times, most likely because attackers are overlapping in their attacks and the same databases are being hit more than once.

With tens of thousands of insecure MongoDB databases exposed to the Internet, it appears to be only a matter of time before the attack escalates further. For the time being, the hackers appear focused on compromising only those databases that might bring them a profit, but Gevers says that more and more victims are contacting him for help.

In a blog post on Friday, MongoDB’s Andreas Nilsson shared details on security best practices and steps that can be taken to secure MongoDB instances against attacks. 

“We take security very seriously, and urge users to take adequate steps to secure their data,” Ian Bruce, VP Corporate Marketing and Communications at MondoDB, told SecurityWeek.

Related: MongoDB Databases Actively Hijacked for Extortion

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...