ZDNet reports that ransom notes have appeared in 22,900 MongoDB databases that were exposed to the internet without a password. In total, an unknown ransomware operator has hit approximately 47% of all MongoDB databases accessible online.
In the attacks, the hacker uses an automated script to find misconfigured databases, wipes their contents, and leaves a note demanding a ransom of 0.015 bitcoin (approximately 140 US dollars).
The attacker gives victims two days to pay; otherwise he threatens to "leak" the allegedly stolen data publicly and to contact the regulatory authorities, reporting the victim's violation of the General Data Protection Regulation (GDPR).
The publication notes that attacks using the same ransom note (a file named READ_ME_TO_RECOVER_YOUR_DATA) had already been observed by researchers in April 2020.
GDI Foundation researcher Victor Gevers told reporters that at first these attacks did not delete the victims' data: the attacker simply connected to the exposed database and left a ransom note, then returned a few days later to drop another copy of the same note.
Now the attacker appears to have noticed a mistake in his script, and as of this week the script completely wipes the contents of every MongoDB database it hits.
Victor Gevers, who as part of his work at the GDI Foundation regularly notifies companies about exposed servers, says he has already found a number of wiped MongoDB databases among those whose owners he was planning to notify.
“Today I could report only one data leak. Usually I send from 5 to 10 notifications (per day),” says the expert.
Unfortunately, such attacks are nothing new. Back in 2016, hackers were so active against vulnerable MongoDB installations that they even drew the attention of the database's developers. Alas, three years later practically nothing has changed: at the beginning of 2017 about 60,000 MongoDB servers could be found on the network accessible to anyone; now there are about 48,000 of them, and on most of them authentication is simply disabled.
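The two misconfigurations behind this whole campaign are a mongod that listens on every interface and a mongod that never enforces authentication (which is MongoDB's default). The following audit script is an added example written for this article, not code from ZDNet, the GDI Foundation or the MongoDB project: it parses the small indentation-based subset of YAML that a mongod.conf uses and flags the real settings `net.bindIp`, `net.bindIpAll` and `security.authorization`. The two configuration files inside it are constructed samples, and the hand-written parser is deliberately minimal (no lists, anchors or multi-line values).

```python
"""Audit a mongod.conf for the two settings whose absence leaves an instance
open to automated wipe-and-ransom scripts: listening on all interfaces and
running without authorization (mongod's default).

Added example for this article; the option names are real MongoDB settings,
the parser only covers the simple mapping subset that mongod.conf uses.
"""

# Addresses that make mongod listen on every interface.
EXPOSED_ADDRS = {"0.0.0.0", "::"}


def parse_simple_yaml(text):
    """Parse nested mappings with scalar leaves (indentation-based).

    Enough for a typical mongod.conf; not a general YAML parser.
    Comments (#) and the '---' document marker are ignored.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() == "---":
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        # Close every section that is indented at least as deep as this line.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither issue is present."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    security = cfg.get("security", {})
    findings = []

    # net.bindIp may hold a comma-separated list of addresses.
    addrs = [a.strip() for a in str(net.get("bindIp", "")).split(",") if a.strip()]
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    exposed = bind_all or any(a in EXPOSED_ADDRS for a in addrs)
    if exposed:
        findings.append("net: mongod listens on all interfaces (bindIp/bindIpAll)")

    # security.authorization defaults to disabled when the key is absent.
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': clients need no credentials")

    if exposed and len(findings) == 2:
        findings.append("CRITICAL: reachable from the network AND unauthenticated")
    return findings


# Constructed sample: the shape of config the campaign above preys on.
WEAK_CONF = """
# exposed and unauthenticated (constructed example)
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: local-only listener with authorization enforced.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Running the script prints three findings for the weak sample and none for the hardened one. In practice this check belongs in a config-management pipeline or a pre-deployment test, next to a firewall rule that only allows the application hosts to reach port 27017.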