Thousands of MongoDB databases wiped; replaced with ransom note

Security, Password, Password Security, Database Security, Cyber Security, Cognitive Security

In what can be pegged as one of the largest global attacks on MongoDB databases to date, over 28,000 databases have been wiped clean and replaced with a ransom note, security researchers have revealed.

The hack is the result of poor configuration: MongoDB instances were left reachable from the Internet with no authentication enabled, so anyone who could connect to them could read or drop their contents. The first reports emerged at the beginning of this month, when Victor Gevers of the GDI Foundation found that around 200 databases had been wiped clean and replaced by a ransom note. The number of compromised databases grew rapidly over just a couple of days, reaching some 10,000 on January 6, and within the next four days there were reports of over 28,000 databases wiped clean.

Initial ransom demands were for 0.2 BTC (roughly $200 at the time); however, other hackers have since jumped on the bandwagon, overwriting the original ransom note with their own and demanding as much as 1 BTC (~$1,000) for the return of the data. Affected organisations that kept no backups of their databases have ended up paying, and in some cases have still not received their data days after shelling out the ransom. According to security researchers, this indicates that rival groups are also attacking servers that were already compromised: the later note replaces the earlier one, so the group that gets paid is not necessarily the group that took the data, leaving organisations without their data and without their money.

Researcher Niall Merrigan, a solutions architect at the consulting firm Capgemini, has been working with Gevers, and the two maintain a Google Drive document tracking how widespread the attack is. According to the latest information from Brian Krebs, Merrigan says that at least 29,000 MongoDB databases that were previously exposed online have now been erased.

Gevers says that the attack isn't like the traditional ransomware attacks seen on desktops or servers: the data is not encrypted but removed completely and replaced with a ransom note. This means there is no way of knowing whether the attackers will actually return the data after the ransom is paid, and even if they do, there is no guarantee that the information stored in those databases won't be sold off to the highest bidder, leaving the door open to further extortion.

There is no software patch to apply here: the root cause is configuration, not a defect in MongoDB itself, and MongoDB has responded with guidance rather than an update. Given that many server administrators are not aware of that guidance, or even of the incident, more databases are likely to be wiped. MongoDB has published a security checklist advising administrators how to secure an installation, and has also described how to prevent and recover from such an attack; the key points are enabling access control, binding mongod only to the interfaces that need to reach it, and keeping backups so that a wiped database can be restored without paying.
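The two settings that decided whether a server ended up on the wiped list are net.bindIp and security.authorization. The script below is an added example, not code from the article or from MongoDB Inc.: it audits a mongod.conf (YAML format) for the exposure described above, using two constructed sample configs, one resembling the servers that were wiped and one with the checklist settings applied. The parser handles only the two-level "section: key: value" subset that mongod.conf uses and is not a general YAML parser.

```python
"""Audit a mongod.conf for the exposure behind the wipe-and-ransom attacks:
a mongod reachable on every interface with no authentication.
Added example, not code from the article or from MongoDB Inc.
The sample configs below are constructed, not taken from any real host."""

# Constructed sample: the kind of config found on the wiped servers.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
# no security section: no authentication at all
"""

# Constructed sample: the settings the MongoDB security checklist asks for.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal interface
security:
  authorization: enabled
"""

# Addresses that make mongod listen on all interfaces.
WILDCARD_BINDS = {'0.0.0.0', '::', '0.0.0.0/0'}


def parse_conf(text):
    """Parse the 'section:\\n  key: value' subset used by mongod.conf into
    a dict of dicts. Comments and blank lines are ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw.startswith(' '):
            # Top-level key such as 'net:' opens a new section.
            section = line.rstrip(':').strip()
            conf[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(':')
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings for the given mongod.conf text.
    An empty list means the config passes both checks."""
    conf = parse_conf(text)
    net = conf.get('net', {})
    sec = conf.get('security', {})
    findings = []

    bind = net.get('bindIp')
    if bind is None:
        # Before MongoDB 3.6 the mongod binary itself defaulted to all
        # interfaces when bindIp was absent, so a missing key is a finding.
        findings.append('net.bindIp not set: older mongod builds listen on '
                        'all interfaces by default')
    else:
        addrs = {a.strip() for a in bind.split(',')}
        if addrs & WILDCARD_BINDS:
            findings.append(f'net.bindIp {bind!r} exposes mongod on every '
                            'interface')
    if str(net.get('bindIpAll', 'false')).lower() == 'true':
        findings.append('net.bindIpAll: true exposes mongod on every interface')

    if sec.get('authorization', 'disabled').lower() != 'enabled':
        findings.append('security.authorization is not enabled: any client '
                        'that can connect has full read/write/drop access')
    return findings


if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        problems = audit(text)
        print(f'{name}: {"OK" if not problems else ""}')
        for p in problems:
            print(f'  - {p}')
```

Run it against /etc/mongod.conf on each host (audit(open('/etc/mongod.conf').read())) as a quick pass before relying on the full checklist; a clean result here only covers network exposure and authentication, not role configuration, TLS or backups.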