2,000 MongoDB databases exposed in ransomware hack

Security researcher and co-founder of GDI foundation, Victor Gevers, has determined that over 200 MongoDB databases have been erased and held for ransom by an unknown hacker under the alias harak1r1.

Gevers started notifying victims on Twitter.

“Criminals often target open databases to deploy their activities like data theft/ransom. But we also have seen cases were open servers like these are used for hosting malware (like ransomware), botnets and for hiding files in the GridFS,” Gevers writes in the notification letter.

Following the announcement, the number has risen to 2,000, according to Shodan founder John Matherly.

MongoDB is an open-source NoSQL database used by companies including Linkedin, Cisco, MTV and The New York Times.

The hacker demands a ransom of 0.2 Bitcoin, approximately $211, but the data is not returned unless victims provide proof of ownership. The attacks have been taking place for the past week.

“SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE!” read an attacker”s note that Gevers discovered when accessing one of the open servers.

In 2015 Matherly repeatedly warned MongoDB users that the installations were publicly exposed and running on cloud services without authentication. This and other configuration errors caused numerous database breaches, including that of Hello Kitty and Mexican voter records.

16 organizations have already paid to regain database access.