MongoDB Ransomware leaves 26,000 New Victims

Three new groups that hijacked over 26,000 servers are behind the ransomware attacks on MongoDB database. One group in particular hijacked 22000 servers itself.

This attack is said to be the continuation of the MongoDB Apocalypse, which started in December 2016, and was detected by security researchers Dylan Katz and Victor Gevers.

Most of the companies affected left their database open for test system or for external connection. Multiple hackers scanned the internet looking for MongoDB databases, and when they hit upon an exposed one, they would enter and delete the content and replace it with a ransom virus. The victimized companies would realize that their database had gone and paying the ransom in hopes of getting it back.

Security researchers around the world have been tracking this attack, and have found that nearly 45,000 databases have been compromised so far.

The interesting phenomenon is that from MongoDB the ransom attacks would spread to Hadoop, Cassandra, CouchDB, MySQL, and ElasticSearch. The virus was designed to spread from one to other server technologies.

Over the spring and summer, hacking groups involved tapered off these attacks, and the number of ransomed servers went down.

During the last summer, the hackers involved in this just disappeared, and the number of compromised servers went down. Now a group of three attackers has emerged. They were identified based on the email they use to extort money.

More Damage with fewer attackers

Gevers said “The amount of (n) attackers went down compared with the beginning of the year, but the destructive reach (in regards to the victims) per attack went up in numbers,” He added further “So it looks like there are fewer attackers but with a larger impact.”

It took just one month for the attackers to rack up 45,000 victims with MongoDB attacks. One group managed to score half of that figure only last week.

Gevers says that he’s seen cases where the group hijacks a user’s DB, the user restores a database copy of backups, and the group ransoms the server again on the same day because the victim failed to properly secure his DB.

“Now we need to study exactly what is going on here because we are missing pieces of the puzzle to keep a complete picture,” Gevers said. “Is this a lack of knowledge? Did they mess up the [MongoDB] security settings without knowing it? Are they running on an older version without safe defaults and other vulnerabilities?”

Busy year for Hackers

According to security analyst, it has been a busy year for cyber criminals. Gevers said he’ll also have to bring in some outside experts to help him analyze this massive wave of MongoDB hijacks. This is not because Gevers and team are not capable, but they are already into other cases of vulnerable attacks. They are particularly harping on those vulnerable devices which are left unattended or waiting for a connection.