MongoDB Databases Hit by Wave of Data Extortion

During the past couple of weeks an attacker with the alias Harak1r1 has gone after MongoDB databases connected to the cloud. These old database instances were not protected by an administrator password, and were non-firewalled. Therefore, the attacker logged onto these databases, downloaded the content, then removed the content, and left a note demanding 0.2 Bitcoin to restore the data. Although many observers have called this as a ransomware attack, it is more accurately extortion because none of the data is encrypted, which is the case with crypto-ransomware.

Screen Shot 2017-01-20 at 11.31.48 AM

All of these actions were automated instead of manual hacks into the databases. The following screenshot shows a code snippet of the scripts being used by the attackers:

Screen Shot 2017-01-20 at 11.32.32 AM

A report generated on Shodan shows an overview of MongoDB databases connected to the Internet:

Screen Shot 2017-01-20 at 11.34.00 AM

As usual, when an attack like this is revealed, many copycats attempt similar attacks. 0wn3d, byterot, and P1l4tos, as well as the professional ransomware group Kraken, soon followed. P1l4tos and Kraken0 have not limited themselves to MongoDB instances but have targeted instances of Elasticsearch as well. Other reports name Hadoop and other databases as targets.

The Kraken group is actually offering its MongoDB and Elasticsearch code, including data, as a kit for US$500.

Screen Shot 2017-01-20 at 11.34.40 AM

How profitable are these attacks for the actors? According to researchers Niall Merrigan and Victor Gerves, the total amount of Bitcoins being paid by the MongoDB victims is around BTC 23.3, roughly $20,000. If we look, for example, at the initial attacker, Harak1r1, we can create a small overview:

Screen Shot 2017-01-20 at 11.36.12 AM

Analyzing the Bitcoin wallets involved, to date the actor has made a total of BTC 4.2, which translates to $3,700.

So why exactly were these MongoDB not protected and such easy targets? It seems that many of these instances stemmed from Shadow IT—developers or departments took matters into their own hands and built out systems without IT knowledge or approval and subsequently did not follow proper security policies.

The hackers found these unapproved and unsecured cloud services systems with their data was wide open, and cybercriminals we’re able to jump on the opportunity.


In these particular cases, a simple password would have stopped this attack. Of course, there is much more to do to protect an online database. Think in the line of firewall, SQL-injection proof, updates, auditing and backup.

But first, the IT department needs to find these Shadow IT instances and bring it to light, to ensure these proper security measures are in place. This is no easy feat, but it can be accomplished.

Criminals will always seek new ventures to make money. This is an example of the latest wave. What if an attack is targeted at your company’s database (online or onsite) and it is encrypted by attackers: are you prepared?

Leave a Comment

5 × 5 =