MongoDB Databases Hit by Wave of Data Extortion


During the past couple of weeks an attacker using the alias Harak1r1 has gone after MongoDB databases exposed to the Internet. These older database instances were not protected by an administrator password and were not behind a firewall, so the attacker simply connected to them, downloaded the content, deleted it, and left a note demanding 0.2 Bitcoin to restore the data. Although many observers have called this a ransomware attack, it is more accurately extortion: none of the data is encrypted, as it would be in a crypto-ransomware attack.

[Screenshot: the ransom note left by the attacker]

All of these actions were scripted rather than carried out by hand. The following screenshot shows a code snippet from the scripts used by the attackers:

[Screenshot: code snippet from the attackers' script]
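Because the attack is scripted, it leaves a recognizable trail in the server's own log: the startup warning that access control is disabled, a connection from an outside address, and dropDatabase commands on that connection moments later. The following Python script, added here as an illustration and not part of the original post or of any McAfee tooling, scans a small log sample for exactly that sequence. The sample lines are constructed for this example and modeled on MongoDB 3.x text logging (the `connection accepted from ... #N` and `[connN] dropDatabase <db> starting` messages); the addresses come from the RFC 5737 documentation range, the connection ids are invented, and only IPv4 sources are handled.

```python
import ipaddress
import re

# Constructed sample of a mongod 3.x text log (not from any real victim). It follows
# the pattern described in the post: the server starts without access control, an
# external host connects, and databases are dropped on that connection right away.
# A later drop from an internal host is included to show that it is not flagged.
SAMPLE_LOG = """\
2017-01-05T10:21:00.000+0000 I CONTROL  [initandlisten] ** WARNING: Access control is not enabled for the database.
2017-01-05T10:21:00.001+0000 I CONTROL  [initandlisten] **          Read and write access to data and configuration is unrestricted.
2017-01-05T10:21:30.412+0000 I NETWORK  [initandlisten] connection accepted from 10.0.4.12:40211 #1 (1 connection now open)
2017-01-05T10:22:13.345+0000 I NETWORK  [initandlisten] connection accepted from 203.0.113.7:51324 #2 (2 connections now open)
2017-01-05T10:22:14.001+0000 I COMMAND  [conn2] dropDatabase customers starting
2017-01-05T10:22:14.120+0000 I COMMAND  [conn2] dropDatabase customers finished
2017-01-05T10:22:14.300+0000 I COMMAND  [conn2] dropDatabase orders starting
2017-01-05T10:22:14.390+0000 I COMMAND  [conn2] dropDatabase orders finished
2017-01-05T10:25:00.000+0000 I NETWORK  [conn2] end connection 203.0.113.7:51324 (1 connection now open)
2017-01-05T11:00:00.000+0000 I COMMAND  [conn1] dropDatabase scratch_tmp starting
"""

# Address ranges treated as "inside": RFC 1918 plus loopback. Anything else is
# considered external. (Assumption for this example; adjust to your own addressing.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# IPv4 only: an IPv6 source would need a different address pattern.
CONN_RE = re.compile(r"connection accepted from (?P<ip>[^:\s]+):\d+ #(?P<id>\d+)")
DROP_RE = re.compile(r"^(?P<ts>\S+) .*\[conn(?P<id>\d+)\] dropDatabase (?P<db>\S+) starting")
NOAUTH_RE = re.compile(r"WARNING: Access control is not enabled")


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Scan mongod log text.

    Returns (auth_disabled, findings): auth_disabled is True if the startup warning
    about missing access control was seen; findings lists every dropDatabase issued on
    a connection whose source is external or unknown.
    """
    conn_src = {}        # connection id -> source IP, learned from "connection accepted"
    auth_disabled = False
    findings = []
    for line in log_text.splitlines():
        if NOAUTH_RE.search(line):
            auth_disabled = True
            continue
        m = CONN_RE.search(line)
        if m:
            conn_src[m.group("id")] = m.group("ip")
            continue
        m = DROP_RE.match(line)
        if m:
            src = conn_src.get(m.group("id"))
            if src is None or not is_internal(src):
                findings.append({
                    "time": m.group("ts"),
                    "conn": m.group("id"),
                    "source": src or "unknown",
                    "database": m.group("db"),
                })
    return auth_disabled, findings


if __name__ == "__main__":
    auth_off, hits = analyze(SAMPLE_LOG)
    print("access control disabled at startup:", auth_off)
    for hit in hits:
        print(f"{hit['time']} conn{hit['conn']} from {hit['source']} "
              f"dropped database {hit['database']}")
```

Run against the sample, the script reports the disabled access control and the two databases dropped by the connection from 203.0.113.7, while the drop from 10.0.4.12 passes as an internal administrative action. The same two regexes, fed from a log shipper, give a cheap alert for the sequence long before a ransom note is noticed.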

A report generated on Shodan gives an overview of the MongoDB databases reachable from the Internet:

[Screenshot: Shodan report of Internet-facing MongoDB instances]

As usual, once an attack like this becomes public, copycats follow. 0wn3d, byterot and P1l4tos, as well as the professional ransomware group Kraken, soon joined in. P1l4tos and Kraken0 have not limited themselves to MongoDB but have targeted Elasticsearch instances as well. Other reports name Hadoop and other databases as targets.

The Kraken group is even offering its MongoDB and Elasticsearch code, including data, as a kit for US$500.

[Screenshot: Kraken's kit offered for sale]

How profitable are these attacks for the actors? According to researchers Niall Merrigan and Victor Gevers, the total paid by MongoDB victims is around BTC 23.3, roughly $20,000 at the time. Looking at the initial attacker, Harak1r1, we can put together a small overview:

[Screenshot: overview of the Harak1r1 campaign]

Analyzing the Bitcoin wallets involved, to date this actor has received a total of BTC 4.2, which translates to about $3,700.

So why exactly were these MongoDB instances unprotected and such easy targets? Many of them appear to stem from shadow IT: developers or departments took matters into their own hands and built systems without the IT department's knowledge or approval, and consequently did not follow the organization's security policies.

The attackers found these unapproved and unsecured cloud systems with their data wide open, and cybercriminals were quick to jump on the opportunity.

In these particular cases, a simple password would have stopped this attack. MongoDB does not enable access control by default, and older versions of the mongod binary listened on all network interfaces unless a bindIp was configured, so an instance deployed with default settings is open to anyone who can reach port 27017. Of course, there is much more to protecting an Internet-facing database: think along the lines of firewalling, injection-resistant queries, timely patching, auditing, and tested backups.
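The two settings that would have closed the door are `net.bindIp` and `security.authorization` in mongod.conf. The Python below, added here as an example and not taken from the original post or from MongoDB's own tooling, places a weak configuration of the kind described beside a hardened one and runs a small audit over both. Both files are constructed for this example; the parser handles only the flat `section:` / `  key: value` layout that mongod.conf uses, not arbitrary YAML.

```python
# Weak configuration of the kind the post describes: no authorization section, and
# explicitly listening on every interface. Constructed for this example.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Hardened counterpart: loopback only and role-based access control turned on.
# Constructed for this example.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Flatten a mongod.conf into {"section.key": "value"}.

    Handles the two-level layout mongod.conf uses (top-level section, two-space
    indented settings) and strips '#' comments. Deeper nesting, lists and values
    containing '#' are out of scope for this example.
    """
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            if value.strip():
                settings[key] = value.strip()
        elif section is not None:
            settings[f"{section}.{key}"] = value.strip()
    return settings


def audit(text):
    """Return a list of findings for the two settings that made the wave possible."""
    s = parse_conf(text)
    findings = []
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach "
                        "the port has full read/write access")
    bind = s.get("net.bindIp")
    if bind is None:
        # Absent bindIp means "all interfaces" on mongod before 3.6; later versions
        # default to localhost, so treat the omission as a finding to be verified.
        findings.append("net.bindIp not set: mongod before 3.6 listened on all "
                        "interfaces by default")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append(f"net.bindIp={bind}: listening on all interfaces")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Mind the order when applying the fix to a running server: create an administrative user in the `admin` database first (with authorization enabled, MongoDB's localhost exception lets the first user be created from a connection on the same host), make sure application connection strings carry credentials, then restart with the new configuration. Binding to 127.0.0.1 suits a single-host deployment; when application servers live elsewhere, bind to the internal interface instead and restrict port 27017 with the host firewall as well.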

But first, the IT department needs to find these shadow IT instances and bring them into the light, so that the proper security measures can be put in place. This is no easy feat, but it can be accomplished.

Criminals will always seek new ways to make money, and this is just the latest wave. What if an attack targets your company's database, online or on-site, and the attackers encrypt it: are you prepared?

Categories: Cloud Security