MongoDB databases have suffered a surge of ransomware attacks, with over 27,000 servers currently compromised as hackers steal and delete data from unpatched or poorly-configured systems.
Victor Gevers, from the Netherlands-based GDI Foundation, and Niall Merrigan, a Norway-based developer, have been tracking a surge in attacks on MongoDB installations in which a handful of groups are wiping vulnerable databases and replacing them with an empty database with a name such as ‘WARNING’, ‘PWNED’, or ‘PLEASE_READ’.
The attackers claim to hold a copy that can be purchased for between 0.2BTC and 1BTC, but there’s no guarantee the data is actually available if a payment is made.
At the current count, more than a quarter of the 99,000 MongoDB instances open to the internet have been compromised. It has been said that the criminals mainly target instances that do not have password-protected admin accounts.
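A defender can check an instance for the conditions described above. The following is an added example, not code from MongoDB or from the researchers: it audits a `mongod.conf` for disabled authorization and listening on all interfaces, and flags the marker database names reported here. The function names are hypothetical, the parser handles only the simple two-level YAML layout, and both sample configurations are constructed.

```python
# Marker database names reported in the article.
RANSOM_MARKERS = {"WARNING", "PWNED", "PLEASE_READ"}

def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' subset of mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if not line[0].isspace():                 # top-level section header
            section = key
            conf[section] = {}
        elif section is not None:
            conf[section][key] = value
    return conf

def audit(conf_text, db_names):
    """Return a list of findings for one instance."""
    conf = parse_conf(conf_text)
    findings = []
    # security.authorization must be 'enabled' for access control to apply.
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("auth-disabled")
    net = conf.get("net", {})
    binds = [b.strip() for b in net.get("bindIp", "").split(",") if b.strip()]
    if net.get("bindIpAll") == "true" or any(b in ("0.0.0.0", "::") for b in binds):
        findings.append("listens-on-all-interfaces")
    # A database named like a ransom note suggests the instance was already hit.
    hits = sorted(n for n in db_names if n.upper() in RANSOM_MARKERS)
    if hits:
        findings.append("ransom-marker-db:" + ",".join(hits))
    return findings

# Constructed sample: no security section, bound to every interface.
EXPOSED_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0
"""
# Constructed sample: authorization on, bound to loopback only.
HARDENED_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    print(audit(EXPOSED_CONF, ["admin", "local", "PLEASE_READ"]))
    print(audit(HARDENED_CONF, ["admin", "local", "orders"]))
```

The database names would come from the instance's own database listing; any marker hit means the data should be treated as already wiped and recovery should start from backups.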
Hackers use ransomware to attack computers, specifically those of organisations, and encrypt sensitive and important data before asking for a ransom to give the data back. From small businesses to big enterprises, no one without proper resources is safe from such threats. Ransomware is used to encrypt valuable files; it is impossible for companies to get them back, and they have to give in to the ransom demands.
MongoDB’s director of product security, Andreas Nilsson, has published a list of actions admins can use to prevent the attacks. As with most ransomware attacks, Nilsson stressed the importance of backing up data.
“If you take regular backups of the compromised database, you can restore the most recent backup… If you don’t have a backup or are otherwise unable to restore the data, unfortunately your data may be permanently lost”, he added.