DataBreaches.Net


Don’t pay the MongoDB ransom until you check to see if it’s a scam

Posted on January 7, 2017 by Dissent

For the past week, a number of us have been watching the explosive growth of attacks on misconfigured MongoDB installations. Victor Gevers of GDI Foundation and Niall Merrigan, a Norwegian developer, have been providing yeoman service investigating the problem, making notifications, and keeping us all apprised of their findings through their Twitter accounts.

It all started scarily – but simply – enough with attackers removing files from MongoDB installations that had been left open on Port 27017. The attackers removed files and created a replacement database with a catchy name like “CONTACTME” or “PLEASE_READ.” The ransom notes said that the attacker had preserved all the data, and the victim could recover it if they sent BTC to the specified BTC wallet in the note. Once the payment was made, the victim was to email the attacker with their IP address, at which time, their data would presumably be returned to them. If prompt payment wasn’t made, well, the data would be permanently destroyed.

It seemed like a straightforward ransom model when DataBreaches.net reported on how Emory Healthcare had apparently become one of its victims.

But things rapidly devolved.

Within days of the first attacks, the email account of one attacker (HaraK1r1) was closed. Anyone who paid and then tried to email HaraK1r1 to get their data back would have had no way to reach them.

Then, as other attackers joined the party, they seem to have stomped on each other’s work:

In Dec 2016 @GDI_FDN warned 60 companies for an open MongoDB
47 were hit by harak1r1 on 1/2. On 1/5 0wn3d overwrites note on 33 of them.

— Victor Gevers (@0xDUDE) January 5, 2017

One attacker even acknowledged that this might have happened, in which case, they wrote, a partial refund would be offered.

But of greater concern, and as Victor Gevers has been trying to warn victims since January 5, most of these hackers are lying (what a shock, right?).

Gevers and Niall Merrigan are finding evidence that although the hackers claim they have saved your data and will return it, for the most part, that is not what is happening. What is happening, the researchers say, is that the data are simply being wiped. There appears to be one attacker who may be saving some of the data, but overall this now looks like a tremendous scam: attackers claim to have stolen your data and promise to return it if you pay, when in reality they have just deleted it. Why should they pay for all that storage space, right, if they can get you to send them about $200 in a panic?

As of the time of this posting, there have been about 12 accounts/attackers, each with its own email address and bitcoin wallet(s), and there have been more than 11,253 MongoDB installations that have been wiped in the past few weeks.

For a listing of known attacker accounts with their corresponding email addresses, bitcoin wallets, and additional details, see this helpful document created and maintained by Gevers and Merrigan.

DataBreaches.net will continue to cover this situation.

But NOW will you take a minute to check whether your MongoDB installation is secure? If it’s not, you may wind up locking the barn door after the horse gets stolen or worse, killed. MongoDB has provided these instructions for how to avoid becoming a victim.
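Two checks follow the advice above, written as an added example for this post (not code from DataBreaches.net, GDI Foundation, the researchers, or MongoDB). The first reads a mongod.conf and flags the two settings that left the installations in this wave exposed: listening on every interface with no access control enabled. The second compares a server’s current database listing against an inventory of the databases that should exist, so a victim can tell whether the listing matches the “wiped and replaced with a ransom-note database” pattern described above before deciding about any payment. The sample configs, the inventory, and the ransom-note database names are constructed for the demo (the names are the two quoted in the post; real incidents used others as well).

```python
"""Defender-side checks for exposed MongoDB installations (added example)."""

SYSTEM_DBS = {"admin", "local", "config"}
# Constructed list: the two ransom-note database names quoted in the post.
RANSOM_NOTE_DBS = {"CONTACTME", "PLEASE_READ"}


def parse_yaml_subset(text):
    """Tiny parser for the block-style YAML in mongod.conf.

    Handles nested 'key:' sections and 'key: value' leaves indented with
    spaces, ignores comments and blank lines, and returns a flat dict of
    dotted keys such as 'net.bindIp'. Lists and flow syntax are not needed.
    """
    result = {}
    stack = []  # (indent, key) for each enclosing section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # split on first ':' only
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip()
        if value:
            result[path] = value.strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return result


def audit_mongod_config(conf_text):
    """Return a list of findings for a mongod.conf; an empty list means OK."""
    cfg = parse_yaml_subset(conf_text)
    findings = []
    bind_ip = cfg.get("net.bindIp")
    if bind_ip is None:
        # Before MongoDB 3.6 a mongod with no bindIp listened on all interfaces.
        findings.append("net.bindIp not set: older mongod versions listen on all interfaces by default")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append(f"net.bindIp={bind_ip}: port 27017 reachable from any network, including the internet")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: anyone reaching the port can read, drop and create databases")
    return findings


def triage_databases(listed_dbs, inventory):
    """Compare a live database listing against the databases that should exist.

    Returns the inventoried databases that have vanished, the unexpected
    databases that appeared, which of those carry a known ransom-note name,
    and whether the listing fits the 'wiped, not copied' pattern (all of the
    inventory gone, a note left behind).
    """
    listed, expected = set(listed_dbs), set(inventory)
    missing = sorted(expected - listed)
    unexpected = sorted(listed - expected - SYSTEM_DBS)
    ransom_notes = sorted(d for d in unexpected if d.upper() in RANSOM_NOTE_DBS)
    looks_wiped = bool(expected) and not (expected & listed) and bool(ransom_notes)
    return {"missing": missing, "unexpected": unexpected,
            "ransom_note_dbs": ransom_notes, "looks_wiped": looks_wiped}


# Constructed sample configs: the exposed kind, and a hardened counterpart.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or ["no findings"])
    # Constructed listing from a hit server: inventory gone, only a note left.
    print(triage_databases(["admin", "local", "PLEASE_READ"], ["customers", "orders"]))
```

The config audit reads a file you already have, so it can be run on a server before it is exposed; the triage function takes the output of a database listing and an inventory you maintain elsewhere, and it only reports the pattern, since confirming whether any attacker actually copied data is something the listing alone cannot show.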

Categories: Hack, Of Note
