DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Need help because your MongoDB installation was hit by ransomware?

Posted on January 12, 2017 by Dissent

For the past week, this site has been providing updates on previous coverage about a wave of ransomware attacks hitting misconfigured MongoDB installations. New instances continue to be detected by researchers on a daily basis. The attacks have shown no geographic or sector boundaries – any MongoDB installation indexed by Shodan.io that had or has Port 27017 open has been either wiped out by now or remains at risk. And by now, the number of wiped databases is more than 32,000.

That’s a lot of destroyed data, particularly if they were production databases and the entities had no recent backups.

If you are a victim who needs assistance or you aren’t sure whether to pay the ransom demand, or what to do, here are a few resources for you:

Read this article from MongoDB on how to secure your installation.

Contact Victor Gevers of GDI via Twitter (@0xDUDE) or Niall Merrigan of Capgemini via Twitter (@nmerrigan). They have been working quietly and discreetly to assist victims and my understanding is that they will not name you publicly or disclose your contacts with them.

Kromtech Security, associated with MacKeeper, is also offering some interesting assistance. If you don’t know what was actually in your now-wiped database, Kromtech may have a snapshot of your database that can help you determine what kind of records you had in there. From their announcement this morning:

MacKeeper Security Research Center is offering free support to companies hacked in a recent MongoDB takeover by providing copies of database snapshots / 15-records samples to those who didn’t have their own backups.

Our security reports contain 15-records txt-samples taken from (mostly large, more than 1GB, and of course unprotected, hosted in the US, Canada and Great Britain, with some small extent of other locations) databases, but sometimes even that can be helpful in assessing the sensitivity / origin of data and help companies and organizations make right decision.

We would only require that they contact us at [email protected] from a verified company or branded email address and provide an IP address on which database was hosted so we can identify both the owner and database.

DataBreaches.net has collaborated with Kromtech/MacKeeper numerous times over the past year. They have been quietly helping many firms by reaching out to them to let them know when they have found unsecured MongoDB installations, and more recently, leaky Rsync devices. Most of their “finds” are not reported on MacKeeper Security Research Center, and some of the situations they contact me about for notification assistance are never mentioned publicly on their site or this one.

If you’re struggling to recover from one of the MongoDB attacks, consider availing yourself of the free resources above.

And then, of course, make sure that you properly lock down your databases going forward. This site is already aware of one entity – unnamed – who as part of their recovery went ahead and repeated the misconfiguration that left their data at risk in the first place.

If you know of other free resources, please let me know via the Comments section below.

 

No related posts.

Category: Breach IncidentsOf Note

Post navigation

← Affiliates able to access databases of ALL Hello Markets brands and CRM data in massive security breach
Summit Reinsurance Services breach affected 19,000 →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Integrated Oncology Network victim of phishing attack; multiple locations affected (2)
  • HHS’ Office for Civil Rights Settles HIPAA Privacy and Security Rule Investigation with Deer Oaks Behavioral Health for $225k and a Corrective Action Plan
  • HB1127 Explained: North Dakota’s New InfoSec Requirements for Financial Corporations
  • Credit reports among personal data of 190,000 breached, put for sale on Dark Web; IT vendor fined
  • Five youths arrested on suspicion of phishing
  • Russia Jailed Hacker Who Worked for Ukrainian Intelligence to Launch Cyberattacks on Critical Infrastructure
  • Kentfield Hospital victim of cyberattack by World Leaks, patient data involved
  • India’s Max Financial says hacker accessed customer data from its insurance unit
  • Brazil’s central bank service provider hacked, $140M stolen
  • Iranian and Pro-Regime Cyberattacks Against Americans (2011-Present)

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • On July 7, Gemini AI will access your WhatsApp and more. Learn how to disable it on Android.
  • German court awards Facebook user €5,000 for data protection violations
  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.