MongoDB ransomware attacks

Ransom attacks on MongoDB databases reemerged last week when three new groups of hackers hijacked around 26,000 servers containing MongoDB databases and demanded victims to pay 0.2 BTC (currently around $650) to have the databases restored.

The attacks are a continuation of the so-called MongoDB Apocalypse that started in late December 2016 and continued through the first months of 2017. The attacks were discovered by security researchers Victor Gevers and Niall Merrigan.

Victor Gevers, who is the chairman of the GDI Foundation, a non-profit organization working to secure devices exposed online, has been busy all year securing all sorts of devices, from AWS S3 buckets, and computers infected with EternalBlue to cryptocurrency miners.

During the attacks, multiple hacking crews scanned the Internet for MongoDB databases left open for external connections, wiped their content, and replaced it with a ransom demand:

“We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored”.

Many of these exposed databases were test systems, but some contained production data and a few companies ended up paying the ransom only to later find out they’ve been scammed and the attacker never had their data.

From MongoDB, the ransom attacks also spread to other server technologies, such as ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers.

The current attacks are being tracked by Gevers and fellow researcher Dylan Katz. According to the MongoDB ransacking Google Docs spreadsheet that the pair are updating, one group using the address ‘’ has ransacked over 45.000 databases.

Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.