The issue of misconfigured MongoDB installations, allowing anyone on the internet to access sensitive data, is not new. Researchers have been finding such open databases for years, and the latest estimate puts their number at more than 99,000.
The attackers left a message behind for the database administrators asking for 0.2 bitcoins (around $180) to return the data.
In addition, other attackers have joined the scheme, researchers counting at least five groups with different ransom messages so far. Together, the groups deleted 10,500 databases, and in some cases, they’ve replaced each other’s ransom messages.
The bad news is that most of them don’t even bother copying the data before deleting it, so even if the victims decide to pay, there’s a high chance they won’t get their information back.
Gevers said he has helped some victims and there was no evidence in the logs that the data had been exfiltrated. He advises affected database owners not to pay and to get help from security professionals.
MongoDB administrators are advised to follow the steps on the security checklist from the MongoDB documentation in order to lock down their deployments and prevent unauthorized access.