1. Computing

Cybercriminals hold more than 10,000 website databases for ransom

Jonathan Keane
By

mongodb database ransom rusty padlock
Garretttaggs /Wikimedia Commons
Hacker groups have targeted the exposed databases of more than 10,000 websites, with the attackers demanding ransoms to restore them.

On Friday, security researchers revealed that thousands of publicly exposed MongoDB databases had been copied and deleted by a lead group using the name Harak1r1. The misconfigured databases meant that anyone could access them.

Victor Gevers of the GDI Foundation first found up to 200 databases affected but since then more researchers have discovered vulnerable databases totaling more than 10,000. The founder of Shodan pointed out that he was able to find nearly 2,000 in his own searches.

The culprits are demanding up to 0.2 bitcoin ($180) per database for their restoration, according to messages left for some of the administrators. Since Harak1r1 began its campaign, four other groups have started imitating and hunting down exposed sites to hold hostage. It’s not known if the groups are coordinated or connected in any way.

These attacks aren’t your traditional cases of ransomware as no data has actually been encrypted. Rather, the attackers have replaced exposed data with a note demanding money for its return. Nevertheless it creates a massive headache for the data’s owners.

Gevers believes that the affected databases can be attributed to older, legacy MongoDB databases that were deployed on cloud services and not adequately protected, with the configuration left open.

“The most open and vulnerable MongoDBs can be found on the AWS platform because this is the favorite place for organizations who want to work in a devops way,” Gevers told Bleeping Computer. “About 78 percent of all these hosts were running known vulnerable versions.”

Gevers advises against paying the ransom to the criminals but figures from Blockchain.info now show 22 transactions made to Harak1r1’s bitcoin wallet, most likely from administrators desperate to get their databases back in working order. Paying off the ransom is unfortunately not a guarantee that the data will be properly restored.

MongoDB has a security checklist available for any users that encounter attacks or breaches.

Editors' Recommendations

Using Google Keep on a Samsung S21? Don’t install One UI 4

The rear panel of the Samsung Galaxy S21 showing its triple cameras.

Google’s Digital Wellbeing widget hits Android devices soon

Google Pixel 6 Pro clock widgets. Credits: Google official.

DuckDuckGo’s new web browser won’t rely on any Chrome technology

Homepage of DuckDuckGo.

Windows 11 vs. Windows 10: Should you upgrade?

Windows 11 Woman on Laptop Lifestyle

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Molekule adds an Air Score to its Air Pro purifier

molekule enables air score pro

This speedy DDR5 kit is now the world’s fastest RAM

A pair of G.Skill Trident Z5 DDR5 RAM modules.

VPN Test: How to see if your VPN is working

The best VPN for Mac is NordVPN.

Three new Star Wars games are in the works from Respawn

Cal fighting the Ninth Sister in Jedi Fallen Order.

Google’s Pixel 6a could be coming far sooner than expected

The first renders of the Google Pixel 6a.

Should LG be worried about Samsung’s QD-OLED tech?

Samsung QD-OLED display at CES 2022.

A cheaper 1080p Chromecast with Google TV just makes sense

Chromecast with Google TV remote.

Nvidia’s $40 billion ARM deal is all but over

A chip designed by semiconductor company ARM.