Over 10,000 MongoDB Databases Wiped Out by Ransomware Groups
Ransomware groups have deployed a new tactic that entails deleting publicly accessible MongoDB databases and subsequently asking the victim for money to restore the information, according to Computerworld. At least five groups of attackers are at large with the intention to wipe out as many databases as possible. Unfortunately, these ransomware groups are having a productive start, with more than 10,000 databases deleted thus far.
Publicly Exposed MongoDB Databases Increase Risk
User error is one possible reason for the MongoDB ransomware attacks. According to an article featured in The Next Web, every compromised MongoDB server so far featured an administrator account that lacked password protection.
When a MongoDB installation is misconfigured, it allows anyone on the internet to access its stored data, which puts sensitive information at risk.
While this danger should not be taken lightly, incidents of this kind are nothing new. According to Computerworld, researchers have been finding such open databases (more than 99,000 of them) for quite some time.
In fact, the news source reports that GDI Foundation security researcher Victor Gevers has found nearly 200 instances of publicly exposed MongoDB databases that had been either deleted or ransomed by an individual or group of attackers going by the name Harak1r1.
The attacker leaves a ransom note asking the victims for 0.2 bitcoins (approximately $180) to get the data back. However, even when the ransom is paid, the attacker often does not return the information, because the threat actor is unlikely to have bothered copying it before deleting it, Computerworld notes.
Moreover, Gevers mentioned that there was no evidence of data exfiltration and advises affected database owners not to pay the ransom; instead, they should seek assistance from security professionals.
Recommended Security Checklist
In response to this incident, MongoDB provided documentation that includes a security checklist to help database administrators protect their MongoDB installations. Its first steps, enabling access control and enforcing authentication, prevent unauthorized access: once they are in place, clients and servers must present valid credentials before connecting to the system.
To control access further, MongoDB recommends administrators configure role-based access control in order to create roles that define the specific access that a set of users requires. The security checklist also includes other steps that administrators should follow, such as encrypting communications and protecting MongoDB data using file-system permissions to further mitigate ransomware threats and attacks.
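As an added example, not taken from the article or from MongoDB's own documentation, here is a small Python audit of a mongod.conf against three of the checklist items (authentication enforced, listener kept off public interfaces, TLS required), run over a constructed exposed configuration of the kind the wiped servers ran and over the same server after hardening. The option names are real mongod settings; the parser handles only the key/value subset shown here.

```python
# Audit a mongod.conf against the checklist: require authentication,
# keep the listener off public interfaces, require TLS for client traffic.
# Constructed sample: exposed (no authorization, listening on every interface).
WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server after applying the checklist.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
security:
  authorization: enabled
"""

def parse_conf(text):
    """Parse the indented key/value subset of mongod.conf used here into
    nested dicts; comments and blank lines are skipped."""
    stack = [(-1, root := {})]           # (indent, section dict)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:    # climb back to the enclosing section
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit(conf_text):
    """Return checklist findings for one configuration; [] means it passes."""
    conf = parse_conf(conf_text)
    net, security = conf.get("net", {}), conf.get("security", {})
    findings = []
    if security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': no credentials required")
    if "0.0.0.0" in net.get("bindIp", "127.0.0.1").split(","):  # absent: localhost default
        findings.append("net.bindIp listens on every interface")
    tls = net.get("tls") or net.get("ssl") or {}     # net.ssl on pre-4.2 releases
    if tls.get("mode") not in ("requireTLS", "requireSSL"):
        findings.append("TLS is not required: client traffic can travel unencrypted")
    return findings
```

Running `audit(WEAK_CONF)` lists all three gaps, while `audit(HARDENED_CONF)` returns an empty list; file-system permissions on the data directory, the checklist's remaining item, are outside what a config file can show.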