Thousands of MongoDB databases deleted in cyber-extortion attacks

Cyber-extortionists in the past few weeks have turned their attention to MongoDB databases and are wreaking havoc for those who rely on them. In particular, these cyber-extortionists are deleting MongoDB databases by the thousands if demands are not met. As reported by Bleeping Computer, the attacks in question were first noticed by researcher Sanyam Jain and follow a particular modus operandi:

The researcher first noticed the attacks on April 24, when he initially discovered a wiped MongoDB database which, instead of the huge quantities of leaked data he was used to finding, only contained the following note: Restore ? Contact :

As he later discovered, after dropping the databases, the cyber-extortionists leave behind ransom notes asking their victims to get in touch if they want to restore their data by sending an email to one of the following two email addresses: or

While the method used by the attackers to find and wipe databases in such large numbers is not yet known, the entire process is most probably completely automated.

After connecting to one of the publicly accessible MongoDB databases left unprotected on the Internet, the script or program used to do it is also configured to indiscriminately delete every unsecured MongoDB it can find, and then to add the ransom tables.

As Jain noted, the motive behind these attacks are likely monetary in nature (I say “likely” because the attackers are not responding to any attempted communication from journalists). Though there is no set ransom amount, the email contact is utilized to negotiate terms of returning the database to the rightful owner (for a right price of course). Something that the author of the Bleeping Computer article, Sergiu Gatlan, notes that these attacks are only possible due to poor security practices. MongoDb actually gives easy-to-follow steps for securing a database that all administrators can utilize.

Cyber-extortion takes various forms, and it succeeds because the criminals are able to capitalize on fear. Take away their bargaining chips and you effectively cut them off at the knees.

Featured image: Wikimedia / Ularugeanina

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter
Tags mongodb

Recent Posts

Docker, Microsoft unveil easier way to deploy Azure containers

Docker and Microsoft have rolled out a new and easier way for developers to deploy…

9 hours ago

Improvements on the verify domain error in Office 365

The verify domain error when registering the same domain in Office 365 to a different…

13 hours ago

Using VMM to run scripts to manage remote Hyper-V hosts

When it comes to the bulk management of Hyper-V hosts (or of any Windows server,…

16 hours ago

Shiny Hunters hacking group breach Home Chef database

The Shiny Hunters hacking group has struck again. This time they hit meal-prep delivery company…

1 day ago

Review: Specops uReset Active Directory self-service password reset

Specops uReset is an Active Directory password reset solution to handle the problem of forgotten…

2 days ago

Reports say eBay port scanning incoming visitors. Why?

According to several reports, eBay may be port scanning visitors to its site. While this…

5 days ago