Thousands of MongoDB databases deleted in cyber-extortion attacks

Cyber-extortionists in the past few weeks have turned their attention to MongoDB databases and are wreaking havoc for those who rely on them. In particular, these cyber-extortionists are deleting MongoDB databases by the thousands if demands are not met. As reported by Bleeping Computer, the attacks in question were first noticed by researcher Sanyam Jain and follow a particular modus operandi:

The researcher first noticed the attacks on April 24, when he initially discovered a wiped MongoDB database which, instead of the huge quantities of leaked data he was used to finding, only contained the following note: Restore ? Contact :

As he later discovered, after dropping the databases, the cyber-extortionists leave behind ransom notes asking their victims to get in touch if they want to restore their data by sending an email to one of the following two email addresses: or

While the method used by the attackers to find and wipe databases in such large numbers is not yet known, the entire process is most probably completely automated.

After connecting to one of the publicly accessible MongoDB databases left unprotected on the Internet, the script or program used to do it is also configured to indiscriminately delete every unsecured MongoDB it can find, and then to add the ransom tables.

As Jain noted, the motive behind these attacks is likely monetary in nature (I say “likely” because the attackers are not responding to any attempted communication from journalists). Though there is no set ransom amount, the email contact is used to negotiate terms of returning the database to the rightful owner (for the right price, of course). The author of the Bleeping Computer article, Sergiu Gatlan, notes that these attacks are only possible due to poor security practices. MongoDB actually gives easy-to-follow steps for securing a database that all administrators can utilize.
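The two conditions described above, a MongoDB instance that is reachable from the Internet and left without access control, can be checked in a server's `mongod.conf`. The following is an added example, not code from the article, Bleeping Computer, or MongoDB; the sample configurations are constructed, and the small parser assumes the plain nested `key: value` layout of a typical `mongod.conf`.

```python
import re

# Constructed sample of a mongod.conf that leaves the server exposed (not from the article).
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample with access control on and a local-only listener.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def flatten(conf_text):
    """Flatten the simple nested 'key: value' YAML of mongod.conf into dotted keys."""
    settings, stack = {}, []          # stack holds (indent, key) of open sections
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()              # drop comments
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        while stack and stack[-1][0] >= indent:           # leave finished sections
            stack.pop()
        if value:
            settings[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))
    return settings

def audit(conf_text):
    """Return findings for the two conditions the article describes: reachable and unprotected."""
    s, findings = flatten(conf_text), []
    # A missing security.authorization key means access control is off (MongoDB's default).
    if s.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled: clients can connect without credentials")
    bind_all = s.get("net.bindIpAll", "false") == "true"
    addrs = [a.strip() for a in s.get("net.bindIp", "").split(",") if a.strip()]
    if bind_all or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("listener bound to all interfaces: reachable from any network that routes to the host")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A clean result here covers only the configuration file; firewall rules and options passed on the command line also decide whether the instance is reachable.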

Cyber-extortion takes various forms, and it succeeds because the criminals are able to capitalize on fear. Take away their bargaining chips and you effectively cut them off at the knees.

Featured image: Wikimedia / Ularugeanina

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
