No honor among thieves: Crooks seeking ransom for MongoDB data someone else stole

The data’s not coming back anyway, experts say.


It took less than a week for criminals to drain virtually all publicly exposed MongoDB servers of their data, and now a second tier of opportunistic thieves is trying to walk off with the ransom.

When attackers initially deleted the data, sometimes terabytes at a time, they left ransom notes demanding payments in bitcoin.


In the meantime, other thieves have come along to these still-insecure servers, deleted the initial ransom notes and left their own. And sometimes after that, another thief came along and deleted that note and left yet another.

“There’s a fluctuation and shift in which ransom note is being displayed on the server at any given minute,” says Zach Wikholm, a research developer at Flashpoint.

Not that it matters, he says. The likelihood that any victim of these thefts will ever get their data back is minuscule. It’s relatively easy to find the vulnerable servers, pull down the data and delete it, but to do that and also store it would require time and enormous amounts of storage, he says.

It’s highly unlikely the thieves made that kind of investment. Instead they deleted the data and demanded payment to restore it. “There’s no hope for those who were compromised,” he says.

It didn’t take a large group to commit these crimes. “Pulling this off is within the ability of one person,” says Allison Nixon, Flashpoint’s director of security research. “Now there are multiple bad actors for sure. Opportunists is a good word.”

Niall Merrigan, a managing consultant at Capgemini, has been following this closely and chronicling the thefts on his Twitter account. He says more than 32,000 MongoDB servers have been hit.

This threat to public-facing MongoDB databases has been publicized for about a year, but only within the past week has anyone tried to cash in on the exposure in a big way, Nixon says.

Security researchers discovered the fact that these databases were exposed and unprotected and issued public warnings, but tens of thousands of admins in 90 countries paid no heed. “People saw it as a thing but not a particularly threatening thing,” Nixon says.


But then someone recognized the profit potential in the ransom scheme and everything changed. “It turns from an academic argument to a worldwide incident in literally days,” she says.

This situation is different from classic ransomware attacks in which attackers encrypt data, then demand payment for turning over the keys to decrypt. In this case, attackers removed the data from the servers altogether, no encryption involved, and it’s unlikely the data was ever saved anywhere, Wikholm says. It simply disappeared too fast for it to have been downloaded, and returning it would require an upload that would take days or in some cases weeks.

MongoDB was never designed to be publicly facing, so it has no built-in authentication. It can be added, Wikholm says, but clearly an enormous number of people chose not to. Judging from the volumes of data these servers contained, many were likely used for business purposes and so likely had admins who missed the chance to protect them and failed to heed warnings.
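The two settings that decide whether a MongoDB instance ends up in the situation described above are the interface it listens on (`net.bindIp` / `net.bindIpAll`) and whether access control is turned on (`security.authorization`). The following script is an added example, not code from the article or from MongoDB: it reads a mongod.conf, reports when the instance is reachable from the network without authentication, and shows a weak and a hardened configuration side by side. Both sample configs are constructed for the example, and the tiny parser is a deliberately minimal one that understands only the nested `key: value` subset of YAML that mongod.conf uses, so the script runs without PyYAML.

```python
"""Audit a mongod.conf for the two settings behind the exposed-MongoDB
incident: a non-loopback bind with access control disabled.

Added example; not from the article or the MongoDB project. The parser
below handles only the indented 'key:' / 'key: value' form used by
mongod.conf (no lists, no flow syntax)."""

# Constructed sample: listens on every interface, no authentication.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, authentication required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that mean "all interfaces" in net.bindIp.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Parse indented 'key:' / 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]           # (indent, dict) of enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:          # leave deeper/equal sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":                        # section header
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def audit(conf):
    """Return (code, message) findings; an empty list means the instance
    is bound to loopback and requires authentication."""
    findings = []
    net = conf.get("net", {})
    sec = conf.get("security", {})

    if net.get("bindIpAll", "false").lower() == "true":
        findings.append(("PUBLIC_BIND",
                         "net.bindIpAll is true: mongod listens on every interface"))
    elif "bindIp" not in net:
        # mongod before 3.6 bound all interfaces when bindIp was absent.
        findings.append(("PUBLIC_BIND",
                         "net.bindIp not set: pre-3.6 mongod binds all interfaces"))
    else:
        addrs = {a.strip() for a in net["bindIp"].split(",")}
        if addrs & PUBLIC_BINDS:
            findings.append(("PUBLIC_BIND",
                             f"net.bindIp={net['bindIp']}: listens on all interfaces"))

    # Access control is off unless security.authorization is explicitly enabled.
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append(("NO_AUTH",
                         "security.authorization not 'enabled': anyone reaching the "
                         "port can read, write and drop every collection"))
    return findings


def is_open_to_network(conf):
    """True when both conditions that enabled the mass deletion hold."""
    codes = {code for code, _ in audit(conf)}
    return {"PUBLIC_BIND", "NO_AUTH"} <= codes


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_conf(text))
        print(f"{name}: {'EXPOSED' if is_open_to_network(parse_conf(text)) else 'ok'}")
        for _, msg in findings:
            print("  -", msg)
```

Run against a real `/etc/mongod.conf` by reading the file into `parse_conf`; the useful signal is the combination, since a public bind with authorization enabled still needs credentials, and an unauthenticated instance on loopback is only reachable by local processes. Fixing the weak sample means adding the `security: authorization: enabled` section, creating an administrative user, and restricting `bindIp` to the addresses that actually need to reach the database.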

The lesson to learn from this incident is to better evaluate security warnings. Consider them from the criminal point of view and look for a way someone might make money from exploiting them, Nixon says. When that potential is there, act quickly because someone is surely going to do so soon.


Copyright © 2017 IDG Communications, Inc.