MongoDB Databases Hit by Wave of Data Extortion

By Christiaan Beek on Jan 20, 2017

During the past couple of weeks an attacker using the alias Harak1r1 has gone after MongoDB databases exposed to the Internet from cloud environments. These old database instances were not protected by an administrator password and were not firewalled. The attacker simply logged on to these databases, downloaded the content, deleted it, and left a note demanding 0.2 Bitcoin to restore the data. Although many observers have called this a ransomware attack, it is more accurately extortion: none of the data is encrypted, as it would be with crypto-ransomware.
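The pattern described above, a connection from an outside address that never authenticates and then drops whole databases, leaves a recognizable trace in the mongod log. The following script is an added example written for this page, not code from the article or from McAfee; the log lines are constructed to mirror the MongoDB 3.x log format, and the "internal" address ranges are an assumption (RFC 1918 plus loopback) that you would replace with your own network plan. It correlates each connection number with its source address and authentication state and raises an alert for any session that issues `dropDatabase`.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the MongoDB 3.x log format (not from the article).
# conn11 is an authenticated internal application; conn12 is an outside address that
# never authenticates and drops two databases.
SAMPLE_LOG = """\
2017-01-10T02:14:07.101+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:50122 #11 (1 connection now open)
2017-01-10T02:14:07.230+0000 I ACCESS   [conn11] Successfully authenticated as principal app on orders
2017-01-10T02:14:09.004+0000 I COMMAND  [conn11] command orders.invoices command: find { find: "invoices" }
2017-01-10T03:41:55.612+0000 I NETWORK  [initandlisten] connection accepted from 198.51.100.77:41388 #12 (2 connections now open)
2017-01-10T03:41:56.001+0000 I COMMAND  [conn12] dropDatabase orders starting
2017-01-10T03:41:56.090+0000 I COMMAND  [conn12] dropDatabase orders finished
2017-01-10T03:41:57.300+0000 I COMMAND  [conn12] dropDatabase customers starting
2017-01-10T03:41:58.110+0000 I NETWORK  [conn12] end connection 198.51.100.77:41388 (1 connection now open)
"""

CONN_ACCEPTED = re.compile(r"connection accepted from (?P<ip>[\d.]+):\d+ #(?P<conn>\d+)")
AUTH_OK = re.compile(r"\[conn(?P<conn>\d+)\] Successfully authenticated as principal (?P<user>\S+)")
DROP_DB = re.compile(r"\[conn(?P<conn>\d+)\] dropDatabase (?P<db>\S+) starting")

# Assumption: these are the only address ranges from which administration is expected.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_destructive_sessions(log_text):
    """Walk the log once, track each connection, and report sessions that dropped databases."""
    sessions = {}
    for line in log_text.splitlines():
        m = CONN_ACCEPTED.search(line)
        if m:
            sessions[m["conn"]] = {"ip": m["ip"], "authenticated_as": None, "dropped": []}
            continue
        m = AUTH_OK.search(line)
        if m and m["conn"] in sessions:
            sessions[m["conn"]]["authenticated_as"] = m["user"]
            continue
        m = DROP_DB.search(line)
        if m and m["conn"] in sessions:
            sessions[m["conn"]]["dropped"].append(m["db"])

    alerts = []
    for conn, s in sessions.items():
        if not s["dropped"]:
            continue
        # Every dropDatabase deserves review; one from an external address or from a
        # session that never authenticated is the extortion pattern and is rated high.
        unauthenticated = s["authenticated_as"] is None
        external = not is_internal(s["ip"])
        alerts.append({
            "conn": conn,
            "ip": s["ip"],
            "authenticated_as": s["authenticated_as"],
            "dropped": s["dropped"],
            "severity": "high" if (unauthenticated or external) else "info",
        })
    return alerts


if __name__ == "__main__":
    for a in find_destructive_sessions(SAMPLE_LOG):
        print(f"[{a['severity']}] conn{a['conn']} from {a['ip']} "
              f"(auth: {a['authenticated_as']}) dropped {', '.join(a['dropped'])}")
```

Run against a real `mongod.log` the script only needs the log text; the point is that the evidence needed to spot this kind of incident is already in the default log, provided the log is shipped somewhere the attacker cannot delete it together with the data.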

[Screenshot: the ransom note left in the database]

All of these actions were automated rather than manual break-ins. The following screenshot shows a snippet of the script the attackers used:

[Screenshot: code snippet from the attackers' automation script]

A report generated on Shodan shows an overview of MongoDB databases connected to the Internet:

[Screenshot: Shodan report of MongoDB databases connected to the Internet]

As usual, once an attack like this becomes public, copycats attempt similar attacks. 0wn3d, byterot, and P1l4tos, as well as the professional ransomware group Kraken, soon followed. P1l4tos and Kraken0 have not limited themselves to MongoDB but have targeted Elasticsearch instances as well. Other reports name Hadoop and other databases as targets.

The Kraken group is actually offering its MongoDB and Elasticsearch code, including data, as a kit for US$500.

[Screenshot: the Kraken group's advertisement for its MongoDB and Elasticsearch kit]

How profitable are these attacks for the actors? According to researchers Niall Merrigan and Victor Gevers, the total paid in Bitcoin by MongoDB victims so far is around BTC 23.3, roughly $20,000. Looking at the initial attacker, Harak1r1, we can build a small overview:

[Screenshot: overview of the Bitcoin wallets attributed to Harak1r1]

Analysis of the Bitcoin wallets involved shows that, to date, the actor has received a total of BTC 4.2, roughly $3,700.

So why exactly were these MongoDB instances unprotected and such easy targets? It seems that many of them stemmed from Shadow IT: developers or departments took matters into their own hands and built systems without the knowledge or approval of IT, and consequently did not follow the organization's security policies.

The attackers found these unapproved and unsecured cloud systems with their data wide open, and cybercriminals were quick to seize the opportunity.

In these particular cases, a simple password would have stopped the attack. Of course, there is much more to do to protect an online database: think of firewalling, protection against injection attacks, patching, auditing, and backups.

But first, the IT department needs to find these Shadow IT instances and bring them to light, so that the proper security measures can be put in place. This is no easy feat, but it can be accomplished.

Criminals will always seek new ways to make money, and this is just the latest wave. What if an attack is targeted at your company's database, online or on-site, and the attackers encrypt it: are you prepared?

About the Author

Christiaan Beek

Christiaan Beek is the Lead Scientist & Sr. Principal Engineer of the Enterprise Office of the CTO. He is leading the strategic threat intelligence research with a focus on inventing new technology, research techniques and models. Visionary and serving leadership is at the core of his day-to-day job, getting the best out of people and ...

