MongoDB Ransomware leaves 26,000 New Victims


Three new groups that hijacked over 26,000 servers are behind the ransomware attacks on MongoDB database. One group in particular hijacked 22000 servers itself.

This attack is said to be the continuation of the MongoDB Apocalypse, which started in December 2016, and was detected by security researchers Dylan Katz and Victor Gevers.

Most of the companies affected left their database open for test system or for external connection. Multiple hackers scanned the internet looking for MongoDB databases, and when they hit upon an exposed one, they would enter and delete the content and replace it with a ransom virus. The victimized companies would realize that their database had gone and paying the ransom in hopes of getting it back.

Security researchers around the world have been tracking this attack, and have found that nearly 45,000 databases have been compromised so far.

The interesting phenomenon is that from MongoDB the ransom attacks would spread to Hadoop, Cassandra, CouchDB, MySQL, and ElasticSearch. The virus was designed to spread from one to other server technologies.

Over the spring and summer, hacking groups involved tapered off these attacks, and the number of ransomed servers went down.

During the last summer, the hackers involved in this just disappeared, and the number of compromised servers went down. Now a group of three attackers has emerged. They were identified based on the email they use to extort money.

More Damage with fewer attackers

Gevers said “The amount of (n) attackers went down compared with the beginning of the year, but the destructive reach (in regards to the victims) per attack went up in numbers,” He added further “So it looks like there are fewer attackers but with a larger impact.”

It took just one month for the attackers to rack up 45,000 victims with MongoDB attacks. One group managed to score half of that figure only last week.

Gevers says that he’s seen cases where the group hijacks a user’s DB, the user restores a database copy of backups, and the group ransoms the server again on the same day because the victim failed to properly secure his DB.

“Now we need to study exactly what is going on here because we are missing pieces of the puzzle to keep a complete picture,Gevers said.Is this a lack of knowledge? Did they mess up the [MongoDB] security settings without knowing it? Are they running on an older version without safe defaults and other vulnerabilities?”

Busy year for Hackers

According to security analyst, it has been a busy year for cyber criminals. Gevers said he’ll also have to bring in some outside experts to help him analyze this massive wave of MongoDB hijacks. This is not because Gevers and team are not capable, but they are already into other cases of vulnerable attacks. They are particularly harping on those vulnerable devices which are left unattended or waiting for a connection.

Kevin Jones185 Posts

Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like and others. He holds prestigious certifications like OSWP, OSCP, ITIL. His goals in life are simple - to finish her maiden business venture on Cybersecurity, and then to keep writing books for as long as possibly can and never miss a flight that makes the news.


Leave a Comment


Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password