Stop Paying the Ransom, Says Security Researcher. Hackers were wiping the databases of unprotected MongoDB installs and demanding a ransom.
Recently, attackers have been hijacking MongoDB databases: there have been reports of malicious attacks on unsecured MongoDB instances running openly on the internet. The attackers deleted the database and demanded a ransom to be paid for restoring it.
"YOUR DBS ARE ENCRYPTED. SEND 0.5 BTC (BITCOIN) ~= 550USD, TO THIS BTC ADDRESS," says the ransom message of the first copycat, who calls himself 0wn3d, according to Victor Gevers, the co-founder of the GDI Foundation, a non-profit organization that has the goal of making the internet safer, and one of the researchers who’s tracking these attacks.
Security researchers are tracking these attacks and have shared a MongoDB ransacking spreadsheet of the actors involved, listing group name, date sighted, email address, Bitcoin address, ransom size and the name of the replacement database.
Security researchers have also found several MongoDB databases containing sensitive information left exposed for all to see, such as the voter records of 191 million American voters, or the credit card data of thousands of customers of a hotel chain.
Security researcher Niall Merrigan tweeted:
#MongoDb ransacking more actors are joining in.. 5 signatures in play and last estimate 10.5K servers compromised— Niall Merrigan (@nmerrigan) January 6, 2017
Security researcher Victor Gevers tweeted:
Please STOP paying the ransom. There is no evidence that they actually copied your database. Get a local expert to have your log files checked https://t.co/YxRD5uNMVY— Victor Gevers (@0xDUDE) January 5, 2017
Luckily no one paid yet for the DELETED data. NO one is ENCRYPTING it so PLEASE DON'T PAY the ransom. Ping me 4 help to harden your server. pic.twitter.com/TPTm02qN8Q— Victor Gevers (@0xDUDE) January 5, 2017
MongoDB explains in a blog post how you can tell whether an attacker has compromised your data:
- If access control is configured correctly for the database, attackers should not have been able to gain access to your data. Review our Security Checklist to help catch potential weaknesses.
- Verify your databases and collections. In the recent cases we’ve seen, the attacker has dropped databases and/or collections and replaced them with a new one with a ransom demand.
- If access control is enabled, audit the system logs for unauthorized access attempts or suspicious activity.
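The two checks above (look for replaced databases carrying a ransom note, and audit the logs for unauthorized access) as a small triage script. This is an added example, not code from MongoDB or the researchers quoted; the database snapshot, log lines, client addresses and database names are constructed, and the log-line shapes are an assumption about the MongoDB 3.x text log format.

```python
import re
from collections import Counter

# Words that, taken together, mark a "your DB is encrypted, send BTC" note.
RANSOM_KEYWORDS = ("btc", "bitcoin", "ransom", "encrypted", "send")

def find_ransom_notes(snapshot):
    """snapshot maps db name -> collection name -> list of documents
    (what you would pull with listDatabases / listCollections / find).
    Returns (db, collection) pairs whose documents read like a ransom demand."""
    hits = []
    for db, colls in snapshot.items():
        for coll, docs in colls.items():
            for doc in docs:
                text = " ".join(str(v) for v in doc.values()).lower()
                if sum(word in text for word in RANSOM_KEYWORDS) >= 2:
                    hits.append((db, coll))
                    break
    return hits

# Assumed MongoDB 3.x text-log shapes for failed logins and database drops.
AUTH_FAIL = re.compile(r"authentication failed for (\S+) on (\S+) from client ([\d.]+):\d+")
DROP_DB = re.compile(r"\[conn(\d+)\] command (\S+)\.\$cmd command: dropDatabase")

def audit_log(lines):
    """Returns (auth failures per client IP, list of (conn id, db) drops)."""
    failures, drops = Counter(), []
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group(3)] += 1
        m = DROP_DB.search(line)
        if m:
            drops.append((m.group(1), m.group(2)))
    return failures, drops

# Constructed sample data: a wiped server with a note dropped in its place.
SNAPSHOT = {
    "customers": {},
    "README_EXAMPLE": {"README_EXAMPLE": [
        {"msg": "YOUR DBS ARE ENCRYPTED. SEND 0.5 BTC TO THIS ADDRESS", "mail": "x@example.com"}]},
}
LOG_LINES = [  # constructed; 203.0.113.0/24 is a documentation range
    "2017-01-05T10:00:01.000+0000 I ACCESS   [conn41] SCRAM-SHA-1 authentication failed for admin on admin from client 203.0.113.9:51022 ; AuthenticationFailed",
    "2017-01-05T10:00:02.000+0000 I ACCESS   [conn42] SCRAM-SHA-1 authentication failed for root on admin from client 203.0.113.9:51023 ; AuthenticationFailed",
    "2017-01-05T10:00:09.000+0000 I COMMAND  [conn43] command customers.$cmd command: dropDatabase { dropDatabase: 1 } 120ms",
    "2017-01-05T10:00:10.000+0000 I NETWORK  [conn44] end connection 203.0.113.9:51024 (2 connections now open)",
]

if __name__ == "__main__":
    print(find_ransom_notes(SNAPSHOT))
    print(audit_log(LOG_LINES))
```

Run it against a real export of your own databases and your mongod log; a drop recorded shortly after a burst of failed logins from one address is exactly the pattern to look for before deciding whether anything was ever copied.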