Hacking groups are breaking into thousands of systems running MongoDB database software, copying and then deleting their contents. The groups are demanding between $180 and $900 worth of Bitcoin to return the data, but paying the ransom doesn’t guarantee that the databases will be restored.
It is now estimated that around 27,000 internet-connected MongoDB systems have been compromised. The attackers are targeting instances that are reachable from the internet with no authentication enabled on the administrator account, so anyone who can connect gets full access to the data; around 99,000 systems are thought to be in that state.
The attacks started on December 20, when a hacker copied information from one of these open databases, deleted the original content, and left a ransom note in its place. The first attacks asked for 0.2 Bitcoin (around $181), but the price rose in later incidents; one group reportedly demanded a full bitcoin, around $905.
Worst of all, security researchers Niall Merrigan and Victor Gevers say that some of the groups aren’t even making copies of the deleted data. The hackers are simply erasing everything and leaving ransom notes, which means the companies won’t get their databases back even if they do hand over the Bitcoins.
Furthermore, so many groups (possibly eight) are compromising MongoDB systems that the same databases are being re-hacked, with one team’s ransom note replaced by another’s. As a result, companies have no idea which group (if any) holds their data or to whom they should pay the Bitcoin.
"Right now it's bedlem [sic]," Merrigan told Bleeping Computer yesterday, "attackers are deleting each others' ransoms as quick as they pop up."
MongoDB’s developers have responded to the attacks by updating the software’s security guide.
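The two conditions behind this wave are a mongod that listens on every interface and one that never enforces authorization. The following audit script is an added example, not code from the article or from MongoDB: it reads a mongod.conf, flags those two settings, and shows a constructed weak configuration next to a hardened one. The addresses, paths and the `parse_simple_yaml` helper are assumptions made for the example; a real audit should load the file with a proper YAML library.

```python
"""Audit a mongod.conf for the two settings exploited in the 2017 ransom wave:
a listener reachable from everywhere and no authorization enforced.
Added example; configs below are constructed, not taken from any real host."""


def parse_simple_yaml(text):
    """Parse the indentation-based mapping subset of YAML that mongod.conf uses
    (nested mappings and scalar values only; no lists, anchors or quoting).
    Hand-rolled so the example runs without PyYAML; an assumption for this
    example, not a general YAML parser."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs; root can never be popped
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":  # "key:" with nothing after it opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf):
    """Return a list of findings; an empty list means neither weakness is present."""
    findings = []
    net = conf.get("net", {})
    bind_ip = net.get("bindIp", "")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif not bind_ip:
        # Before 3.6 the mongod binary bound to all interfaces unless told otherwise.
        findings.append("net.bindIp unset: pre-3.6 mongod listens on every interface")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp includes 0.0.0.0 or ::: reachable from every interface")
    security = conf.get("security", {})
    if security.get("authorization", "disabled") != "enabled":
        # authorization defaults to disabled, so a missing section is as bad as "disabled".
        findings.append("security.authorization not enabled: anyone who can connect has full access")
    return findings


# Constructed example of the kind of deployment that was hit: no security section at all.
WEAK_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
"""

# Constructed hardened counterpart: loopback plus one private address, authorization on.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a made-up internal address
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def audit_text(text):
    """Convenience wrapper: parse a config string and audit it."""
    return audit(parse_simple_yaml(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_text(text) or ["no findings"])
```

Enabling authorization only helps if a user has actually been created; the first administrative user is added through the localhost exception after `security.authorization: enabled` is set, and the listener should still be fenced off with a host or network firewall.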