MongoDB: Hackers Wipe MongoDB Databases and Leave Ransom Notes in Active Attacks

MongoDB Ransomware Campaign Resurfaces, Targeting Thousands of Exposed Databases

A resurgent ransomware campaign is exploiting misconfigured MongoDB databases worldwide, with attackers automating attacks to wipe data and demand Bitcoin payments. The threat, which first emerged between 2017 and 2021, has never fully disappeared. Security researchers confirmed its persistence in late 2025 after deploying honeypot servers that were compromised within days.

The attack targets internet-exposed MongoDB instances lacking authentication, typically listening on port 27017. Threat actors use automated scripts to scan for vulnerable databases, copy their contents, wipe all data, and leave a ransom note demanding roughly $500 USD in Bitcoin within 48 hours. Analysis of 200,000 publicly discoverable MongoDB servers revealed that 3,100 were fully exposed without authentication, with 1,416 already compromised. Nearly all ransom notes referenced one of five Bitcoin wallets, with a single address linked to over 98% of attacks, pointing to a dominant threat actor.

Security experts warn against paying ransoms, as victims frequently receive no data back; attackers often fail to retain the stolen data. Despite this, the campaign’s potential revenue could reach $842,000 USD if even a fraction of demands are met. Dark web forums host tutorials promoting the attack as a low-effort income source, while insecure MongoDB configurations in container images (including 763 on Docker Hub and GitHub) and leaked credentials (8,954 validated) further fuel the threat. The persistence of these vulnerabilities highlights ongoing risks from poor deployment practices.
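The two conditions the article names as the attack vector, an instance with no authentication that listens on a public interface at port 27017, are both visible in a server's mongod.conf. The following Python script is an added example, not code from the article or from Rankiteo: it audits a mongod.conf for those two settings and reports findings. The two sample configurations and the minimal YAML parser are constructed for this example (the parser covers only the indented `key: value` subset that mongod.conf normally uses, so it needs no third-party library).

```python
"""Audit a mongod.conf for the two misconfigurations the wiper campaign relies
on: authorization not enforced, and a listener bound to every interface.
The sample configs below are constructed for this example, not taken from any
real deployment."""

# Constructed sample: the weak shape the article describes (public bind, no auth).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
# security section absent: authorization defaults to disabled
"""

# Constructed sample: the hardened shape (auth enforced, loopback-only bind).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Bind addresses that expose the listener on all interfaces.
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text):
    """Minimal indent-based parser for the `section:` / `  key: value` subset of
    YAML used by mongod.conf. Returns {section: {key: value}} with string values.
    Comments (`#`) and blank lines are ignored; deeper nesting is not supported."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split on the FIRST colon only
        value = value.strip()
        if indent == 0:
            section = key
            result.setdefault(section, {})
            if value:  # top-level scalar such as "port: 27017" in older configs
                result[section] = value
        elif section is not None and isinstance(result[section], dict):
            result[section][key] = value
    return result


def audit_conf(text):
    """Return a list of human-readable findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings = []

    # Check 1: role-based access control must be switched on explicitly.
    security = conf.get("security", {})
    if not isinstance(security, dict) or security.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': any client that can "
                        "reach the port can read, dump and drop every database")

    # Check 2: the listener must not be bound to every interface.
    net = conf.get("net", {})
    if not isinstance(net, dict):
        net = {}
    port = net.get("port", "27017")  # MongoDB's default port
    if net.get("bindIpAll", "").lower() == "true":
        findings.append(f"net.bindIpAll is true: port {port} is reachable on every interface")
    # Assumption: bindIp defaults to localhost (MongoDB's documented default since 3.6).
    binds = {b.strip() for b in net.get("bindIp", "127.0.0.1").split(",")}
    exposed = sorted(binds & PUBLIC_BINDS)
    if exposed:
        findings.append(f"net.bindIp includes {', '.join(exposed)}: port {port} is "
                        "reachable on every interface, which is what the campaign's scanners look for")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or ['no findings']}")
```

Running the script prints two findings for the weak configuration and none for the hardened one. Binding to loopback alone is only appropriate for a single-host deployment; where application servers must reach the database, the bind list should name the private interface and a firewall or security group should restrict port 27017 to those hosts, with authorization still enabled.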

Source: https://cyberpress.org/wipe-mongodb-databases/

MongoDB cybersecurity rating report: https://www.rankiteo.com/company/mongodbinc

"id": "MON1770164849",
"linkid": "mongodbinc",
"type": "Ransomware",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology, various',
                        'location': 'Worldwide',
                        'type': 'Database service providers'}],
 'attack_vector': 'Exposed MongoDB databases without authentication',
 'data_breach': {'data_encryption': 'No (data wiped, not encrypted)',
                 'data_exfiltration': 'Yes',
                 'type_of_data_compromised': 'Database contents'},
 'date_detected': '2025',
 'description': 'A resurgent ransomware campaign is exploiting misconfigured '
                'MongoDB databases worldwide, with attackers automating '
                'attacks to wipe data and demand Bitcoin payments. The threat, '
                'which first emerged between 2017 and 2021, has never fully '
                'disappeared. Security researchers confirmed its persistence '
                'in late 2025 after deploying honeypot servers that were '
                'compromised within days.',
 'impact': {'data_compromised': 'Data wiped and copied before ransom demand',
            'financial_loss': 'Potential revenue of $842,000 USD if ransoms '
                              'are paid',
            'operational_impact': 'Data loss and disruption of database '
                                  'services',
            'systems_affected': '3,100 fully exposed MongoDB servers without '
                                'authentication, 1,416 already compromised'},
 'initial_access_broker': {'entry_point': 'Exposed MongoDB instances on port '
                                          '27017'},
 'lessons_learned': 'Persistence of vulnerabilities due to poor deployment '
                    'practices, risks of exposed databases without '
                    'authentication, and inefficacy of paying ransoms.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Secure configurations, '
                                                  'enforce authentication, '
                                                  'restrict database exposure, '
                                                  'and monitor for '
                                                  'vulnerabilities',
                            'root_causes': 'Misconfigured MongoDB databases, '
                                           'lack of authentication, exposed '
                                           'ports, insecure container images, '
                                           'and leaked credentials'},
 'ransomware': {'data_encryption': 'No',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$500 USD in Bitcoin'},
 'recommendations': 'Secure MongoDB configurations, enforce authentication, '
                    'avoid exposing databases to the internet, and refrain '
                    'from paying ransoms.',
 'references': [{'source': 'Security researchers (honeypot servers)'},
                {'source': 'Dark web forums'}],
 'threat_actor': 'Dominant threat actor (single Bitcoin address linked to over '
                 '98% of attacks)',
 'title': 'MongoDB Ransomware Campaign Resurfaces, Targeting Thousands of '
          'Exposed Databases',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Misconfigured MongoDB instances lacking '
                            'authentication, typically listening on port 27017'}