Automated Ransom Attacks Target Exposed MongoDB Instances
A threat actor is conducting automated data extortion attacks against misconfigured MongoDB databases, compromising around 1,400 exposed servers and demanding ransoms of approximately $500 in Bitcoin to restore deleted data. These attacks, reminiscent of a surge in similar incidents prior to 2021, exploit poorly secured instances with unrestricted access.
Researchers at Flare identified 208,500 publicly exposed MongoDB servers, with 3,100 accessible without authentication. Nearly 46% of these unsecured databases had already been wiped and replaced with ransom notes, most demanding 0.005 BTC (≈$500–600) within 48 hours. Analysis revealed that 98% of ransom notes used the same Bitcoin wallet address, suggesting a single attacker behind the campaign. While the threat actor claims to restore data upon payment, there is no guarantee they retain the information or will provide decryption keys.
Beyond authentication flaws, nearly 95,000 exposed instances were found running outdated MongoDB versions vulnerable to known exploits, though most of those flaws allow denial of service rather than remote code execution. The count of servers that appeared intact may also understate the campaign's reach: some of them may already have been hit and paid the ransom, which would explain why they appeared uncompromised during Flare's investigation.
The findings underscore the risks of improperly secured MongoDB deployments, particularly those left publicly accessible without strong authentication or network restrictions.
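As an added illustration of the misconfiguration behind these incidents (this is not code from Flare or from the MongoDB project), the audit below checks a mongod.conf that has been loaded into a dict (the shape `yaml.safe_load` produces) for the two settings that together make an instance a candidate for this kind of wipe-and-ransom campaign: listening on all interfaces and leaving `security.authorization` off. Both sample configurations are constructed for the example.

```python
"""Audit a mongod.conf for the exposure pattern behind these incidents:
reachable from any interface with no authorization enabled.
The config is expected as a dict, e.g. yaml.safe_load(open('/etc/mongod.conf'))."""
from typing import Any

# Constructed sample: the exposed pattern (all interfaces, no 'authorization'
# key at all, which mongod treats as 'disabled').
EXPOSED_CONF: dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed sample: the hardened pattern (loopback plus one internal address,
# authorization enabled so every client must authenticate).
HARDENED_CONF: dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
}

ALL_INTERFACES = ("0.0.0.0", "::")


def bound_addresses(net: dict[str, Any]) -> list[str]:
    """Addresses mongod will listen on: bindIp is a comma-separated string,
    and bindIpAll: true overrides it."""
    if net.get("bindIpAll") is True:
        return ["0.0.0.0"]
    raw = net.get("bindIp", "127.0.0.1")  # mongod default is localhost only
    items = raw if isinstance(raw, list) else str(raw).split(",")
    return [str(a).strip() for a in items if str(a).strip()]


def audit(conf: dict[str, Any]) -> list[str]:
    """Return findings, most severe last; an empty list means neither weakness is present."""
    net = conf.get("net") or {}
    security = conf.get("security") or {}
    public = any(a in ALL_INTERFACES for a in bound_addresses(net))
    no_auth = security.get("authorization") != "enabled"
    findings: list[str] = []
    if public:
        findings.append("net.bindIp/bindIpAll: listens on all interfaces")
    if no_auth:
        findings.append("security.authorization: not enabled; anonymous clients get full access")
    if public and no_auth:
        findings.append("CRITICAL: unauthenticated and reachable from outside; matches the wipe-and-ransom pattern")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Network-level restrictions (firewall rules, private subnets) are the other half of the fix and are not visible in mongod.conf, so a clean audit here is necessary but not sufficient.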
MongoDB cybersecurity rating report: https://www.rankiteo.com/company/mongodbinc
UNKNOWN LABS® cybersecurity rating report: https://www.rankiteo.com/company/unknownlabs
"id": "MONUNK1769964108",
"linkid": "mongodbinc, unknownlabs",
"type": "Ransomware",
"date": "1/2021",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organizations with exposed MongoDB instances'}],
 'attack_vector': 'Exposed MongoDB instances with unrestricted access',
 'data_breach': {'data_encryption': 'Data deleted, not encrypted',
                 'data_exfiltration': 'No evidence of data exfiltration (only deletion and ransom notes)',
                 'type_of_data_compromised': 'Database contents (unspecified)'},
 'description': 'A threat actor is conducting automated data extortion attacks against misconfigured MongoDB databases, compromising around 1,400 exposed servers and demanding ransoms of approximately $500 in Bitcoin to restore deleted data. These attacks exploit poorly secured instances with unrestricted access.',
 'impact': {'data_compromised': 'Data deleted and replaced with ransom notes',
            'operational_impact': 'Data loss and potential business disruption',
            'systems_affected': '1,400 exposed MongoDB servers'},
 'initial_access_broker': {'entry_point': 'Exposed MongoDB instances'},
 'lessons_learned': 'Risks of improperly secured MongoDB deployments, particularly those left publicly accessible without strong authentication or network restrictions.',
 'motivation': 'Financial gain (data extortion)',
 'post_incident_analysis': {'corrective_actions': 'Implement authentication, restrict public access, update MongoDB versions, and monitor for vulnerabilities.',
                            'root_causes': 'Misconfigured MongoDB databases (lack of authentication, outdated versions, public exposure)'},
 'ransomware': {'data_encryption': 'No (data was deleted, not encrypted)',
                'data_exfiltration': 'No evidence of data exfiltration',
                'ransom_demanded': '0.005 BTC (~$500–600)'},
 'recommendations': 'Secure MongoDB instances with authentication, restrict public access, and update to the latest versions to mitigate known vulnerabilities.',
 'references': [{'source': 'Flare'}],
 'threat_actor': 'Single attacker (based on identical Bitcoin wallet address in ransom notes)',
 'title': 'Automated Ransom Attacks Target Exposed MongoDB Instances',
 'type': 'Ransomware',
 'vulnerability_exploited': 'Misconfigured MongoDB databases (lack of authentication, outdated versions)'}