Mongo Lock: The attack that deletes MongoDB databases

Share this…



The attack has already generated revenues for the hackers

Ethical hacking Specialists report that an attack called “Mongo Lock” targets accessible and unprotected MongoDB databases, eliminating their content, and then demanding a ransom to get back the deleted content.

Even though this is a recently deployed campaign, this type of attack is not new and MongoDB databases have been a favorite target for hackers for a while. These attackers operate by scanning online with services like the Shodan search engine to find MongoDB servers without protection. Once connected, attackers can export the databases, delete them, and then create a ransom note explaining how to retrieve the databases.

Bob Diachenko, the ethical hacking expert who discovered the Mongo Lock campaign, claims that attackers get into unprotected databases and eliminate them. In its place, attackers will leave a new database called “Warning” with a collection within it called “ReadMe”.

The ReadMe collection contains a note explaining that the database has been encrypted and that the victims must pay a ransom to retrieve it. In the Mongo Lock campaign the attackers do not leave an online wallet address of Bitcoin, but they instruct the victim to communicate with them by email.

In the ransom note of the attack Mongo Lock attack it can be read:

“Your database was encrypted by ‘Mongo lock’. If you want to retrieve your information, you must pay 0.1 Bitcoin. Do not delete ‘Unique_KEY’ and store it in a safe place, without it we will not be able to help you. Send an email: to decrypt your data”.

Other variants of the attack will show the Bitcoin address to be used for payment before contacting attackers via the included email.

Despite the fact that the ransom note claims that the attackers are exporting the database before eliminating it, experts in ethical hacking agree that it is not possible to affirm whether they are indeed doing so.

The victims are paying for the ransom

Searching for some of the Bitcoin addresses used in MongoDB recent attacks, it has been possible to verify that the victims have been paying for the rescue of their databases.

For example, the Bitcoin address 3FAVraz3ovC1pz4frGRH6XXCuqPSWeh3UH, which has been used frequently in recent days, has received 3 ransom payments for a total of 1.8 units of Bitcoin. This is equivalent to a little over $11k USD, according to the current value of this digital currency.

Scripts don’t always work

According to the ethical hacking specialist, apparently the attackers are using a script that automates the process of accessing a MongoDB database, then possibly exporting it, eliminating the database and then creating the ransom note.

However, Diachenko has realized that this script sometimes fails and the data is still available for the user, even if the user has been sent the ransom note.

Secure a MongoDB database properly

These attacks are possible because MongoDB databases can be accessed remotely and do not have sufficient security measures, the good news is that attacks can be prevented by simply implementing appropriate security measures in a MongoDB database.

The company has published on its website a guide to provide a database with the correct protection; Experts in ethical hacking from the International Institute of Cyber Security mention that the most important steps to protect a MongoDB implementation are the establishment of an authentication step, and the restriction of remote access to the database.