Over 28,000 weak MongoDB databases are currently being held to ransom by hackers
Attacks spiked from 12,000 to 27,000 in a single day, experts have warned.
Tens of thousands of misconfigured online databases have been hijacked and are being held for ransom by hackers, each demanding Bitcoin (Btc) payments for the data to be fully restored.
According to two security researchers, Victor Gevers and Niall Merrigan, the scheme has compromised at least 28,000 databases hosted on an open-source platform called MongoDB. In each instance, the hackers are demanding between 0.2 Btc (£150) and 1 Btc (£752) in ransom.
The popularity of this method of attack appears to be rising quickly. Merrigan, who is a Norway-based security expert, tweeted the ransoms recently spiked from 12,000 to over 27,000 in the space of a single day.
The hackers – with codenames such as Harak1r1, Kraken0, and 0wn3d – are scanning the web using Shodan for databases connected to the internet without adequate password protection. The dozen, or so, hackers are preying on weak files, extracting the information and demanding cryptocurrency in return.
According to the researchers, who are compiling all their findings into a working spreadsheet, databases have been renamed to 'Please Read', 'Contact me' or 'Pwned, secure your stuff silly'. Additionally, like the more traditionalT form of email-based ransomware attack, messages are being inserted into the file about how to pay the fee.
One reads: "Your database has been pwned because it is publically accessible at port 27017 with no authentication (wtf were you thinking?). Your data has been dumped (with data types preserved), and is easily restoreable [sic].
"To get your data back, email the supplied email after sending 0.15BTC to the supplied Bitcoin wallet, do this quickly as after 72 hours your data will be erased (if an email is not sent by then). We will get back to you within 2 days. All of your data will be restored to you upon payment."
One of the most active culprits, based on the researchers' spreadsheet, is Kraken0, a hacker who has reportedly compromised over 16,000 victims at the time of writing. This is followed by Harak1r1, who has claimed 4,174 and then 3lix1r who has accessed 3,304.
The victims do not appear to follow a pattern, instead it seems the hackers are taking a scattergun approach to targeting. While no firms are directly named, website sectors range from online media to financial services to internet gambling. A number appear to have paid the ransom demand.
However, the researchers warn there is no guarantee the hackers will keep their own promises and some of the cybercriminals have reportedly been deleting entire databases without second thought.
"I am getting negative feedback from victims who pay the Kraken group and get no email response. 12 victims complained yesterday," Gevers told Bleeping Computer.
Meanwhile, speaking to IBTimes UK, Merrigan said: "Each group we have found has a number of Bitcoin (BTC) addresses where you can see if payments were received. In some cases we have reports of people paying but they didn't get their files back."
Andreas Nilsson, MongoDB's director of product security, has addressed the issue directly by publishing a blog post with advice on how to better secure databases on the platform. "These attacks are preventable with the extensive security protections built into MongoDB," he wrote.
The attacks, due to the rise of so-called "copycat" hacks, show no sign of slowing. Asked if the number of compromised databases remains on the rise, Merrigan told IBT: "Very much so."
© Copyright IBTimes 2024. All rights reserved.