Home Security
PC Matic
PC Matic VPN
More Products
Support Unlimited
Identity Theft Protection
PC Magnum
Threat Awareness
How PC Matic Protects You
SuperShield Whitelist
Compare PC Matic
Norton
McAfee
Avast
AVG
Business Protection
PC Matic Pro
PC Matic MSP
Solutions
Allowlisting
Script Enforcement
Device Control
Patch Management
Remote Tools
Integrations
Server Security
Learn More
Resellers
Affiliates
Resources
Case Studies
Compare PC Matic Pro
ThreatLocker
Airlock Digital
VMware Carbon Black
AppLocker
For Federal
Partner Programs
Managed Service Providers
Channel Partners
Affiliate Partners
OEM Partners
Resource Center
All Resources
Case Studies
Data Sheets
User Guides
White Papers
Blog Resources
PC Matic Blog
Business Security
Home Security
Cyber News
Scam Alerts
Customer Service
Home Support
Business Support
Learn More
Getting Started
Knowledgebase
Tech Support Scams
Fake Virus Scams
Tools & More
Ransomware Center
Internet Speed Test
PC Matic
About
Careers
Learn More
Industry Recognition
Leadership
Commercials
Stay Up-to-Date
Newsroom
Blog
Events
TechTalk Podcast
Home Customers
My Account
PC Matic App
Add a Device
Renew Subscription
Business Customers
Business Login
Business Support
Search
Computer Virus Software

The Latest Ransomware Craze – Holding MongoDB Databases Hostage

As if our jobs as IT admins isn’t difficult enough, hackers have taken to finding misconfigured MongoDB databases, and are holding them hostage, until a ransom has been paid. Similar to traditional ransomware, where files on a computer are encrypted until a fee has been paid, databases, are being held hostage, instead.

The modus operandi is the hackers look for open ports, particularly 27017, and find MongoDB instances where security settings, such as usernames and passwords, are not set properly. Once they find the database, they back it up to their own servers, but then delete it on your server. Afterwards, they create a replacement database with names like “CONTACTME” or “PLEASE_READ.” In the ransom notes left behind, the hacker states they have saved all of the data, and if the victim wants to recover the data, they would need to send Bitcoins, an anonymous online currency, to a specific Bitcoin wallet. Once the victim pays the ransom, the victim would send an email to the hacker with their IP address. Afterwards, the hacker would restore the data.

Unfortunately, this threat doesn’t appear to be a one-off situation. Princeton University recently became a victim of one of the 27,000 MongoDB ransomware attacks. In their case, the database instance was wiped, and a replacement database, called PLEASE_READ, was left behind. The hacker was requesting .2 BTC, or roughly $160.58. This seems like a low price to pay for having the data restored, however, in many instances, the hackers actually do not return the data.

For those of us who run MongoDB instances, please see this article on how to avoid ransom attacks. More specifically, the Security Checklist, written by MongoDB, states you should follow these best practices

  • Enable Access Control and Enforce Authentication
  • Configure Role-Based Access Control
  • Encrypt Communication
  • Encrypt and Protect Data
  • Limit Network Exposure
  • Audit System Activity
  • Run MongoDB with a Dedicated User
  • Run MongoDB with Secure Configuration Options
  • Request a Security Technical Implementation Guide (where applicable)
  • Consider Security Standards Compliance

Stay safe out there!

Stop Responding to Threats.
Prevent Them.

Get Protected

Want to get monthly tips & tricks?

Subscribe to our newsletter to get cybersecurity tips & tricks and stay up to date with the constantly evolving world of cybersecurity.

Related Articles