Number of MongoDB ransom attacks peaked 27,000 in a day

Pierluigi Paganini January 09, 2017

According to the Australian Communications and Media Authority Antipodes the number of hacked MongoDB databases more than double to 27,000 in just a day.

MongoDB ransom attacks soar, according to the Australian Communications and Media Authority Antipodes the number of hacked systems more than double to 27,000 in just a day. According to the experts, the hackers are implementing an extortion mechanism copying and deleting data from vulnerable databases.

Crooks request the payment of a ransom in order to return data and help the company to fix the flaw they exploited. Last week I reported the story of a mysterious attacker that goes online with the harak1r1 moniker, he is breaking into unprotected MongoDB databases, stealing their content, and requesting for a 0.2 bitcoins (US$184) ransom to return the data.bitcoins (US$184) ransom to return the data.

The attacks were discovered by the Co-founder of the GDI Foundation, Victor Gevers, who warned of poor security for MongoDB installations in the wild. The security expert has discovered 196 instances of MongoDB that were wiped by Harak1r1 and being held for ransom.

The analysis of the Bitcoin wallet used by Harak1r1 revealed that at least 22 victims appeared to have paid.


According to the security researcher Niall Merrigan the number of attacks have soared from 12,000 earlier today to 27,633 in just 12 hours. According to the expert the attacks were powered by at least 15 different actors. One of the attackers goes online with the moniker ‘kraken0’ has compromised 15,482 MongoDB databases demanding victims the payment of 1 bitcoin ($US921).

The researcher is collecting information on the attacks including information provided by Victor Gevers.

The Australian Communications and Media Authority Antipodes is monitoring exposed MongoDB installations since July 2015 using intelligence provided by the ShadowServer nonprofit.

The organization reports about 400 exposed MongoDB databases a day to 90 percent of Australia’s network providers via the Australian Internet Security Initiative (AISI).


AISI statistics on Exposed MongoDB published by ElReg

Stay tuned …


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MongoDB databases , hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment