Exposed MongoDB installs being erased, held for ransom


Security researcher Victor Gevers, co-founder of , a non-profit dedicated to making the internet safer, is urging administrators to check their MongoDB installations, after finding nearly two hundred of them wiped and being held for ransom.

On Monday morning, Gevers said he’d discovered 196 publicly exposed MongoDB installations that had been erased and were being held for ransom. UPDATE: The count as of 4:00 p.m.

The person behind the attacks is demanding 0.2 BTC ($202.89) as payment, and requiring that system administrators email proof of ownership before the files are restored. Those without backups are left in a bind.

Gevers has sent dozens of notifications to affected victims and to at least two requests for assistance after administrators learned of the issue.


If so, then administrators are caught in the middle of a rat race between Gevers and “Harak1r1” – the person responsible for the attacks. Asked for his thoughts and advice, Gevers shared the notification letter he is sending to identified victims.

In it, he advises that they protect their MongoDB installs by blocking access to port 27017 or by limiting access to the server by binding to local IPs. Administrators can also choose to restart the database with the “--auth” option, after they’ve assigned users access.
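The two settings from the letter can be checked directly in a `mongod.conf` file. The following is an added example, not from the original article or from Gevers' letter: it assumes the YAML config-file keys `net.bindIp`, `net.bindIpAll` and `security.authorization` (the file equivalent of `--auth`), and the function names and both sample configs are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (not taken from any real host).
WEAK = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface
"""
HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled   # config-file form of --auth
"""

def parse_conf(text):
    """Read the 'section:' / '  key: value' subset of YAML; deeper nesting is ignored."""
    conf, section, child_indent = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section, child_indent = key, None
        elif section:
            child_indent = child_indent or indent
            if indent == child_indent:
                conf[f"{section}.{key}"] = value.strip().strip("'\"")
    return conf

def is_wildcard(addr):
    try:
        return ipaddress.ip_address(addr).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        return False  # hostname such as "localhost", or an empty entry

def audit(text):
    """Return findings for the two settings named in the notification letter."""
    conf, findings = parse_conf(text), []
    binds = [b.strip() for b in conf.get("net.bindIp", "").split(",")]
    if conf.get("net.bindIpAll", "").lower() == "true" or any(map(is_wildcard, binds)):
        findings.append("bind-all-interfaces")
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("auth-disabled")
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, "port", parse_conf(text).get("net.port", "27017"), audit(text))
```

A config with no `bindIp` line is not flagged for binding, because the listening default depends on the MongoDB version and packaging; confirm the actual listening address on the host in that case.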

In addition, he offers the following tips:

. Most of these installations were insecure and publicly available, and combined stored nearly 700TB of data.

Configuration errors in MongoDB have led to a number of major data breaches, including that exposed 3.3 million people.

A short time later, CSO Online was the first to report on the existence of an exposed MongoDB that with the help of researcher Chris Vickery and

This was followed by a week later. Last April, a poorly configured MongoDB installation exposed the .

MongoDB is a favorite among some IT professionals, but if it isn’t configured properly and secured, this popular platform can be the source of a lot of pain within an organization. The official , and administrators are encouraged to follow it completely.

This story, “Exposed MongoDB installs being erased, held for ransom” was originally published by