From malware and botnets to the latest cybercriminal schemes, check out what today’s black hat hackers are up to.

Blog > Cybercrime > MongoDB Ransomers Overwriting Each Others’ Notes, Leaving Admins with No Options

MongoDB Ransomers Overwriting Each Others’ Notes, Leaving Admins with No Options


Open MongoDB database servers with default settings have been a source of stress for security teams for well over a year. These vulnerable databases can result in breaches affecting millions of people. Though administrators have been warned to secure these servers, the lack of doing so has resulted in tens of thousands of open MongoDB servers that have been open and ripe for abuse for months.

However, a new development appears to have shifted the landscape significantly. On approximately January 6, 2017, evidence appeared that bad actors were attempting to ransom the data on MongoDB servers, as the completely unsecured servers allow data to be written as well as read. Over the past several days, it appears that additional bad actors have jumped into the fray and started overwriting other ransom notes with their own ransom notes. The result of all of this is a catastrophic volume of global data loss.

According to open-source research on unsecured MongoDB databases, a minimum of 20,000 servers are affected — and likely many more. Servers that previously hosted gigabytes of data as well as many databases now contain nothing but a ransom note, and paying that ransom is unlikely to return the data.

This landmark event is something that all administrators need to understand as a case study for why security vulnerabilities need to be taken seriously. The vulnerabilities themselves may or may not be cause for concern. But, when the vulnerability can be abused by a criminal, the issue very rapidly turns from an academic argument into a global incident.

About the author: Allison Nixon

Allison Nixon is the Director of Security Research at Flashpoint. She has been a background source for numerous investigations and articles that focus on the post-breach issue of "who dunnit?". Allison performs original threat research and specializes in DDoS attribution, cybercrime attribution, criminal communities, and answering questions that people have not yet thought to ask. In 2013, she spoke at Black Hat about bypassing DDoS protection. In 2014, she released a paper detailing methods for vetting leaked data. In October 2016, her findings placed her at the forefront of the Mirai botnet DDoS attacks against Dyn DNS. In her spare time she grows tomatoes and makes puns.

About the author: Zach Wikholm

Zach Wikholm is a Research Developer at Flashpoint, where he specializes in information security and Internet of Things (IoT) risk analysis. Driven by lifelong interests in cyber threat research, emergent malware, and all things open-source (especially Linux), Zach has built a career around designing custom systems to help organizations achieve the optimal balance between security and usability. Prior to Flashpoint, Zach’s extensive experience in security engineering and IT consulting led to his role managing all internal security and network infrastructure operations as the Director of Security at