MongoDB Ransomers Overwriting Each Other's Notes, Leaving Admins with No Options
MongoDB servers left on their default settings, with no authentication enabled and the service reachable from the internet, have been a source of stress for security teams for well over a year. Breaches of such databases can expose the records of millions of people. Administrators have repeatedly been warned to lock these servers down, yet tens of thousands of MongoDB instances have stayed open, and ripe for abuse, for months.
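To make concrete what "default settings" means in practice, here is a pair of mongod.conf fragments (YAML format, mongod 2.6 and later), added as an example and not taken from the article or from any of the affected servers. The first is the exposed configuration; the second is the hardened one. The data path, port, and the private address 10.0.0.5 are assumptions for illustration.

```yaml
# Added example, not part of the original article. Two mongod.conf documents
# separated by "---". Paths and addresses are assumed for illustration.

# --- Exposed: the state of the servers described in the article ---
# There is no "security" section, so authorization is off: any client that can
# reach the port may read, write, and drop every database with no credentials.
# bindIp 0.0.0.0 puts that port on every interface, including the public one
# (older packages shipped this binding as the default).
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0

---
# --- Hardened: the same server, no longer writable by the whole internet ---
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  # Listen only where legitimate clients are: localhost plus, if needed, the
  # private address of the application network. Never 0.0.0.0 on an
  # internet-facing host. 10.0.0.5 is an assumed private address.
  bindIp: 127.0.0.1,10.0.0.5
security:
  # Every client must authenticate, and each role limits what it may touch.
  # Enable this after creating the first administrative user (see note below).
  authorization: enabled
```

Create the first administrative user before turning on `security.authorization`, from a connection on the server itself (MongoDB's localhost exception allows this first user to be created even after authorization is enabled, as long as no user exists yet): in the `mongo` shell, `use admin` followed by `db.createUser({user: "admin", pwd: "<strong password>", roles: ["userAdminAnyDatabase"]})`, where the user name and password are placeholders. After restarting mongod, verify from a host outside the private network that `mongo --host <public address> --eval 'db.adminCommand("listDatabases")'` is either refused at the network layer or rejected as unauthorized; if it returns a database list, the server is still open. The bind restriction and the authorization requirement are independent controls, and both are needed: a firewall misconfiguration should not be enough, on its own, to turn the server back into the state described above.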
In early January 2017 the landscape shifted significantly. On approximately January 6, 2017, evidence appeared that bad actors were ransoming the data on open MongoDB servers: because these servers accept unauthenticated writes as well as reads, an attacker can copy or simply drop the databases and leave a ransom note in their place. Over the following days additional actors joined in and began overwriting earlier ransom notes with their own. Since each later actor removes the previous note, a victim often cannot even tell who, if anyone, holds a copy of the data. The result is a catastrophic volume of global data loss.
According to open-source research on unsecured MongoDB databases, a minimum of 20,000 servers are affected, and likely many more. Servers that previously hosted gigabytes of data across many databases now contain nothing but a ransom note, and paying that ransom is unlikely to return the data: the actor whose note is currently on the server may never have taken a copy in the first place, having only overwritten someone else's note.
This landmark event is a case study that every administrator needs to understand in order to see why security vulnerabilities must be taken seriously. A given weakness may or may not look like cause for concern in isolation. But once a criminal can abuse it at scale, the issue turns very rapidly from an academic argument into a global incident.