By Tim Greene
Jan. 12, 2017
It took less than a week for criminals to drain virtually all publicly exposed MongoDB servers of their data, and now a second tier of opportunistic thieves is trying to walk off with the ransom.
When attackers initially deleted the data, sometimes terabytes at a time, they left ransom notes demanding payments in bitcoin.
In the meantime, other thieves have come along to these still-insecure servers, deleted the initial ransom notes and left their own. And sometimes after that, another thief came along and deleted that note and left yet another.
“There’s a fluctuation and shift in which ransom note is being displayed on the server at any given minute,” says Zach Wikholm, a research developer at Flashpoint.
Not that it matters, he says. The likelihood that any victim of these thefts will ever get their data back is miniscule. It’s relatively easy to find the vulnerable servers, pull down the data and delete it, but to do that and to store it would require time and enormous amounts of storage, he says.
It’s highly unlikely the thieves made that kind of investment. Instead they deleted the data and demanded payment to restore it. “There’s no hope for those who were compromised,” he says.
It didn’t’ take a large group to commit these crimes. “Pulling this off is within the ability of one person,” says Allison Nixon, Flashpoint’s director of security research. “Now there are multiple bad actors for sure. Opportunists is a good word.”
Niall Merrigan, a managing consultant at Capgemini, has been following this closely and chronicling the thefts on his Twitter account. He says more than 32,000 MongoDB servers have been hit.
This threat to public-facing MongoDB databases has been publicized for about a year, but only within the past week has anyone tried to cash in on the exposure in a big way, Nixon says.
Security researchers discovered the fact that these databases were exposed and unprotected and issued public warnings, but tens of thousands of admins in 90 countries paid no heed. “People saw it as a thing but not a particularly threatening thing,” Nixon says.
But then someone recognized the profit potential in the ransom scheme and everything changed. “It turns from an academic argument to a worldwide incident in literally days,” she says.
This situation is different from classic ransomware attacks in which attackers encrypt data, then demand payment for turning over the keys to decrypt. In this case, attackers removed the data from the servers altogether, no encryption involved, and it’s unlikely the data was ever saved anywhere, Wikholm says. It simply disappeared too fast for it to have been downloaded, and returning it would require an upload that would take days or in some cases weeks.