

Copycat Hackers Are Holding More Than 1,000 Databases for Ransom

Hackers have found yet another way to monetize the shitty security of internet users.

Someone has been hijacking and locking insecure databases running on the MongoDB open-source program, asking owners for money in return for their data back. Now, copycats are trying to do the same, scouring the internet for other vulnerable databases.

The first copycat hacker has so far taken control of almost 1,000 databases, but there are at least another four hackers trying the same tactic, according to a tally by security researchers, bringing the total number of hijacked databases to over 10,000.


"YOUR DBS ARE ENCRYPTED. SEND 0.5 BTC (BITCOIN) ~= 550USD, TO THIS BTC ADDRESS," reads the ransom message of the first copycat, who calls himself 0wn3d, according to Victor Gevers, the co-founder of the GDI Foundation, a non-profit organization that has the goal of making the internet safer, and one of the researchers who's tracking these attacks.

"Please STOP paying the ransom. There is no evidence that they actually copied your database. Get a local expert to have your log files checked." (Victor Gevers, January 5, 2017)

As of Friday morning, 0wn3d has made 2 bitcoin (around $2,000 at the current exchange rates) after four victims paid up, according to Bitcoin blockchain data. (A message to the email that the hacker left in their ransom messages was not returned).

Gevers has been working around the clock to track these attacks and help IT administrators secure their MongoDB database installations to avoid becoming victims.

"I have been helping some organisation (small and bleeping large) help locking down their databases," Gevers told Motherboard in a Twitter message. "I have helped 59 directly with SSH about 9 with information."


According to Gevers, 0wn3d actually doesn't steal the data, but simply creates a new database and drops the ransom note, erasing the old data.

"This actor does not have any data so paying ransom is a bad idea," Gevers told me.
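As an added illustration of the log check Gevers recommends (not code from the article, from Gevers or from MongoDB), the script below triages constructed, simplified mongod-style log lines: for each connection that dropped a database, it counts the documents that connection had read from that database beforehand, separating a possible copy from the drop-and-leave-a-note pattern described above. The log layout, connection ids and database names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed, simplified mongod-style log lines for this example; real mongod
# logs carry more fields and their layout varies by version.
SAMPLE_LOG = """\
2017-01-05T03:12:01.001+0000 I COMMAND  [conn41] command admin.$cmd command: listDatabases { listDatabases: 1 }
2017-01-05T03:12:01.120+0000 I COMMAND  [conn41] command shop.customers command: find { find: "customers" } nreturned:101
2017-01-05T03:12:01.300+0000 I COMMAND  [conn41] command shop.customers command: getMore { getMore: 77 } nreturned:8400
2017-01-05T03:12:02.010+0000 I COMMAND  [conn41] command shop.$cmd command: dropDatabase { dropDatabase: 1 }
2017-01-05T03:12:02.250+0000 I WRITE    [conn41] insert PLEASE_READ.README ninserted:1
2017-01-05T04:40:10.000+0000 I COMMAND  [conn58] command admin.$cmd command: listDatabases { listDatabases: 1 }
2017-01-05T04:40:10.200+0000 I COMMAND  [conn58] command billing.$cmd command: dropDatabase { dropDatabase: 1 }
2017-01-05T04:40:10.400+0000 I WRITE    [conn58] insert WARNING.README ninserted:1
"""

# timestamp, severity, component, [connN], then either a command on a
# namespace or a plain insert; nreturned is captured when present
LINE_RE = re.compile(
    r"^\S+ \w \w+\s+\[(?P<conn>conn\d+)\] (?:command (?P<ns>\S+) command: (?P<cmd>\w+)"
    r"|insert (?P<ins_ns>\S+))(?:.*?nreturned:(?P<nret>\d+))?"
)

def triage(log_text):
    """For every connection that issued dropDatabase, report how many documents
    it had read (find/getMore) from that database first. Reads before the drop
    are evidence the data may have been copied; a drop followed only by a
    single note insert means the attacker never had the data."""
    reads = defaultdict(int)   # (conn, db) -> documents returned so far
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = m.group("conn")
        if m.group("ins_ns"):            # a write after the drop: the ransom note
            if conn in result:
                result[conn]["note_inserted_into"] = m.group("ins_ns")
            continue
        db = m.group("ns").split(".", 1)[0]
        cmd = m.group("cmd")
        if cmd in ("find", "getMore"):
            reads[(conn, db)] += int(m.group("nret") or 0)
        elif cmd == "dropDatabase":
            n = reads[(conn, db)]
            result[conn] = {"dropped": db, "docs_read_before_drop": n,
                            "verdict": "possible copy" if n else "no copy seen",
                            "note_inserted_into": None}
    return result
```

Run against the constructed sample, conn41 shows 8,501 documents read before the drop (worth treating as a possible copy), while conn58 only dropped and wrote a note.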


In the last year, MongoDB databases, which are among the most popular database systems after Oracle, have been at the center of several leaks and data breaches, not because of a vulnerability or any particular exploit, but because earlier versions of the installation didn't require owners to set up credentials by default, leaving databases open to anyone who could reach them. Security researchers have found several MongoDBs containing sensitive information left exposed for all to see, such as the voter records of 191 million American voters, or credit card data of thousands of customers of a hotel chain.

MongoDB published a blog post on Thursday giving users advice on how to avoid becoming victims of this attack. Just like in the past, the company said there was no security issue with its software, and that it was users' responsibility to follow "security best practices" and use the software's "extensive security capabilities."

Gevers was also the one who discovered the original ransom attacks earlier this week, carried out by a hacker calling themselves Harak1r1, who was able to infect more than 8,000 databases as of Friday morning. Since then, companies and individuals have been reaching out for help, but the problem might get worse as copycats start cropping up.

"I am happy people are reaching out," Gevers said. "but also others [are] starting to look out for the ransacking ransom jobs."
