The two-year-old practice of ransacking MongoDB databases and requesting ransom payments is still very much active. It has been found that, apart from the original hacker groups, several new bad actors have started engaging in this practice known as MongoDB Apocalypse.
The first hacker group identified
The trend of ransom attacks targeting MongoDB servers first began in December 2016. It involved hacker groups searching for MongoDB databases left without a password. At the time, there were roughly 60,000 MongoDB databases exposed online, which gave the hackers plenty of targets to choose from.
The first hacker group involved in this activity went by the name Harak1r1. The practice peaked in the first half of 2017, when over 28,000 servers were ransacked in just two months.
Diversification in the attack
During the first wave of attacks, hackers downloaded data to their own systems, deleted it from the company's server and left a note behind asking for a ransom. The hackers soon devised new ways to trick victims into paying a ransom fee for their data.
Hackers also diversified beyond MongoDB and expanded their targets to other systems such as ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers.
Dutch security researcher Victor Gevers, who has been continuously tracking the MongoDB ransom attacks for the past two years, has spotted three new hacker groups, ZDNet reported.
These three groups managed to ransack nearly 3,000 MongoDB databases using the same old technique: connecting to databases left without a password, deleting the data and leaving a ransom note behind.
However, unlike the previous hackers, the new ones were less technically skilled and earned barely anything from their ransom demands.
Gevers told ZDNet that these groups are "more clumsy" than past hackers. "Most of the time they forget to delete the database," he added.
While two of the groups did not make any money from their ransom demands, the third barely gathered $200 in its Bitcoin address.
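The attacks described in this article depended on a single configuration weakness: a mongod instance reachable from the internet with authorization switched off. The following audit script is an added example, not code from the article or from MongoDB; it checks a mongod.conf for the two settings that control that exposure, `security.authorization` and `net.bindIp` (both real mongod.conf keys). The two configuration files it inspects are constructed samples, and the parser is a deliberately minimal reader of the indented `key: value` subset of YAML that mongod.conf uses, not a general YAML parser (an assumption: no lists or quoted values).

```python
"""Audit a mongod.conf for the settings that left databases open to ransom attacks.

Constructed example: the sample configs below are not from any real deployment.
"""
from __future__ import annotations

# Constructed sample: listens on every interface, no authorization (the exposed case).
EXPOSED_CONF = """\
# mongod.conf - constructed sample
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: local interface only, authorization required (the hardened case).
HARDENED_CONF = """\
# mongod.conf - constructed sample
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Addresses that mean "every interface" when they appear in net.bindIp.
WILDCARD_ADDRESSES = {"0.0.0.0", "::"}


def parse_conf(text: str) -> dict:
    """Parse the indented 'key: value' subset of YAML used by mongod.conf.

    Assumption: no lists, anchors or quoted strings; inline '#' comments are dropped.
    """
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(text: str) -> list[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_conf(text)
    findings: list[str] = []

    # 1. Authorization: without it, anyone who can reach the port can read and drop databases.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled'; no password is required to connect")

    # 2. Network exposure. Assumption: a missing bindIp is treated as localhost, the default
    #    since MongoDB 3.6; older builds listened on all interfaces unless told otherwise.
    net = conf.get("net", {})
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addresses = {a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")}
    if bind_all or addresses & WILDCARD_ADDRESSES:
        findings.append("net.bindIp exposes mongod on all interfaces; restrict it to trusted addresses")

    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Either finding on its own is enough to reproduce the situation the article describes: an open bind address with authorization disabled is exactly what the groups searched for, and the fix is to set both keys before the instance is ever exposed.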