Ransom attacks on MongoDB databases rekindled last week and over the weekend with the emergence of three new groups that hijacked over 26,000 servers, with one group hijacking 22,000.
The attacks, detected by security researchers Dylan Katz and Victor Gevers, are a continuation of the so-called MongoDB Apocalypse that started in late December 2016 and continued through the first months of 2017.
During those attacks, multiple hacking crews scanned the Internet for MongoDB databases left open for external connections, wiped their content, and replaced it with a ransom demand.
Most of these exposed databases were test systems, but some contained production data, and a few companies ended up paying the ransom only to find out later that they had been scammed and the attacker never had their data.
New wave of MongoDB hijacks discovered
Several security researchers have tracked the attacks with the help of a Google Docs spreadsheet. In total, attackers ruined over 45,000 databases, if not more.
From MongoDB, ransom attacks also spread to other server technologies, such as ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL servers.
Over the spring and summer, activity from the hacking groups involved in these attacks waned, and the number of ransomed servers went down.