Researchers have discovered a new campaign dubbed “Mongo Lock” targeting unprotected and remotely accessible MongoDB databases. The attack is not new, and the databases have been targeted for a long time. The hijack works by the attacker scanning the internet for unprotected MongoDB servers. The attackers will connect to the unprotected database and then delete it while demanding 0.1 Bitcoins. There is no Bitcoin address in the ransom note, however the attackers provide an email address for victims to contact. Researchers claim, “the attackers are using a script that automates the process of accessing a MongoDB database, possibly exporting it, deleting the database, and then creating the ransom note.” An issue with the script is that it can sometimes fail. If this happens, the data will still be available to the user even though a ransom note is still created.
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is