... hackers leaked more than 36 million and 58 million accounts respectively from unsecured MongoDB databases.

Now, unsecured MongoDB databases are being hijacked by a hacker who is not only wiping these databases but also storing copies of them and demanding a ransom of 0.2 bitcoins (roughly US$211) from admins in exchange for the lost data. Admins who haven't created backups of these databases are in a serious bind, because the price of Bitcoin is also rising; the latest rate is 1 Bitcoin = USD 1063.93.

The hacking campaign was discovered by security researcher Victor Gevers, co-founder of the GDI Foundation, a non-profit organization. Gevers notified owners about the presence of vulnerable, non-password-protected MongoDB databases and reported that around 200 of these installations had been wiped by the hacker. Gevers believes that the hacker(s) might be using an automation tool but select their target databases manually. The hacker seems to be interested in databases that contain important information, or chooses companies that are most likely in a position to pay the ransom to get their data back. In a conversation with SecurityWeek, Gevers said: "They use some sort of automation tool, but they also do some of the work manually. If they used a fully automated tool, we might have seen all exposed MongoDB databases being hijacked in one swift move."

But that was old news; as per a recent tweet by Shodan founder John Matherly, approx. It must be noted that Shodan is the platform where the majority of MongoDB instances can be located. As of now, 16 admins/organizations have already paid the ransom to obtain the lost data. The attacks on MongoDB databases have been going on for more than a week, and servers from across the globe have been targeted.
Researchers believe that the attacker, who uses the alias "harak1r1", does not encrypt the stolen data but runs a script which replaces the database content with the ransom note.
Last week we first tweeted that the GuardiCore Global Sensor Network (GGSN) had detected a widespread ransomware attack targeting MySQL databases. The attacks look like an evolution of the MongoDB ransomware attacks first reported earlier this year by Victor Gevers. As in the MongoDB attacks, owners are instructed to pay a 0.2 Bitcoin ransom (approx. $200) to regain access to their content. We saw two very similar variations of the attack using two bitcoin wallets. In this post we describe the attack flow in detail and provide some recommendations on how to protect your databases from similar attacks, along with attack IoCs.

The attacks started at 00:15 on February 12 and lasted about 30 hours, during which hundreds of attacks were reported by GGSN. We were able to trace all the attacks to 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting company. The attacker is (probably) operating from a compromised mail server which also serves as an HTTP(S) and FTP server. Worldstream was notified a few days after we reported the attack.

The attack starts with 'root' password brute-forcing. Once logged in, it fetches a list of the existing MySQL databases and their tables and creates a new table called 'WARNING' that includes a contact email address, a bitcoin address and a payment demand. In one variant of the attack the table is added to an existing database; in other cases the table is added to a newly created database called 'PLEASE_READ'. The attacker then deletes the databases stored on the server and disconnects, sometimes without even dumping them first.

[Figure: The attack as reported by GuardiCore Centra]

We logged two versions of the ransom message:

    INSERT INTO PLEASE_READ.`WARNING` (id, warning, Bitcoin_Address, Email) VALUES ('1', 'Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!', '1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY', 'backupservice@mail2tor.com')

    INSERT INTO `WARNING` (id, warning) VALUES (1, 'SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE!

The second version directs the owner to visit the darknet web site 'http://sognd75g4isasu2v.onion/' to recover the lost data.

[Figure: The darknet web site referenced in the ransom note]

Each version uses a different bitcoin wallet, 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 vs 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY, and based on public Blockchain information people have been paying up.
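As an added example (not GuardiCore's own code), the following Python flags the attack sequence described above when run over MySQL general-log style lines: a root login, the PLEASE_READ database / WARNING table, the ransom INSERT and a DROP DATABASE in one session. The log lines are constructed for the example; the indicator values (source IP, wallets, ransom text) are the ones from this post.

```python
"""Detection for the MySQL ransom pattern described above (root login, new
PLEASE_READ database / WARNING table, ransom INSERT, DROP DATABASE) over
MySQL general-log style lines. Sample log is constructed; IoCs are the post's."""
import re
from collections import defaultdict

ATTACK_IP = "109.236.88.20"
RANSOM_DB, RANSOM_TABLE = "PLEASE_READ", "WARNING"
RANSOM_TEXT = re.compile(r"0\.2\s*BTC", re.IGNORECASE)
RANSOM_WALLETS = ("1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY", "1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9")
# general_log text format assumed here: "<time> <thread_id> <command> <argument>"
LOG_RE = re.compile(r"^\S+\s+(\d+)\s+(Connect|Query|Quit)\s*(.*)$")

def detect_ransom_sessions(log_text):
    """Return {thread_id: [findings]} for sessions that both planted a
    ransom note and dropped a database; everything else is ignored."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tid, cmd, arg = m.groups()
        up = arg.upper()
        if cmd == "Connect":
            if arg.lower().startswith("root@"):
                findings[tid].append("root login")
            if ATTACK_IP in arg:
                findings[tid].append("known attacker ip")
        elif up.startswith("CREATE DATABASE") and RANSOM_DB in up:
            findings[tid].append("ransom db created")
        elif up.startswith("CREATE TABLE") and RANSOM_TABLE in up:
            findings[tid].append("ransom table created")
        elif up.startswith("INSERT") and (RANSOM_TEXT.search(arg) or
                                          any(w in arg for w in RANSOM_WALLETS)):
            findings[tid].append("ransom note inserted")
        elif up.startswith("DROP DATABASE"):
            findings[tid].append("database dropped")
    # Report only sessions that planted a note AND destroyed data.
    return {t: f for t, f in findings.items()
            if "ransom note inserted" in f and "database dropped" in f}

# Constructed sample: attacker session (thread 12) and a benign one (13).
SAMPLE_LOG = """\
2017-02-12T00:15:02Z 12 Connect root@109.236.88.20 on
2017-02-12T00:15:02Z 12 Query CREATE DATABASE PLEASE_READ
2017-02-12T00:15:02Z 12 Query CREATE TABLE PLEASE_READ.`WARNING` (id INT, warning TEXT, Bitcoin_Address TEXT, Email TEXT)
2017-02-12T00:15:03Z 12 Query INSERT INTO PLEASE_READ.`WARNING` VALUES ('1','Send 0.2 BTC to this address ...','1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY','backupservice@mail2tor.com')
2017-02-12T00:15:03Z 12 Query DROP DATABASE shop
2017-02-12T00:16:00Z 13 Connect app@10.0.0.5 on shop
2017-02-12T00:16:00Z 13 Query SELECT COUNT(*) FROM orders
"""
```

Running `detect_ransom_sessions(SAMPLE_LOG)` returns only thread 12 with its full chain of findings; the benign application session produces nothing.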