€250 ($275) for "testing their DDoS protection systems." German DDoS protection firm Link11 reported attacks against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia. The attack against DHL Germany was particularly effective as it shut down the company's business customer portal and all APIs, prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL. "They seem to know what to hit," said Daniel Smith, security researcher for Radware, and one of the people currently keeping tabs on the attacks.
The group sent emails to all the companies it targeted. In the emails, they didn't ask for a ransom to stop the attacks, but a fee for having already carried out what they called a DDoS protection test. Usually, these types of groups launch DDoS attacks and then send emails to their victims requesting payments to stop the attacks. XMR Squad's emails looked like invoices for unrequested DDoS tests. Furthermore, the ransom note didn't include payment instructions, which is weird, to say the least. DDoS ransoms are usually handled in Bitcoin or another anonymous cryptocurrency. It was strange to see the group ask for payment in Euros, as the group's name included the term XMR, the shortname for Monero, an anonymous cryptocurrency.
While the group advertised on Twitter that their location was in Russia, a German reporter who spoke with the group via telephone said "the caller had a slight accent, but spoke perfect German." To the same reporter, the group also claimed they carried out the attacks only to get public attention. The attention they got wasn't the one they expected, as their hosting provider took down their website, located at xmr-squad.biz.
Germany, in particular, has been the target of several DDoS blackmailers in the past year. In January and February, a group calling itself Stealth Ravens launched DDoS-for-Bitcoin ransom attacks. Link11, who tracked those attacks, claimed the group used a DDoS botnet built with the Mirai IoT malware and asked for 5 Bitcoin ($6,000) to stop attacks. Last year in June, another group named Kadyrovtsy also targeted German businesses, launching attacks of up to 50 Gbps. This group began DDoS ransom attacks a month earlier by first targeting Polish banks.
All these groups are following the same modus operandi perfected by groups like DD4BC and Armada Collective. These two groups appeared in the summer and autumn of 2015 and targeted companies worldwide. In January 2016, Europol arrested suspects believed to be DD4BC members in Bosnia and Herzegovina. Following the arrests, both groups became inactive. After the demise of these two main groups, there was a wave of copycats [1, 2, 3, 4, 5] that used their respective reputation to extort payments from companies, in many cases without even possessing any DDoS capabilities.
This Monday, Bleeping Computer broke the news that a hacker/group identified as Harak1r1 was taking over MongoDB databases left connected to the Internet without a password on the admin account. The group was exporting the database's content and replacing all tables with one named WARNING, which contained a ransom note asking the owners of the hacked database to pay 0.2 Bitcoin (~$200) into a Bitcoin wallet. At the time of our article, Harak1r1 had hijacked just over 1,800 MongoDB databases, and 11 victims had paid the ransom in order to recover their files. As time went by, Harak1r1 hijacked more databases, reaching at one point over 3,500 MongoDB instances, and currently peaking at over 8,500. Among them, the hacker(s) had even managed to make a high-profile victim in Emory Healthcare, a US-based healthcare organization. According to the MacKeeper Security Research Team, Harak1r1 had ransacked and blocked Emory's access to more than 200,000 medical records.
Attacks from Harak1r1 went on for two more days, but as worldwide infosec media started covering the topic, two copycats appeared and started doing the same. The second group goes by the name of 0wn3d, and they work by replacing the hijacked database tables with a table named WARNING_ALERT. According to Victor Gevers, the researcher who initially discovered the first hacked MongoDBs around Christmas, this second group has hijacked just over 930 databases. Unlike Harak1r1, this second group is a little bit more greedy and asks for 0.5 Bitcoin, which is around $500, but this hasn't stopped companies from paying, with 0wn3d's Bitcoin wallet showing that at least three victims had paid his ransom demands. A day later, the same Gevers came across a third actor, using the name 0704341626asdf, which appears to have hit over 740 MongoDB servers.
This hacker/group is asking for 0.15 Bitcoin (~$150), and he's using a lengthier ransom note, in which he admonishes victims for leaving their DB open over the Internet. Furthermore, this threat actor appears to be more strict with victims and gives database owners 72 hours to pay the ransom.
According to Gevers, the lines that allowed him to track the activity of these three groups are slowly blurring, as these groups started using more varied messages and different Bitcoin addresses. Additionally, in newer variations of these attacks, the hackers don't appear to bother copying the hacked database. In recent attacks, Gevers says that crooks just delete the DB's content, ask for a ransom regardless, and hope nobody checks the logs and discovers what they've done. There is no evidence that they actually copied your database. According to Gevers, these groups are now fighting over the same turf, with many of them rewriting each other's ransom notes. This leads to cases where database owners pay the ransom to the wrong group, who can't give their content back. "It's catching on and it looks more players are coming to the game.