Giant extortion ring discovered: Why you could be at risk

Not all ransom attacks are based on fooling users into opening ransomware. In a recent case, the victims seem to have made a different mistake: failing to change default settings on a service. 

A researcher has discovered that potentially thousands of databases built using MongoDB, an open-source database system, have been wiped clean by attackers. The databases now contain a single file: a document with instructions telling users to pay a ransom to a Bitcoin address in order to retrieve their data.

According to Krebs on Security:

“Tens of thousands of organizations use MongoDB to store data, but it is easy to misconfigure and leave the database exposed online. If installed on a server with the default settings, for example, MongoDB allows anyone to browse the databases, download them, or even write over them and delete them.”

That would appear to be what happened in this case. By finding the misconfigured databases, attackers were able to replace them with the ransom demand to be paid in order to return the database to its original state.

Only they aren’t being restored.

Gone forever?

According to the researcher who is spearheading the investigation into this extortion attack, up to 29,000 of the misconfigured databases have been replaced with a ransom note. And those who are paying the ransom may not be getting their files back.

The attack is fairly simple to execute. All it takes to find the misconfigured databases is a simple search.

It’s likely that many of these databases were already backed up or were forgotten about long ago, and are thus useless to attackers.

But the real concern is that this ransom attack could be completely bogus to begin with. There seems to be no indication that the files are being returned to those who have paid the ransom. And it’s not even clear that they could be returned.

For that reason, experts warn that if your database has been compromised, you probably shouldn’t pay. (Or, at the very least, ask for proof that the files could be returned.)

Check your settings

This case is a good reminder that it’s absolutely essential to check that your server settings are configured correctly (and that your server is secure).

The problem of weak or default passwords is well-publicized. Most companies know to change these right away. But in some cases, restarts or other changes to the server could result in reverting to the default password and security settings.

Even if you’re sure you’ve configured your servers correctly in the past, it never hurts to go back and check to be sure the settings are still exactly how you want them to be.
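As an added illustration of the kind of check the article is urging (this code is not from the article or from the MongoDB project), the following Python script audits a mongod.conf file for the two settings behind this incident: listening on every network interface and running without access control. It assumes the YAML-style config format that mongod uses, reads only the `net.bindIp` and `security.authorization` keys, and the two sample configuration files are constructed for the example. Re-running it after restarts or config changes catches the silent reversion to defaults the article warns about.

```python
"""Audit a mongod.conf (YAML-style) for the two settings that left the
databases in this story exposed: listening on every interface and running
with no authorization. Added illustration; not from the article or MongoDB."""

from typing import Dict, List, Union

Tree = Dict[str, Union[str, "Tree"]]

# Constructed sample: a config with no access control, bound to all interfaces.
WEAK_CONF = """\
# mongod.conf (constructed example)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same config with the two settings corrected.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Tree:
    """Parse the indentation-based key/value subset of YAML that mongod.conf
    uses. Lists, anchors and quoted strings are out of scope; this is enough
    for the net: and security: sections."""
    root: Tree = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, root at indent -1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Tree = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_yaml(text)
    findings: List[str] = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp", "") if isinstance(net, dict) else ""
    # Older releases listened on every interface when bindIp was absent,
    # so a missing value is treated the same as 0.0.0.0.
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    if not addrs or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(
            "net.bindIp: listens on all interfaces "
            "(restrict to localhost or a private address)"
        )

    security = conf.get("security", {})
    authz = (
        security.get("authorization", "disabled")
        if isinstance(security, dict)
        else "disabled"
    )
    if authz.lower() != "enabled":
        findings.append(
            "security.authorization: not enabled "
            "(anyone who reaches the port can read, overwrite or drop databases)"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run it against the real file with `audit_mongod_conf(open("/etc/mongod.conf").read())`; a binding check of this kind is no substitute for a firewall rule on the database port, but it is the quickest way to confirm that the settings you fixed last year are still in place today.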