January 10, 2017
The number of hijacked MongoDB servers held for ransom has skyrocketed in the past two days from 10,500 to over 28,200, thanks in large part to the involvement of a professional ransomware group known as Kraken.
According to statistics provided by two security researchers monitoring these attacks, Victor Gevers and Niall Merrigan, this group is behind nearly 16,000 hijacked databases, roughly 56% of all ransacked MongoDB instances.
The Kraken group got involved in these MongoDB attacks on Friday, January 6, seeing how successful and profitable previous attacks from other groups had been.
Numbers of hijacked MongoDB servers went from 1,800 to 28,000 in a week
There are currently twelve groups launching attacks on unsecured MongoDB databases. These databases are easy pickings because they have been left reachable from the Internet with access control switched off, so anyone who can connect to the default port (27017) gets full administrative access without logging in.
These groups access these unsecured databases, export their content, and leave a message behind asking for a ransom payment in order to return the data.
According to Gevers and Merrigan, in recent days some groups are not even downloading the data but simply deleting it, in which case no ransom payment can bring it back. Nevertheless, many companies paid in an attempt to get their data back.
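The check a practitioner wants after reading the above is whether their own instance answers the way the attackers' scanners expect. The following is an added example, written for this page and not code from the article or from the researchers it quotes: a stand-alone Python probe that sends `listDatabases` to port 27017 with no credentials, exactly the request that succeeds against an exposed server, and reports whether the server hands over its database list (exposed) or replies with error code 13 `Unauthorized` (access control enabled). It speaks the legacy OP_QUERY wire framing, which every MongoDB version involved in these attacks accepts; MongoDB 5.1 and later reject OP_QUERY for most commands, so use a driver or the shell there. The host name, the two sample replies and the `EXPOSED`/`AUTH_REQUIRED` verdict labels are constructed for illustration. Run it only against servers you are authorised to test.

```python
import socket
import struct

OP_REPLY, OP_QUERY = 1, 2004
HEADER = struct.Struct("<iiii")  # messageLength, requestID, responseTo, opCode
FIXED = {0x01: "<d", 0x10: "<i", 0x11: "<Q", 0x12: "<q"}  # double, int32, timestamp, int64

def bson_encode(doc: dict) -> bytes:
    """Minimal BSON encoder (bool, int32, double, str, list, dict) for the command and the samples."""
    body = b""
    for key, val in doc.items():
        k = key.encode() + b"\x00"
        if isinstance(val, bool):  # checked before int: bool is an int subclass
            body += b"\x08" + k + bytes([val])
        elif isinstance(val, int):
            body += b"\x10" + k + struct.pack("<i", val)
        elif isinstance(val, float):
            body += b"\x01" + k + struct.pack("<d", val)
        elif isinstance(val, str):
            s = val.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(val, list):  # arrays are documents keyed "0", "1", ...
            body += b"\x04" + k + bson_encode({str(i): v for i, v in enumerate(val)})
        elif isinstance(val, dict):
            body += b"\x03" + k + bson_encode(val)
        else:
            raise TypeError(f"unsupported value {val!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"  # int32 total length, elements, NUL

def bson_decode(buf: bytes, pos: int = 0):
    """Decode one BSON document at pos -> (dict, position after it); covers the types seen in listDatabases and error replies."""
    (size,) = struct.unpack_from("<i", buf, pos)
    end, pos, out = pos + size, pos + 4, {}
    while buf[pos] != 0:  # a 0x00 byte terminates the element list
        t, pos = buf[pos], pos + 1
        nul = buf.index(b"\x00", pos)
        key, pos = buf[pos:nul].decode(), nul + 1
        if t in FIXED:
            (val,) = struct.unpack_from(FIXED[t], buf, pos)
            pos += struct.calcsize(FIXED[t])
        elif t == 0x02:  # string: int32 length (incl. NUL), bytes, NUL
            (n,) = struct.unpack_from("<i", buf, pos)
            val, pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif t in (0x03, 0x04):  # embedded document / array
            val, pos = bson_decode(buf, pos)
            if t == 0x04:
                val = [val[i] for i in sorted(val, key=int)]
        elif t == 0x05:  # binary: int32 length, subtype byte, bytes
            (n,) = struct.unpack_from("<i", buf, pos)
            val, pos = buf[pos + 5:pos + 5 + n], pos + 5 + n
        elif t in (0x08, 0x0A):  # bool / null
            val, pos = (buf[pos] == 1, pos + 1) if t == 0x08 else (None, pos)
        else:
            raise ValueError(f"unsupported BSON type 0x{t:02x} for key {key!r}")
        out[key] = val
    return out, end

def build_query(command: dict, request_id: int = 1) -> bytes:
    """Frame an OP_QUERY against admin.$cmd; numberToReturn=-1 asks for a single document."""
    body = struct.pack("<i", 0) + b"admin.$cmd\x00" + struct.pack("<ii", 0, -1) + bson_encode(command)
    return HEADER.pack(HEADER.size + len(body), request_id, 0, OP_QUERY) + body

def build_reply(doc: dict, response_to: int = 1) -> bytes:
    """Frame an OP_REPLY carrying one document; used here only to construct the sample replies."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)  # responseFlags, cursorID, startingFrom, numberReturned
    return HEADER.pack(HEADER.size + len(body), 99, response_to, OP_REPLY) + body

def parse_reply(msg: bytes) -> dict:
    """Return the first document of a complete OP_REPLY."""
    length, _, _, opcode = HEADER.unpack_from(msg, 0)
    if opcode != OP_REPLY or length != len(msg) or struct.unpack_from("<i", msg, 32)[0] < 1:
        raise ValueError("not a complete OP_REPLY carrying a document")  # offset 32 = numberReturned
    return bson_decode(msg, 36)[0]  # documents start after the 16-byte header and 20 bytes of reply fields

def classify(reply: dict):
    """Verdict on an unauthenticated listDatabases reply -> (status, database names or error text)."""
    if reply.get("ok") == 1:
        return "EXPOSED", [d["name"] for d in reply.get("databases", [])]
    if reply.get("code") == 13 or reply.get("codeName") == "Unauthorized":
        return "AUTH_REQUIRED", []
    return "UNEXPECTED", [reply.get("errmsg", "")]

def probe(host: str, port: int = 27017, timeout: float = 5.0):
    """Send listDatabases with no credentials and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rd:
        sock.sendall(build_query({"listDatabases": 1}))
        head = rd.read(HEADER.size)
        if len(head) < HEADER.size:
            raise ConnectionError("server closed the connection without replying")
        msg = head + rd.read(HEADER.unpack(head)[0] - HEADER.size)
    return classify(parse_reply(msg))

# Constructed sample replies (not captured from a live server), in the shape an exposed
# instance and a locked-down instance return to the probe above.
SAMPLE_EXPOSED = build_reply({"databases": [{"name": "admin", "sizeOnDisk": 32768.0, "empty": False},
                                            {"name": "customers", "sizeOnDisk": 7340032.0, "empty": False}],
                              "totalSize": 7372800.0, "ok": 1.0})
SAMPLE_LOCKED = build_reply({"ok": 0.0, "code": 13, "codeName": "Unauthorized",
                             "errmsg": "not authorized on admin to execute command { listDatabases: 1 }"})
```

Calling `probe("db.example.internal")` (a placeholder host) returns `("EXPOSED", [...])` when the server behaves like the hijacked instances described above, and `("AUTH_REQUIRED", [])` when it does not. Any `EXPOSED` result on an Internet-facing host is the condition the twelve groups are scanning for; the fix is to set `security.authorization: enabled` in `mongod.conf`, create an administrative user, and restrict `net.bindIp` (plus firewall rules) so the port is not reachable from the Internet at all.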
These attacks started around Christmas 2016, and initially, they were small in nature and carried out by one group alone, nicknamed Harak1r1.
Image: Groups involved in MongoDB hijacking attacks
Attacks intensified last Monday when Bleeping Computer first reported on these events after Harak1r1 successfully compromised around 1,800 MongoDB installations.
Two days later, the number of groups involved in these hijacking attacks grew to three, and by Saturday there were eight groups, with the number of hijacked databases reaching 10,500 servers.
Professional ransomware group gets involved in MongoDB attacks
The massive surge over the weekend, which took the number of hijacked servers to over 28,000, was driven by the involvement of Kraken, a group previously involved in distributing "classic" Windows ransomware.
The connection between the Windows ransomware and the MongoDB attacks is the use of the same email address in both campaigns: