Owners of Unprotected MongoDB Databases Now Facing Unusual Extortion

• An atypical actor targeted 22,900 unprotected and accessible MongoDB databases.
• The hacker is extorting the owners by threatening to report them to data protection authorities.
• GDPR violations may result in significant fines, depending on the severity.

When hackers steal the contents of your unprotected database and wipe everything, they leave a note asking for the payment of a ransom in order to get your files back. In many cases, this extortion doesn’t lead anywhere, since there are backups to restore from, or because the stolen data isn’t critical for the continuation of the operations of the victim. A hacker is now taking a fresh approach to enforce the payment of the demanded ransom, extorting MongoDB owners by threatening to report them to their local GDPR (General Data Protection Regulation) office.

So, the actor is giving the extorted entities 48 hours to meet the demands, which is the payment of 0.015 BTC (roughly $137). In many cases, the attacker doesn’t even bother to wipe the data, as this isn’t playing any role in the extortion process. The GDPR authorities may be tipped whether the database is populated with data or not, so this doesn’t matter at all. As for the number of the MongoDB databases targeted by the particular actor, this is 22,900 - that’s about 47% of all MongoDB databases currently online, and finding them was a matter of running an automated scanning script.

This basically means that just shy of half of all MongoDB instances online right now were misconfigured, which is utterly absurd. According to more details provided by a ZDNet report, these attacks started sometime in April 2020. Several databases received the same ransom note again and again, as they still appeared on the scans. It means that the two-day deadline is probably fake, although the actor could move forward extorting the same owners again even after he has sent the relevant reports to the authorities.

If you’re wondering what the risk of being reported to the GDPR authorities entails, that would be mainly big fines. Depending on the case, authorities may decide up to €20 million or up to 4% of the target’s annual revenue. For lower-level violations, the penalties are halved. The most recent fine of this kind was issued on June 30, 2020, but the German data protection authority. The amount was set to €1,240,000 for “Allgemeine Ortskrankenkasse,” a health insurance company, and the reason was “insufficient technical and organizational measures to ensure information security.”