An anonymous hacker is running ransomware attacks that targets 22,900 MongoDB databases. When the attack is successful it threatens victims to report them to the authorities for breaching the GDPR legislation. As long as they pay a certain amount of money in cryptocurrency they won’t be reported.
The ransomware attack was identified Wednesday by a security researcher, Victor Gevers, at the Dutch Institute for Vulnerability Disclosure. However, the attack was first discovered in April. According to ZDnet, the hackers rely on automated scripts to scout the internet for connected MongoDB installations with no security set, i.e. password. The script erases the database’s contents and leaves a ransomware note to the victim demanding payment of 0.015 bitcoin, which is equivalent of $137. If the victim doesn’t pay within 48 hours, they don’t return the data and threaten to report it to GDPR.
“In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe,” the ransom note reads in somewhat broken English. “Under the rules of the law, you face a heavy fine or arrest.”
The seriousness of the attack
Ransomware attacks are common, but the scope of this attack cannot be underestimated. According to Gevers, the targeted 22,900 MongoDB databases make up 47% of total MongoDB databases accessible online.
“The threat to contact GDPR authorities is an interesting new dimension in the ransomware saga,” Chris Rothe, co-founder and chief product officer of threat detection firm Red Canary Inc., said. “Attackers continue to look for ways to multiply leverage. In recent years, ransomware actors have added confidentiality attacks to availability attacks to increase the probability and size of ransom payment. Adding the threat of regulatory fines is a third dimension to generate leverage.”
What experts think the government should do
Ilia Kolochenko, founder and CEO of website security firm ImmuniWeb, recommends that governments should come up with law enforcement teams or specialized agencies to scout and monitor the internet for such leaks in their regions.
For now, we have to wait patiently and see what actions will be taken. If you are using MongoDB, the advice is to check your security settings.