2 min

Several hacker groups started attacking Mongolian databases two years ago and taking them hostage for ransom. These practices are still active today, ZDNet discovered. The original groups stopped after a few months, but new groups have joined the attacks in recent years.

The trend started in December 2016, when hackers realized that they could blackmail companies if they hadn’t secured their databases with a password and it was accessible via the internet. At that time, this was the case with 60,000 Mongolian DB databases, so there were plenty of targets. In the first wave of attacks, the hackers downloaded the data to their systems, removed the data from the company’s server and left a message on the server asking for a ransom in exchange for the data.

Soon, however, the hackers realised that there was far too much data to store locally. Within a few weeks they just started to delete data, but they still left hostage notes in the hope of getting a victim to pay for data the hackers didn’t have.

The attacks were named MongoDB Apocalypse. The hackers managed to attack more than 28,000 servers in the first two months alone at the beginning of 2017. Later, hackers began to expand into other vulnerable systems, such as ElasticSearch, Hadoop, CouchDB, Cassandra and MySQL servers.

New groups

Dutch security researcher Victor Gevers is one of the people who has been following the attacks since the beginning. He has been following the hacker groups and their attacks in a Google Lectures file since 2017. Opposite ZDNet, he states that the attacks are still ongoing. In the past month Gevers discovered three new groups.

The groups attacked almost three thousand Mongolian databases, using the same technique as the first attacks. They connected to a database without a password, deleted the data and left a ransom note. But according to Gevers, the groups are more “clumsy” than previous hackers. “Two of the groups didn’t make any money, the third only managed to raise 200 dollars.

“It is clear that someone is selling a toolkit, since every attack seems to be the same as the others,” says Gevers. “Only the e-mail address, the bitcoin address and the ransom note change.”

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.