How Ransomware Authors Target Databases

Ransomware is undoubtedly among the most severe cyber security concerns for home users and organizations these days. It revolves around taking important data hostage and demanding money, usually hard-to-trace cryptocurrency such as Monero or Bitcoin, in exchange for its return. Online extortionists constantly diversify their attack vectors to affect as many victims as possible, and the rise of database ransomware demonstrates this unsettling evolution. As per cybersecurity experts from, the threat actors who chose to zero in on servers rather than endpoints have had huge success with these updated tactics.

MongoDB servers turn out to be an easy target


A massive campaign targeting MongoDB servers broke out several years ago. It was the first instance of malefactors compromising open-source database deployments on a large scale. A black hat hacker known in the cybercrime underground under the alias “Harak1r1” identified and attacked numerous poorly protected MongoDB installations across the globe. The workflow of these breaches was as follows: the crook gains unauthorized access to a database, claims to have exported its content, wipes it, and leaves a ransom note in its place. Server owners are instructed to submit a Bitcoin payment to get the hostage data back.

Shortly after this extortion model took root, a criminal group calling itself Kraken got interested and stepped in. Its involvement pushed the number of ransomed MongoDB servers from 10,000 to a whopping 28,000, and the total amount of data reportedly taken reached about 93 terabytes. Several dozen victims are known to have paid the ransom. None of them got their data back. The likeliest explanation is that the crooks were bluffing: they simply erased the data without exporting it anywhere, so there was nothing to restore.

The reason so many MongoDB instances became low-hanging fruit comes down to a lack of caution on the administrators’ end. The campaign hit Internet-facing databases whose default configuration had never been changed. Older MongoDB releases listened on all network interfaces with access control disabled out of the box (the default bind address was only changed to localhost in version 3.6), so the ne’er-do-wells behind the attacks could often connect without any credentials at all, and where a password had been set, guessing or brute-forcing a weak one was enough. None of this would have happened if admins had bound the service to a private interface and enabled authentication and role-based access control.

Hadoop and CouchDB databases at risk

A new wave of database attacks hit the headlines later too. This time, the same group of hackers went after servers running the Hadoop and CouchDB data management platforms. As with the MongoDB incidents, these breaches amounted to hijacking unsecured servers and deleting their data. The extortion part again involved a ransom demand, with the hackers pressuring the affected organizations into paying Bitcoin to restore their proprietary information.

Another common denominator in the two campaigns is that the fraudsters spot and compromise default installations of Hadoop and CouchDB with no or very weak authentication. Effectively, no malware or phishing was involved; connecting to an open service or guessing administrative credentials was enough to pull off these attacks. The worst part of the aftermath is that the data was erased beyond recovery, so paying the ransom could not help.
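The first check a practitioner wants after reading about the MongoDB, Hadoop and CouchDB campaigns is whether anything on their own hosts is listening for database connections on a non-loopback address. The script below is an added example, not code from the article or from any of the database projects: it audits the output of `ss -ltnp` for the default ports of the platforms discussed above. The port map is an assumption (default ports, extended with a few other commonly ransomed stores), and the sample `ss` output and process names are constructed for illustration.

```python
"""Audit `ss -ltnp` output for database listeners reachable beyond loopback.

Added example: DB_PORTS is an assumption (default ports of the platforms
in the article plus a few other commonly ransomed stores); SAMPLE_SS is a
constructed sample, not output captured from a real host.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DB_PORTS = {
    27017: "MongoDB",
    3306: "MySQL",
    5984: "CouchDB",
    8020: "Hadoop HDFS NameNode RPC",
    9870: "Hadoop HDFS NameNode web UI",
    50070: "Hadoop HDFS NameNode web UI (legacy)",
    8088: "Hadoop YARN ResourceManager web UI",
    9200: "Elasticsearch",
    6379: "Redis",
}

# Local address column of `ss`: "0.0.0.0:27017", "127.0.0.1:3306", "[::]:5984", "*:9200".
_ADDR_RE = re.compile(r"^(?P<host>\*|\[[^\]]*\]|[0-9.]+):(?P<port>\d+)$")
_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


@dataclass(frozen=True)
class Finding:
    process: str
    port: int
    bind_addr: str
    product: str


def _is_loopback(host: str) -> bool:
    return host.startswith("127.") or host == "[::1]"


def parse_ss_line(line: str) -> tuple[str, int, str] | None:
    """Return (host, port, process) for one LISTEN line of `ss -ltnp`, else None."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "LISTEN":
        return None  # header line, non-listening socket, or unexpected layout
    m = _ADDR_RE.match(parts[3])
    if not m:
        return None
    proc = _PROC_RE.search(line)
    return m["host"], int(m["port"]), (proc["name"] if proc else "?")


def exposed_db_listeners(ss_output: str) -> list[Finding]:
    """Database ports bound to anything other than the loopback interface."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        host, port, proc = parsed
        if port in DB_PORTS and not _is_loopback(host):
            findings.append(Finding(proc, port, host, DB_PORTS[port]))
    return findings


# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*         users:(("mongod",pid=812,fd=11))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=950,fd=22))
LISTEN 0      128    [::]:5984           [::]:*            users:(("beam.smp",pid=1201,fd=17))
LISTEN 0      128    *:8088              *:*               users:(("java",pid=1400,fd=300))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=600,fd=3))
"""

if __name__ == "__main__":
    import sys
    # Live use: ss -ltnp | python3 audit_listeners.py -
    text = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_SS
    for f in exposed_db_listeners(text):
        print(f"EXPOSED {f.product}: {f.process} on {f.bind_addr}:{f.port}")
```

On the sample this reports MongoDB, CouchDB and the YARN web UI as exposed and leaves the loopback-bound MySQL alone. Two caveats: a service bound to loopback is still reachable if something in front of it forwards the port (a Docker-published port shows up here as `docker-proxy` on 0.0.0.0, which the check does catch), and the host's own view is no substitute for scanning your public address from outside, which is exactly what the attackers did.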


At about the same time, an individual going by the online handle “Kraken0” released a ransomware kit that automates the process of detecting and breaking into poorly protected databases. The kit was sold on darknet marketplaces for as little as $200. Wannabe crooks must have appreciated such a cheap opportunity to go pro.

MySQL databases are not much safer

Ransomware deployers did not pass over vulnerable MySQL installations either. Servers running this popular database management system were also subjected to extortion attacks. Although the first wave lasted only 30 hours, it compromised hundreds of MySQL databases globally. The anatomy of the attacks never varies: defeat authentication (guessing or brute-forcing weak root credentials on a MySQL port exposed to the Internet), delete the database content, and demand a ransom. Unfortunately, in most cases the criminals never actually dumped the data first, so paying did not bring it back.

The attacks took two forms. In one, the attacker added a new table called “WARNING” to the existing database. It contained a recovery how-to providing the attacker’s email address, a Bitcoin wallet address, and the amount to be paid. The server administrator was instructed to visit a specific page with the Tor Browser and follow further directions on the darknet site. In the other, the attacker created a new database containing a table called “PLEASE_READ.” This edition of the ransom note told victims to submit the specified amount of cryptocurrency and then send the affected IP address or database name to backupservice @ In either case, the perpetrators did not keep their promises and never gave the hostage data back.
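The MySQL sequence above (log in from an unexpected host, drop the data, create a WARNING or PLEASE_READ object) is a detection opportunity if the server's general query log is enabled and shipped off the host. The following is an added example, not code from the article: it runs three rules over general-log lines. The log format is assumed to be the MySQL 5.7+ `general_log` file layout (timestamp, connection id, command, argument); the trusted-host list and the log lines are constructed for illustration.

```python
"""Flag the MySQL ransomware pattern in a general query log.

Added example, not from the article. Assumes the MySQL 5.7+ general_log
file format: "<timestamp>\t<conn id> <Command>\t<argument>". TRUSTED_HOSTS
and SAMPLE_LOG are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hosts from which administrative connections are expected (assumption).
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "10.0.0.5"}

# Object names the article reports as ransom-note carriers.
RANSOM_NOTE_NAMES = {"WARNING", "PLEASE_READ"}

_LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")
_CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on\b")
_DESTRUCTIVE_RE = re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA|TABLE)\b", re.I)
_CREATE_RE = re.compile(
    r"^\s*CREATE\s+(?:DATABASE|SCHEMA|TABLE)\s+(?:IF\s+NOT\s+EXISTS\s+)?"
    r"`?(?:\w+`?\.`?)?(?P<name>\w+)`?",
    re.I,
)


@dataclass(frozen=True)
class Alert:
    session: int
    rule: str
    detail: str


def analyze_general_log(log_text: str) -> list[Alert]:
    """Return alerts for external logins, destructive statements from such
    sessions, and creation of objects named like the known ransom notes."""
    alerts: list[Alert] = []
    external: dict[int, str] = {}  # connection id -> user@host for untrusted origins
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue  # header line or continuation of a multi-line statement
        sid, cmd, arg = int(m["id"]), m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            c = _CONNECT_RE.match(arg)
            if c and c["host"] not in TRUSTED_HOSTS:
                external[sid] = f"{c['user']}@{c['host']}"
                alerts.append(Alert(sid, "external-login", external[sid]))
        elif cmd == "Query":
            if sid in external and _DESTRUCTIVE_RE.match(arg):
                alerts.append(Alert(sid, "destructive-from-external", arg))
            c = _CREATE_RE.match(arg)
            if c and c["name"].upper() in RANSOM_NOTE_NAMES:
                alerts.append(Alert(sid, "ransom-note-artifact", arg))
        elif cmd == "Quit":
            external.pop(sid, None)  # connection ids are reused after disconnect
    return alerts


# Constructed sample: a legitimate app session (11) and an attacker session (12).
SAMPLE_LOG = (
    "Time                 Id Command    Argument\n"
    "2017-02-12T10:14:58.000000Z\t   11 Connect\tapp@10.0.0.5 on shop using TCP/IP\n"
    "2017-02-12T10:14:59.000000Z\t   11 Query\tSELECT id, total FROM orders WHERE id = 42\n"
    "2017-02-12T10:15:00.000000Z\t   11 Query\tDROP TABLE tmp_import\n"
    "2017-02-12T10:15:01.123456Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP\n"
    "2017-02-12T10:15:02.000000Z\t   12 Query\tshow databases\n"
    "2017-02-12T10:15:03.000000Z\t   12 Query\tDROP DATABASE shop\n"
    "2017-02-12T10:15:04.000000Z\t   12 Query\tCREATE DATABASE PLEASE_READ\n"
    "2017-02-12T10:15:05.000000Z\t   12 Query\tCREATE TABLE PLEASE_READ.PLEASE_READ (msg TEXT, btc VARCHAR(64))\n"
    "2017-02-12T10:15:06.000000Z\t   12 Quit\t\n"
    "2017-02-12T10:15:07.000000Z\t   11 Quit\t\n"
)

if __name__ == "__main__":
    for a in analyze_general_log(SAMPLE_LOG):
        print(f"session {a.session}: {a.rule}: {a.detail}")
```

The trusted session's `DROP TABLE tmp_import` produces nothing, while the root login from 203.0.113.5 yields an external-login alert, a destructive-statement alert and two ransom-note-artifact alerts. The general log is off by default and costly on busy servers, so in practice the same rules belong on the audit plugin output or a proxy's query log; either way the log has to leave the host before the attacker can touch it.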

The bottom line

All of these database hack incidents demonstrate that the data management platforms per se are not to blame. Whether it is MongoDB, Hadoop, CouchDB, or MySQL, each provides plenty of security capabilities, including authentication, role-based access control, settings to restrict which interfaces the service listens on, and data encryption.

It is sloppy deployment of these databases that lets the attacks through. Malefactors can simply query Shodan, a search engine for Internet-accessible devices, to find servers exposing database ports. The rest is trivial. We strongly recommend that all admins keep their database software up to date and use the security features that ship with every such platform: bind the service to a private interface or loopback, enable authentication, grant each account only the privileges it needs, and add multifactor authentication wherever the platform or a front-end proxy supports it.

There are plenty of further tips on how to secure a database: use a database firewall, separate web servers from database servers, encrypt data and backups, keep backups offline where an intruder with database credentials cannot wipe them and test restoring from them (a restore is the only reliable way out of a wiped database), and tightly control database user access.

While securing a database may seem like a difficult task, each additional step makes a real difference and rules out whole classes of attackers; the campaigns above would have been stopped by nothing more than a bind address and a password. Some organizations may need professional services to help them implement the right controls. Hackers keep changing their techniques, so it is crucial to stay up to date on the security measures available. Awareness is an excellent place to start.

By Alex Vakulov