Ransomware targeting MongoDB databases threatens to report victims for GDPR breach
An unknown hacker has targeted 22,900 MongoDB databases in a ransomware attack that threatens to report victims to authorities for breaching the European Union General Data Protection Regulation if they don’t pay up.
The attack, discovered Wednesday by security researcher Victor Gevers at the Dutch Institute for Vulnerability Disclosure, was first detected in April. According to ZDNet, the hackers use automated scripts to search the internet for connected MongoDB installations with no password set. The script deletes the contents of the database, then leaves a ransom note demanding payment of 0.015 bitcoin ($137) for the return of the stolen data within 48 hours.
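The two conditions those scripts rely on, an instance that is reachable from other hosts and one that requires no credentials, can be checked directly against a deployment's configuration. The following audit is an added example written for this article, not code from the report or from MongoDB; it assumes the config has already been loaded from mongod.conf into a dict (as yaml.safe_load would produce) and assumes MongoDB 3.6+ defaults for bindIp.

```python
import ipaddress

def _lookup(cfg, dotted, default=None):
    """Fetch a nested key such as 'security.authorization' from a parsed mongod.conf dict."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def exposed_interfaces(cfg):
    """Return bind addresses reachable from other hosts. Assumes MongoDB 3.6+ defaults
    (127.0.0.1 unless net.bindIp / net.bindIpAll say otherwise); older releases bound to all."""
    if _lookup(cfg, "net.bindIpAll") is True:
        return ["0.0.0.0"]
    exposed = []
    for addr in str(_lookup(cfg, "net.bindIp", "127.0.0.1")).split(","):
        addr = addr.strip()
        if not addr or addr == "localhost" or addr.startswith("/"):
            continue  # empty, loopback name, or unix socket path
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            exposed.append(addr)  # a hostname: assume it resolves to a routable address
            continue
        if ip.is_unspecified or not ip.is_loopback:
            exposed.append(addr)
    return exposed

def audit(cfg):
    """Flag the two conditions the scanning scripts rely on, and their combination."""
    findings = []
    if _lookup(cfg, "security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': no credentials needed to read, drop or rewrite data")
    exposed = exposed_interfaces(cfg)
    if exposed:
        findings.append("net.bindIp exposes the listener on " + ", ".join(exposed))
    if len(findings) == 2:
        findings.append("CRITICAL: unauthenticated and network-reachable, the pair the automated scans look for")
    return findings

# Constructed sample configs, shaped like the dict yaml.safe_load() returns for mongod.conf.
WEAK = {"net": {"bindIp": "0.0.0.0", "port": 27017}}
HARDENED = {"net": {"bindIp": "127.0.0.1"}, "security": {"authorization": "enabled"}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```

A bind to a private address with authorization enabled still produces one finding, which is the intended signal: network reachability alone is worth reviewing, but only the combination with no authentication reproduces the condition this attack depends on.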
“In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe,” the ransom note reads in somewhat broken English. “Under the rules of the law, you face a heavy fine or arrest.”
Ransomware attacks are a dime a dozen, but the scope of this attack is notable, since according to Gevers the 22,900 MongoDB databases successfully targeted account for about 47% of all MongoDB databases accessible online.
“The threat to contact GDPR authorities is an interesting new dimension in the ransomware saga,” Chris Rothe, co-founder and chief product officer of threat detection firm Red Canary Inc., told SiliconANGLE today. “Attackers continue to look for ways to multiply leverage. In recent years, ransomware actors have added confidentiality attacks (threats to expose sensitive data) to availability attacks (making systems or data inoperable) in order to increase the probability and size of ransom payment. Adding the threat of regulatory fines is a third dimension to generate leverage.”
Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, thinks governments should create special agencies or law enforcement teams to crawl and monitor the internet for such leaks in their jurisdictions.
“Once detected, legal action should be taken against the company behind the leak and all costs of the monitoring and investigation should likewise be imposed on the guilty company,” he said. “Organizations, on their side, should urgently implement continuous attack surface monitoring and implement a well-thought third-party risk management program.”