What being the victim of a MongoDB ransomware attack feels like

Alexandru Rosianu, published in Futuristico
2 min read, Jan 22, 2017

I was in a call with Vlad Stan, getting ready to do a product demo of Tomo. However, something was off… the dashboard wasn’t working; our Messenger bot wasn’t responding. What could it be?

So I checked the database. I opened MongoHub, connected to the server, and this was the only database I saw: WARNING. It had only one collection, with the same name.

If I were the attacker, I’d have said “HACKED” or “RANSOM_PLS” instead of “WARNING”.

At first I wasn’t quite sure what was going on. But then, this made it very clear:

I like that the attacker used a field for his email. Why not do the same for the sum and BTC address, though?

The collection had only one document in it. It was a note, asking for a mere ransom of 0.1 BTC. By our calculations, the data we had in the database was worth $2.

I’m curious whether they actually give it back once you pay.

What’s interesting is that I was expecting this to happen. Ever since I created the database and left it unprotected, I knew anyone could see it. I even thought… with all this ransomware fuss, what if they find our database?

Heck, I did this myself once! No, I don’t mean stealing data and asking for ransom, but finding vulnerable databases. I used https://www.shodan.io to search for IPs that had a specific port open (27017 is the default for MongoDB). Then, I simply connected with a MongoDB client to whatever servers I found. There was nothing interesting though, just small servers with boring data. I did it for learning purposes.

So how did it feel? Funny, because:

  • We didn’t care about that data. It was a scrap database, with nothing critical in it.
  • We had backups. The database was hosted on a cluster on Docker Cloud, where we had nightly backups in place.

I restored the database from the previous backup and everything was working again. The demo went great, too.

Lesson learned? Yes. Attackers will always find you. Wherever your data is, if it’s not protected, it’s at risk. MongoDB’s Security Checklist is a great start.
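To make the lesson concrete, here is an added illustration (not part of the original post) of what "unprotected" versus "protected" looks like in a mongod.conf file: the first fragment is an instance open to the whole internet like the one in the story, the second binds to loopback and turns on authorization. The file name and the standalone-server assumption are mine.

```yaml
# Added example, not from the original post. Two separate mongod.conf
# files for a standalone mongod; the "---" line just separates them here.

# ---- File 1: exposed (assumed to match the post's scrap database) ----
# Listens on every interface on the default port 27017 with no
# "security" section, so authorization is disabled and anyone who finds
# the port can read, drop and replace every database.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# ---- File 2: hardened ----
# Bind only to loopback (or a private interface) so the port is not
# reachable from the internet, and require authentication so that even
# a reachable client needs a valid user before it can touch any data.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

Before switching to the hardened file, create at least one administrative user with db.createUser in the admin database, otherwise nobody can log in once authorization is enabled. Backups, as the post shows, are the second half of the answer, because a hardened instance can still be wiped by mistake.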
