MongoDB Ransomware Hack – What Did We Learn?

Early on Jan. 9, about 12,000 MongoDB database servers were compromised. Later the number rose to 28,000 servers.  As many as 46,000 servers are vulnerable to this attack.

A cyber-criminal using the alias “Harak1r1” exploited a weakness in the default installation of the popular database solution, MongoDB.  He demanded a 0.2BTC ransom ($220) to return the data he exfiltrated from thousands of victim systems.  Older installations of MongoDB that were deployed via cloud hosting services in an insecure default configuration were attacked.  Most of the attacks happened on the AWS platform, although other cloud computing platforms were affected as well.

It seems that older versions of MongoDB were installed with open ports accessible to the Internet without a set administrator password.  The attacker took over these systems, then copied and exported the data in the databases.  Then he deleted the data, and replaced it with a ransom demand. This exploit did not need a phishing approach or a malware installation.  The attack just exploited poorly configured systems.

He probably used automated scanning tools to find systems running MongoDB, which may account for so many of the systems being on AWS.  The automated tool would run more quickly on a defined subnet.

Why did this happen?  AWS is a popular platform with DIY crowd, and many of they people may be experienced technicians in some aspect of their project, but they are not getting into the manual where there are instructions on how to set up an administrative account with a proper password.

If you are running a MongoDB server, and have not been hacked yet, it probably means you set up a proper administrative account, and have your system secured in other ways as well.  But it is worth a look to check and be sure.  And if you are not doing some sort of backup of your system and database, that is the next item on your to do list.  And read the manual for crying out loud!

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.