Ransomware targeting MongoDB databases threatens to report victims for GDPR breach

An unknown hacker has targeted 22,900 MongoDB databases in a ransomware attack that threatens to report victims to authorities for breaching the European Union General Data Protection Regulation if they don’t pay up.

This article first appeared on Silicon Angle.

The campaign, which security researcher Victor Gevers of the Dutch Institute for Vulnerability Disclosure reported on Wednesday, was first detected in April. According to ZDNet, the attackers use automated scripts to scan the internet for MongoDB installations with authentication disabled (no password set). Because such a server accepts any client that can reach its port, the script can read and drop every database without credentials; it wipes the contents, then leaves a ransom note demanding 0.015 bitcoin ($137) within 48 hours for the return of the data it claims to have stolen.
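The exposure the scripts hunt for is a combination of two settings: a server bound to a public interface and `security.authorization` left at its default (disabled). The audit below is an added example, not code from the article or from MongoDB; it parses the small YAML subset that mongod.conf uses and flags the dangerous combination. The two configuration files are constructed for the example, and the assumption that `net.bindIp` defaults to localhost holds for mongod 3.6 and later.

```python
"""Audit a mongod.conf for the unauthenticated-and-exposed condition.

Added example: the two sample configs below are constructed, and the
parser only understands the nested-map/scalar subset that mongod.conf
actually uses (no lists of maps, no anchors).
"""

# Constructed: a config that exposes an unauthenticated server to the network.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
# no security section: authorization defaults to disabled
"""

# Constructed: the hardened equivalent.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled   # every client must authenticate
"""


def parse_conf(text):
    """Parse indentation-nested `key: value` lines into nested dicts."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # climb back to the enclosing map
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the two checks pass."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})

    # mongod >= 3.6 binds to localhost unless told otherwise (assumption stated above).
    bind_ip = net.get("bindIp", "127.0.0.1").strip("[]")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    exposed = bind_all or any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")
    )
    auth_enabled = security.get("authorization", "disabled").lower() == "enabled"

    findings = []
    if exposed:
        findings.append("net.bindIp/bindIpAll: server listens on all interfaces")
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled': "
                        "any client can read, write and drop databases")
    if exposed and not auth_enabled:
        findings.append("CRITICAL: unauthenticated MongoDB reachable from the "
                        "network; this is the exposure the wiper scripts scan for")
    return findings


def is_wipeable(text):
    """True when the config matches what the automated scripts look for."""
    return any(f.startswith("CRITICAL") for f in audit_mongod_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["ok"])
```

A static audit only tells you what the file says; confirm the live state from a host outside the server's network with `mongosh --host <address> --eval 'db.adminCommand({listDatabases: 1})'`. If that returns database names without prompting for credentials, the server is in exactly the state the note describes, and enabling `security.authorization`, creating an admin user, and restricting `net.bindIp` should happen before anything else.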

“In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe,” the ransom note reads in somewhat broken English. “Under the rules of the law, you face a heavy fine or arrest.”

Ransomware attacks are a dime a dozen, but the scope of this attack is notable, since according to Gevers the 22,900 MongoDB databases successfully targeted account for about 47% of all MongoDB databases accessible online.

“The threat to contact GDPR authorities is an interesting new dimension in the ransomware saga,” Chris Rothe, co-founder and chief product officer of threat detection firm Red Canary Inc., told SiliconANGLE today. “Attackers continue to look for ways to multiply leverage. In recent years, ransomware actors have added confidentiality attacks (threats to expose sensitive data) to availability attacks (making systems or data inoperable) in order to increase the probability and size of ransom payment. Adding the threat of regulatory fines is a third dimension to generate leverage.”

Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, thinks governments should create special agencies or law enforcement teams to crawl and monitor the internet for such leaks in their jurisdictions.

“Once detected, legal action should be taken against the company behind the leak and all costs of the monitoring and investigation should likewise be imposed on the guilty company,” he said. “Organizations, on their side, should urgently implement continuous attack surface monitoring and implement a well-thought third-party risk management program.”