Hackers are ransoming 26,000 unsecured MongoDB databases, security researchers find

Included in the ransacked databases was three years of research data on leukemia patients.
By Jessica Davis
02:13 PM
Share
ransomware attack of MongoDB

MongoDB databases are being ransomed. Photo via Twitter

Three hacking groups are once again targeting MongoDB databases, hijacking 26,000 open servers and asking for a ransom to release the data, according to security researcher Victor Gevers, chairman of the GDI Foundation.

One of the hacking groups hijacked 22,000. And all groups are demanding about $650 to restore the data.

The initial attacks were first discovered by hackers in late 2016 and continued into early 2017. These attacks were simple for hackers to launch: They simply scanned the internet for MongoDB databases left open to external content, wiped the content and replaced data with a ransom demand.

[Register Now: Upcoming HIMSS Healthcare Security Forum]

Two healthcare organizations were part of these initial attacks.

MacKeeper Security Research Center discovered a misconfigured MongoDB database that contained data from over 200,000 patients and other sensitive information on Dec. 30, 2016. On Jan. 3, the firm confirmed this data was linked to Emory Brain Health Center.

And tens of thousands -- and possibly millions -- of Bronx-Lebanon Hospital Center’s patient records were exposed in a breach, due to a misconfigured rsync backup by its vendor. The database was located on a MongoDB server.

This new wave of attacks occurred over the weekend, and in total 45,000 databases were destroyed. Included among the latest victims was a database containing three years of leukemia patient data, which was used for research to improve treatments, Gevers told ZDNet.

Gevers also said that there are about 21,000 unsecured instances of MongoDB, and he estimates that 99 percent were ransacked.

After the initial attacks in January, MongoDB sent an advisory that explained how users should use security to prevent these types of breaches. But it appears some users did not get the message and are now falling victim to similar attacks.

Gevers did not respond to requests for comment by the time of publication.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com