Mongo Lock is a new attack aimed at MongoDB databases that are left unprotected with remote access open. It is a ransomware threat: it wipes these databases and then, like any other ransomware, uses extortion to try to trick the victims into paying a ransom for supposedly recovering their data.
Mongo Lock and its Modus Operandi
MongoDB databases have been targeted in the past, so a new campaign against them is not surprising. Those behind the attacks either scan the internet themselves or use services such as Shodan.io to find MongoDB servers that are not secured. If the attackers connect successfully and get inside a server, they can export or delete its databases and then leave a ransom note with instructions on how to allegedly restore them.
Bob Diachenko, the security researcher who first discovered this new Mongo Lock campaign, shares that the attackers connect to an unprotected database and simply erase it. A new database called “Warning”, with a collection inside it named “Readme”, is left in place of the old one. As one could guess, that Readme collection contains the ransom message, which claims that the database has been encrypted and that the victims must pay if they want it restored. The current Mongo Lock campaign does not reveal a Bitcoin address but instead directs victims to contact the cybercriminals through an email address.
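Two defensive checks for the pattern described above, added here as example code (not from the original post or from MongoDB): audit_mongod_conf() flags the exposure the campaign relies on (a server bound to non-loopback interfaces with authorization not enabled), and find_mongo_lock_indicators() flags the “Warning”/“Readme” artifact left behind. The mongod.conf samples are constructed, and the tiny parser only handles the two-level `key: value` subset of YAML they use.

```python
from typing import Dict, List

# Constructed sample mongod.conf files (not from any real server).
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = (
    "net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
    "security:\n  authorization: enabled\n"
)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the two-level 'section:\\n  key: value' subset of YAML used above."""
    tree: Dict[str, Dict[str, str]] = {}
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):          # top-level section, e.g. 'net'
            section, tree[key] = key, {}
        elif section is not None:
            tree[section][key] = value.strip()
    return tree


def audit_mongod_conf(text: str) -> List[str]:
    """Return findings; an empty list means neither weakness is present."""
    conf = parse_simple_yaml(text)
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp not set: set it explicitly to loopback or a private address")
    elif any(ip.strip() not in LOOPBACK for ip in bind_ip.split(",")):
        findings.append(f"net.bindIp={bind_ip}: server reachable from non-loopback interfaces")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not 'enabled': unauthenticated clients get full access")
    return findings


def find_mongo_lock_indicators(databases: Dict[str, List[str]]) -> List[str]:
    """databases maps database name -> collection names, as a server listing gives.
    Report a 'Warning' database holding a 'Readme' collection; the note inside claims
    encryption, but the original databases were dropped, so paying restores nothing."""
    return [
        f"{db}.Readme: ransom-note collection present"
        for db, cols in databases.items()
        if db.lower() == "warning" and any(c.lower() == "readme" for c in cols)
    ]
```

Run the audit against the file a real deployment ships and the indicator check against `listDatabases`/`listCollections` output; a clean config and restored backups, not the ransom, are the recovery path.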
The ransom note of the Mongo Lock ransomware threat is displayed below:
The note states the following:
Your database was encrypted by ‘Mongo Lock’. if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don’t delete ‘Unique_KEY’ and save it to safe place, without that we cannot [...]
*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | SensorsTechForum.com authored by Tsetso Mihailov. Read the original post at: https://sensorstechforum.com/mongo-lock-ransomware-deletes-vulnerable-mongodb-databases/