Need help because your MongoDB installation was hit by ransomware?
For the past week, this site has been providing updates on previous coverage about a wave of ransomware attacks hitting misconfigured MongoDB installations. New instances continue to be detected by researchers on a daily basis. The attacks have shown no geographic or sector boundaries – any MongoDB installation indexed by Shodan.io that had or has Port 27017 open has been either wiped out by now or remains at risk. And by now, the number of wiped databases is more than 32,000.
That’s a lot of destroyed data, particularly if they were production databases and the entities had no recent backups.
If you are a victim who needs assistance or you aren’t sure whether to pay the ransom demand, or what to do, here are a few resources for you:
Read this article from MongoDB on how to secure your installation.
Contact Victor Gevers of GDI via Twitter (@0xDUDE) or Niall Merrigan of Capgemini via Twitter (@nmerrigan). They have been working quietly and discreetly to assist victims and my understanding is that they will not name you publicly or disclose your contacts with them.
Kromtech Security, associated with MacKeeper, is also offering some interesting assistance. If you don’t know what was actually in your now-wiped database, Kromtech may have a snapshot of your database that can help you determine what kind of records you had in there. From their announcement this morning:
MacKeeper Security Research Center is offering free support to companies hacked in a recent MongoDB takeover by providing copies of database snapshots / 15-records samples to those who didn’t have their own backups.
Our security reports contain 15-records txt-samples taken from (mostly large, more than 1GB, and of course unprotected, hosted in the US, Canada and Great Britain, with some small extent of other locations) databases, but sometimes even that can be helpful in assessing the sensitivity / origin of data and help companies and organizations make right decision.
We would only require that they contact us at [email protected] from a verified company or branded email address and provide an IP address on which database was hosted so we can identify both the owner and database.
DataBreaches.net has collaborated with Kromtech/MacKeeper numerous times over the past year. They have been quietly helping many firms by reaching out to them to let them know when they have found unsecured MongoDB installations, and more recently, leaky Rsync devices. Most of their “finds” are not reported on MacKeeper Security Research Center, and some of the situations they contact me about for notification assistance are never mentioned publicly on their site or this one.
If you’re struggling to recover from one of the MongoDB attacks, consider availing yourself of the free resources above.
And then, of course, make sure that you properly lock down your databases going forward. This site is already aware of one entity – unnamed – who as part of their recovery went ahead and repeated the misconfiguration that left their data at risk in the first place.
If you know of other free resources, please let me know via the Comments section below.