An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. 

While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.

According to security researcher Bob Diachenko who discovered the new Mongo Lock campaign, the attackers will connect to an unprotected database and delete it. In its place, the attackers will leave a new database called “Warning” with a collection inside it named “Readme”.

Warning Database
Warning Database

The Readme collection will contain a ransom note that explains that the database has been encrypted and that the victims need to pay them a ransom to get it back. In the Mongo Lock campaign, as shown below, the attackers do not leave a bitcoin address, but rather direct the victim’s to contact them via email.

Readme Collection
Readme collection with ransom note (Click to enlarge)

The ransom note for the Mongo Lock attack reads:

Your database was encrypted by 'Mongo Lock'. if you want to decrypt your database, need to be pay us 0.1 BTC (Bitcoins), also don't delete 'Unique_KEY' and save it to safe place, without that we cannot help you. Send email to us: [email protected] for decryption service.

Other attacks will display the bitcoin…