Why Thousands of MongoDB Databases Were Wiped and Ransomed – What You Must Do

Thousands of Internet-exposed MongoDB databases were erased and replaced with ransom demands, yet almost no victims recovered their data. The campaign exposes widespread misconfiguration (instances running with no authentication on a public interface, readily found through Shodan) and the urgent need to harden MongoDB deployments properly.

ITPUB

Background

Thousands of MongoDB databases exposed on the Internet have been wiped and replaced with ransom notes. Victims who pay rarely receive their data.

MongoDB Security Guidance

MongoDB ships the security features an enterprise deployment needs; the compromised instances were simply running without any of them. The official production-environment guide covers the controls that matter here: enabling authentication and role-based access control, TLS/SSL on the wire, firewall restrictions on port 27017, and binding the server to localhost or an internal interface. Note that mongod does not enable access control by default, so an out-of-the-box install listening on a public address is open to anyone who finds it. Correct configuration prevents this class of unauthorized access entirely.

Scale of Exposed Instances

Research indicates that about 52,000 MongoDB servers are publicly reachable. The United States hosts the largest share, followed by China. Notable earlier incidents include a 2016 Verizon breach that exposed about 1.5 million customer contacts through an unsecured MongoDB instance.

Shodan Findings

A Shodan query for MongoDB returns the database names that an unauthenticated server will list, typically defaults such as local. Recent scans also show databases named readme, readnow, encrypted, and readplease: these are the attackers' ransom notes, each holding a contact email, a Bitcoin address, and payment instructions in place of the data that used to be there.

Ransomware Campaign Impact

At least 29,000 previously public MongoDB databases have been deleted by extortionists. Victims who paid the ransom seldom got anything back; in many cases the attackers dropped the databases without copying them first, so there was nothing to return. The scheme is effectively a kidnapping in which the ransom note is no evidence that the data still exists.

Mitigation Recommendations

Enable authentication (security.authorization: enabled) and enforce role-based access control; create an administrative user first, then least-privilege users per application.

Bind MongoDB to localhost, or to an internal interface only, and restrict access to port 27017 with host or network firewalls. Binding to 0.0.0.0 on a host with a public address is what made these instances reachable.

Use TLS/SSL so credentials and data are encrypted between client and server.

Regularly audit which ports your hosts expose (Shodan will list yours too). MongoDB has no default credentials to remove; the default is no authentication at all, so check that no instance is running with access control disabled.

If a ransom demand is received, request "proof of life" (a sample of the deleted data) before considering payment; treat the instance as compromised, restore from a known-good backup if one exists, and harden the server before bringing it back online.
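The checklist above maps to a handful of mongod.conf settings, and the quickest way to find the exposed instances in a fleet is to audit those settings directly. The script below is an added example, not ITPUB's or MongoDB's own code: it parses the indented key/value YAML subset that mongod.conf uses and reports the three gaps the text lists (access control off, listening on every interface, TLS not required). The two configs are constructed samples; 10.0.0.5 in the hardened one is an assumed application-network address. The option names are real mongod.conf keys.

```python
"""Audit a mongod.conf for the exposure settings behind the wipe-and-ransom campaign.

Added example (not ITPUB's or MongoDB's code). Sample configs are constructed.
"""

# Constructed sample: the kind of file found on the wiped instances.
# No security section at all, listening on all interfaces, plaintext wire.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the whole Internet if the host has a public IP
"""

# Constructed sample: the same deployment after hardening. 10.0.0.5 is an assumed
# application-network address; a firewall still has to limit who can reach it.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_conf(text):
    """Parse indented `key: value` / `key:` nesting into nested dicts.

    Handles what mongod.conf normally contains: nested maps, scalar values and
    `#` comments. Flow-style `{...}`, lists and multi-line scalars are not handled.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        while indent <= stack[-1][0]:  # close deeper or equal nesting levels
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def get(conf, dotted, default=None):
    """Look up `net.tls.mode`-style paths; missing keys return `default`."""
    node = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(conf):
    """Return (severity, message) findings for the three hardening points."""
    findings = []

    # 1. Authentication. mongod runs with access control disabled unless this is set;
    #    that, not weak passwords, is what let the attackers drop the databases.
    if get(conf, "security.authorization") != "enabled":
        findings.append(("HIGH", "security.authorization is not 'enabled': "
                                 "anyone who can reach the port has full access"))

    # 2. Network binding. 0.0.0.0 / '::' or bindIpAll puts the server on every interface;
    #    an unset bindIp did the same on mongod releases before 3.6.
    bind = get(conf, "net.bindIp")
    if get(conf, "net.bindIpAll") == "true" or bind is None:
        findings.append(("HIGH", "mongod may listen on all interfaces "
                                 "(bindIpAll set, or no explicit net.bindIp)"))
    else:
        addrs = [a.strip() for a in bind.split(",") if a.strip()]
        port = get(conf, "net.port", "27017")
        if any(a in ALL_INTERFACES for a in addrs):
            findings.append(("HIGH", f"net.bindIp={bind!r} listens on all interfaces"))
        elif not all(a in LOOPBACK for a in addrs):
            findings.append(("CHECK", f"net.bindIp={bind!r} is reachable over the network; "
                                      f"confirm a firewall limits port {port}"))

    # 3. Transport encryption. net.tls (4.2+) or the older net.ssl block must require it.
    mode = get(conf, "net.tls.mode") or get(conf, "net.ssl.mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append(("HIGH", f"TLS not required (mode={mode!r}): "
                                 "credentials and data cross the wire in clear text"))
    return findings


def audit_text(text):
    """Convenience wrapper: audit a mongod.conf given as a string."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit_text(conf) or [("OK", "no findings")]:
            print(f"{severity:5} {message}")
```

Run it against `/etc/mongod.conf` on each host (read the file and pass it to `audit_text`). The weak sample yields three HIGH findings; the hardened sample yields only a CHECK reminding you that binding to an internal address is not a substitute for the firewall rule. Note that the parser stops at the first `#`, so a value containing that character would need escaping.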

Tags: database security, data breach, MongoDB, ransomware, Shodan
Written by ITPUB