The attack exploits a well-known weakness first reported in 2015: MongoDB instances left open to the internet with no password set. The ransomware has targeted such servers, replacing the existing database with a ransom message. According to the reports cited below, the attack was discovered by Victor Gevers, an ethical hacker and chairman of the GDI Foundation, who came across it while finding and reporting unprotected MongoDB installations to their owners.
Most of the affected databases are older MongoDB installations that have not been updated for a long time. The number of exposed installations, reported at around 30,000 in 2015, has fallen by only about 5,000 since then. The exposed instances were first catalogued by John Matherly, creator of the Shodan search engine.
The ransom of 0.2 BTC, worth close to $200 at the time, has already been paid by at least 16 affected organisations. It is not known whether those who paid got their data back.
Unlike conventional ransomware, the script used by “harak1r1” does not encrypt the data; instead, it exports the database contents to the attacker and replaces the existing database with a ransom note. Since Gevers made his findings public, he has received multiple requests for help from people affected by the attack. Those who kept regular backups have avoided paying: they secured the instance (enabling authentication and closing it off from the internet) and then restored the latest backup.
As advised in the past, keeping all software updated is good practice for the security and integrity of any platform. Businesses handling sensitive data should have their IT infrastructure audited and implement the recommended changes without fail; for MongoDB that means, at a minimum, requiring authentication and not exposing the listener to the public internet. Maintaining regular backups also drastically reduces the damage from both technical failures and security breaches, as the recoveries above show.
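The audit step above comes down to one question: will the server list its databases to anyone who connects, with no credentials? The probe below is an added example written for this page, not code from the article, from Gevers, or from MongoDB. It speaks the legacy OP_QUERY wire protocol used by the 2.x/3.x servers of that era (MongoDB 5.1 and later no longer accept commands over OP_QUERY), sends `listDatabases` to `admin.$cmd` without authenticating, and reports OPEN if the server answers with database names (the condition harak1r1 exploited), or AUTH_REQUIRED if it refuses with error code 13 `Unauthorized`. It uses only the standard library; the two sample replies are constructed to match mongod's response shape rather than captured from any real host, and the small BSON codec covers just the types those replies contain. Run `probe()` only against servers you are authorised to test.

```python
# Probe a MongoDB listener for unauthenticated access over the legacy OP_QUERY wire
# protocol (2.x/3.x servers). Added example, not code from the article or MongoDB;
# standard library only. Sample replies below are constructed, not captured.
import socket
import struct

OP_REPLY, OP_QUERY = 1, 2004
UNAUTHORIZED = 13  # MongoDB error code when access control rejects a command


def bson_encode(doc):
    """Encode a dict as BSON (only the types this probe needs)."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):        # before int: bool is an int subclass
            body += b"\x08" + name + bytes([int(value)])
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        elif isinstance(value, list):      # arrays are documents keyed "0", "1", ...
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported BSON value: {value!r}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_decode(buf, pos=0):
    """Decode one BSON document at buf[pos]; returns (dict, offset after it)."""
    end = pos + struct.unpack_from("<i", buf, pos)[0]
    pos, out = pos + 4, {}
    while pos < end - 1:                   # final byte of a document is 0x00
        etype, name_end = buf[pos], buf.index(b"\x00", pos + 1)
        name, pos = buf[pos + 1:name_end].decode(), name_end + 1
        if etype == 0x01:                  # double
            value, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif etype == 0x02:                # string: int32 length (incl. NUL) + bytes
            slen = struct.unpack_from("<i", buf, pos)[0]
            value, pos = buf[pos + 4:pos + 3 + slen].decode(), pos + 4 + slen
        elif etype in (0x03, 0x04):        # embedded document / array
            value, pos = bson_decode(buf, pos)
            if etype == 0x04:
                value = [value[k] for k in sorted(value, key=int)]
        elif etype == 0x08:                # boolean
            value, pos = buf[pos] == 1, pos + 1
        elif etype == 0x10:                # int32
            value, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        elif etype in (0x11, 0x12):        # timestamp / int64
            value, pos = struct.unpack_from("<q", buf, pos)[0], pos + 8
        else:
            raise ValueError(f"unhandled BSON type 0x{etype:02x}")
        out[name] = value
    return out, end


def build_query(request_id, command):
    """Frame a command against admin.$cmd as an OP_QUERY message."""
    body = struct.pack("<i", 0) + b"admin.$cmd\x00" + struct.pack("<ii", 0, -1) + bson_encode(command)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def parse_reply(data):
    """Return the first document carried by an OP_REPLY message."""
    length, _req, _resp_to, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_REPLY or length != len(data):
        raise ValueError("not a complete OP_REPLY message")
    return bson_decode(data, 36)[0]        # 16-byte header + 20-byte OP_REPLY fields


def classify(reply):
    """OPEN (listed databases without credentials), AUTH_REQUIRED, or OTHER."""
    if reply.get("ok") == 1 and "databases" in reply:
        return "OPEN", [db["name"] for db in reply["databases"]]
    if reply.get("code") == UNAUTHORIZED or reply.get("codeName") == "Unauthorized":
        return "AUTH_REQUIRED", []
    return "OTHER", []


def probe(host, port=27017, timeout=5.0):
    """Live check against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_query(1, {"listDatabases": 1}))
        stream = sock.makefile("rb")
        header = stream.read(4)
        data = header + stream.read(struct.unpack("<i", header)[0] - 4)
    return classify(parse_reply(data))


def build_reply(doc, response_to=1):
    """Frame a document as an OP_REPLY; used only to construct the samples below."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), 0, response_to, OP_REPLY) + body


# Constructed samples in the shape mongod returns (not captured from any real host).
SAMPLE_OPEN_REPLY = build_reply({
    "databases": [{"name": "admin", "sizeOnDisk": 32768.0, "empty": False},
                  {"name": "customers", "sizeOnDisk": 1048576.0, "empty": False}],
    "totalSize": 1081344.0, "ok": 1.0})
SAMPLE_DENIED_REPLY = build_reply({
    "ok": 0.0, "errmsg": "not authorized on admin to execute command { listDatabases: 1 }",
    "code": UNAUTHORIZED, "codeName": "Unauthorized"})
```

A result of OPEN from any address other than the application hosts is exactly the exposure the article describes. The fix on the server side is two settings in `mongod.conf`: `security.authorization: enabled` (after creating an administrative user) and a `net.bindIp` limited to localhost or the internal interface that the application actually uses, with the firewall blocking 27017 from the internet as a second layer. Re-running the probe from outside should then return AUTH_REQUIRED or fail to connect at all.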
Ref: The Register | Bleeping Computer | Image: NewsBTC