No honor among thieves: Crooks seeking ransom for MongoDB data someone else stole

It took less than a week for criminals to drain virtually all publicly exposed MongoDB servers of their data, and now a second tier of opportunistic thieves is trying to walk off with the ransom.

When attackers initially deleted the data, sometimes terabytes at a time, they left ransom notes demanding payments in bitcoin.
In the meantime, other thieves have come along to these still-insecure servers, deleted the initial ransom notes and left their own. And sometimes after that, another thief came along and deleted that note and left yet another.
“There’s a fluctuation and shift in which ransom note is being displayed on the server at any given minute,” says Zach Wikholm, a research developer at Flashpoint.
Not that it matters, he says. The likelihood that any victim of these thefts will ever get their data back is minuscule. It’s relatively easy to find the vulnerable servers, pull down the data and delete it, but to do that and to store it would require time and enormous amounts of storage, he says.
It’s highly unlikely the thieves made that kind of investment. Instead they deleted the data and demanded payment to restore it. “There’s no hope for those who were compromised,” he says.
It didn’t take a large group to commit these crimes. “Pulling this off is within the ability of one person,” says Allison Nixon, Flashpoint’s director of security research. “Now there are multiple bad actors for sure. Opportunists is a good word.”