Every time hackers deleted a MongoDB database they left a message asking the administrators to contact them to restore the data.
Unfortunately, the criminal practice of deleting MongoDB databases and request a ransom to restore data is common, experts observed several campaigns targeting unsecured archive exposed online.
In the last wave of attacks, crooks don’t request the payment of a specific ransom amount, instead, they provide an email contact to start a negotiation.
“this person might be charging money in
The expert discovered 12,564 unprotected MongoDB DBs that were wiped by an attacker tracked as Unistellar, he searched the text “hacked_by_unistellar” that the attacker left in the message.
Making the same search on Shodan experts at
It is likely the attacker has automated its attacks chain due to the lange number of MongoDB databases deleted by Unistellar.
Jain first discovered the attacks on April 24, the note left by the Unistellar attacker reads “Restore ? Contact : email@example.com
The attacker used two email addresses in these attacks, firstname.lastname@example.org or email@example.com.
According to Jain, Unistellar creates restore points to restore the databases after the victims have paid the ransom.
If you manage a MongoDB instance follow the guidelines on “how to secure a MongoDB database”
If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”