New ransomware tricks: MongoDB databases and UK schools among targets

MongoDB databases have reportedly been hit by at least eight organized crime groups[1], which between them have compromised more than 27,000 servers. The attacks target open databases that are exposed to the internet without any authentication. Reportedly, over 25% of MongoDB systems reachable from the internet have been hit, including those belonging to healthcare, educational and business organizations[2]. Once attackers reach an open database, they export (or claim to export) its contents, drop the original data and leave only a ransom note. Known names under which the notes are left: CONTACTME, WARNING, PWNED_SECURE_YOUR_STUFF_SILLY, README_MISSING_DATABASES.

According to information disclosed[3] by security researchers Niall Merrigan and Victor Gevers, the attackers demand ransoms of 0.1-1 Bitcoin and leave an email address as the only way to contact them. Some gangs mock the victim, writing that the database was “publically accessible at port 27017 with no authentication (wtf were you thinking?),” while others give little detail in the note. According to Gevers, the attackers used automated scanners to find MongoDB instances answering on port 27017 without authentication[4]. Gevers also found that in some cases the criminals simply erased all data without making a copy on their own servers, so they could not return it even to a victim who agreed to pay. If you are concerned about the privacy of information stored in MongoDB, we suggest you read these tips.
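The following shell script is an added example, not code from this article or from the researchers it cites. It checks a mongod.conf for the two settings that left these instances open (listening on every interface, authorization switched off), shows the hardened form of the same file, and greps a list of database names for the ransom-note names reported above. The file names, sample configurations and sample database list are constructed for the demonstration, and the script assumes the standard two-level YAML layout of mongod.conf.

```shell
#!/bin/sh
# Added example, not code from the article or the researchers it cites.
# Audits a mongod.conf for the two settings behind the 2017 MongoDB ransom
# incidents (listening on every interface, no authorization) and flags
# database names matching the ransom notes reported above. All file contents
# and the sample name list below are constructed for the demonstration.
# Assumption: the config uses mongod's standard two-level YAML layout
# (net: / bindIp:, security: / authorization:).
set -eu

# 0 if security.authorization is enabled in the given config, 1 otherwise.
# Commented-out lines start with '#', so the anchored indent does not match them.
mongod_auth_enabled() {
  grep -Eq '^[[:space:]]+authorization:[[:space:]]*enabled[[:space:]]*$' "$1"
}

# 0 if net.bindIp is set and lists no wildcard address, 1 otherwise.
# A missing bindIp counts as open: mongod before 3.6 bound 0.0.0.0 by default.
mongod_bind_restricted() {
  if grep -Eq '^[[:space:]]+bindIpAll:[[:space:]]*true' "$1"; then
    return 1
  fi
  bind=$(grep -E '^[[:space:]]+bindIp:' "$1" | sed 's/.*bindIp:[[:space:]]*//' | tr -d ' "')
  [ -n "$bind" ] || return 1
  case ",$bind," in
    *,0.0.0.0,*|*,::,*|*,\*,*) return 1 ;;
  esac
  return 0
}

# Print one line per problem found; the return value is the number of problems.
audit_mongod_conf() {
  problems=0
  if ! mongod_bind_restricted "$1"; then
    echo "$1: net.bindIp unset or wildcard: mongod accepts connections on every interface"
    problems=$((problems + 1))
  fi
  if ! mongod_auth_enabled "$1"; then
    echo "$1: security.authorization not enabled: any client that reaches port 27017 has full access"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Names the ransom notes were left under, per the researchers cited above.
RANSOM_NOTE_NAMES='CONTACTME|WARNING|PWNED_SECURE_YOUR_STUFF_SILLY|README_MISSING_DATABASES'

# Read one database or collection name per line on stdin, e.g. from
#   mongo --quiet --eval 'print(db.getMongo().getDBNames().join("\n"))'
# and print the ones that match a known ransom-note name (exit 0 if any did).
find_ransom_note_names() {
  grep -Ex "($RANSOM_NOTE_NAMES)"
}

# --- demonstration on constructed inputs ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The shape of a config behind many of the ransomed instances: bound to every
# interface, authorization never switched on.
cat > "$WORK/weak.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
#security:
#  authorization: enabled
EOF

# The hardened form: local interface only and authorization enabled (create an
# admin user via the localhost exception, then restart mongod).
cat > "$WORK/hardened.conf" <<'EOF'
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
EOF

for conf in "$WORK/weak.conf" "$WORK/hardened.conf"; do
  if audit_mongod_conf "$conf"; then
    echo "$conf: ok"
  fi
done

# Constructed output of getDBNames() from an instance that has been hit.
printf 'admin\nlocal\nWARNING\n' | find_ransom_note_names
```

Run the audit against /etc/mongod.conf on every host. After enabling authorization, create the first administrative user through the localhost exception (db.createUser in the admin database with the root role), restart mongod, and block port 27017 at the firewall for everything except application hosts. The name check only catches notes left under the names seen so far; an empty database list where data used to be is the stronger signal, and a backup that was taken before the scan reached you is the only reliable recovery.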

UK schools and MongoDB databases among ransomware targets

Speaking of ransoms and databases, we also want to warn computer users about malicious actors who are impersonating employees of the UK “Department of Education” (the real name of the institution is the Department for Education) in order to infect school networks with ransomware. The scammers cold-call educational institutions and, posing as representatives of the department, try to talk the person who answers into revealing the head teacher's direct phone number and email address[5]. If that succeeds, the criminals send a malicious .zip attachment to the email address they were given. The ransomware hidden in that file encrypts files across the school network and demands a ransom in exchange for decryption software. It is known to demand up to £8,000, and it is unknown whether the culprits actually provide a working recovery tool after payment. The pretext itself is the giveaway: a government department does not cold-call for a head teacher's contact details, and any such request should be verified by calling back on a published number before anything is disclosed.

These events are a reminder to follow basic safety rules online. Every internet-facing service and account must be protected with strong authentication, and unexpected emails and attachments should be treated with suspicion. Scammers go out of their way to target inexperienced users, so keeping up with the latest cyber threats matters and should be a continuous effort. We highly advise reading these ransomware prevention tips and also more about the Locky virus, which is one of the top cyber threats at the moment.[6]

About the author
Olivia Morelli, ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
