All You Can Delete MongoDB Buffet

Simon Tame | 12 January 2017

A number of extortion actors were detected accessing unauthenticated MongoDB installations and replacing their contents with a ransom note, usually containing an email and Bitcoin address and the usual "we have your data" message. The earliest activity we observed was from December 20, 2016 at which time there appeared to be only one actor conducting the activity using the nickname "harak1r1". Since then, the number of actors involved (or at least the number of unique identifiers) increased – on January 10, 2017, that number was at 11. Approximately half of these actors had received ransom payments (between 0.2 BTC and 0.5 BTC) based on the transactions made into their Bitcoin addresses. Their overall earnings were relatively low, with the highest at around $7,962 USD.  This isn’t bad considering the low capability, low amount of resourcing required and the short duration of the activity. When last checked, the reported number of affected instances was between 27,000 and 28,000.

On January 6, we set up a honeypot running a MongoDB installation without authentication. At some point over the following weekend it was ransomed, with the given email kraken0[at]india[.]com). The time between establishing this honeypot and a ransom note appearing, coupled with the reported number of infected installations over a couple of days, showed the pace at which this activity was occurring.

 

Ransom demand honeypot 

Fig 1 – A screenshot of the ransomware demand from our honeypot 

On January 11, a Pastebin post by an actor purporting to be "kraken0" uploaded an advertisement for "MongoDB ransomware" to the text sharing site Pastebin (see Fig 2). The advertisement for this purported ransomware suggested it was written in the c# coding language. The author of the post claimed the script could handle "1,000 IPs per second" and that this could be higher with the necessary infrastructure. The author claimed the CPU load of the script was low but that RAM was important if the operator was using a large list of IPs. A list of IPs was purportedly included in the source code.

 

Kraken for sale 

Fig 2: A Pastebin post from January 11, 2017 

Overall, the package offered included the "kraken" source code, 100,000 IP lists with open MongoDB installations and a mass MongoDB scanner. This was offered for $200 USD in Bitcoin and could be purchased via contacting the actor's email address. We previously assessed it as almost certain at least some of the actors involved were using automated scripts to scan for Internet-facing, unauthenticated MongoDB installations, following which the contents would be replaced with a ransom note containing actor identifiers.

At the time of writing the identifiers associated with the "kraken0" actor were independently reported to have been discovered on 21,642 open MongoDB installations. Research into the Bitcoin addresses associated with the actor showed they had received a total of $7,962 USD spanning 95 transactions since January 7. The actor had withdrawn all of these funds from the address as at January 11. It was not confirmed if all of these transactions were ransom payments.

While we have not detected enough evidence to judge whether this was a genuine offering at the time of writing, the use of an automated script to identify open MongoDB installations is consistent with our previous assessments on this extortion activity. Some of the capabilities described by the actor were within the realms of possibility and, should they be genuine, provide some explanation as to the number of MongoDB installations the actor has managed to affect when compared to other actors conducting similar extortion attempts. However, the claims around the CPU load of the script and the contents of the offering could not be judged. The actor kraken0 has demonstrably received ransom payments from at least some of the affected victims, and if this is a genuine offering it would suggest the actor is likely intending on discontinuing their extortion activity and instead attempting to sell their tools.

We had previously assessed that the number of actors conducting the extortion activity would cause overlapping extortion attempts and reduce the viability of this method over time. This offering is a possible indication the actor kraken0 had decided the tactic they were using was no longer profitable or viable, or that the actor was attempting to take the ransoms they had received and disappear. It is considered less likely the actor intended to continue their activity after selling their tooling, as this had the potential to create unnecessary competition for a method that had been lucrative.