Cybercriminals are once again targeting unsecured MongoDB databases but this time they are threatening to report the owners of those database for GDPR violations if their ransom demands are not met.
As reported by ZDNet, the hacker behind this new campaign has uploaded ransom notes on 22,900 MongoDB databases that were left exposed online without a password. They are using an automated script to scan for misconfigured MongoDB databases, wiping them and then demanding that a ransom of 0.015 bitcoin or around $140 be paid.
The campaign was first discovered by security researcher Victor Gevers at the Dutch Institute for Vulnerability Disclosure back in April.
After leaving the ransom note, the attacker gives victims two days to pay before they contact a victim’s local GDPR enforcement authority to report the data leak they caused in the first place.
Once the attacker gains access to a victim’s MongoDB server, they wipe the databases it contains and create a new database called “READ_ME_TO_RECOVER_YOUR_DATA”.
Inside the new database, there is a collection named “README” which contains a ransom note explaining the victim’s data has been “backed up” and that they must pay $140 to recover it, which reads:
“After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server!”
Based on preliminary analysis conducted by Gevers, he believes that the data was actually not backed up before the database was wiped.
While cybercriminals have targeted unsecured database servers in the past, this is the first time that they’ve used the threat of a GDPR violation against their victims to ensure that their ransom is paid.