News of a massive ransom campaign against MongoDB is raising significant alarms.
While extortion is not new as a criminal act, the way it is being applied to technology, and the evolution of ransomware into broader, more impactful campaigns, is a new phenomenon.
In the case of MongoDB, a lone attacker originally began aggressively compromising exposed databases, copying and ultimately deleting their data, and then launching extortion attempts against the victims.
What started as only a few hundred servers is continuing to multiply. The threat has now expanded to roughly 28,000 MongoDB servers, and the number seems to be climbing. When an exposure like this becomes public, other actors jump in to take advantage, so the initial perpetrator isn’t the only one involved. Many of the servers first taken over by the original attacker have since been hit by an onslaught of copycats.
These developments are especially concerning because it’s unclear whether the criminals copy the data before deleting it, so paying the ransom might be fruitless.
An act such as this suggests that holding data for ransom is escalating beyond simple host-based malware and has made its way to servers and databases, which creates a slew of challenges that could cripple an organization.
Complacency is a huge risk for system admins, but in this situation there is a silver lining. Because this incident is primarily caused by a configuration shortfall, a remedy is possible if swift action is taken.
It’s important to consider the following:
- Regular audits of configurations are essential; the old mantra of “if it isn’t broken, don’t fix it” needs to go away. Organizations can audit their settings against security standards, and notice deviations, without bringing their systems offline.
- Enforce strong authentication. If a system admin is able to log in to a database that is critical to the organization without credentials, that should be a huge red flag, and that is essentially what occurred here: remote admin access without credentials. How did they go for so long without someone questioning the ability to log in without authenticating?
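A static check for the configuration audit point above, added here as an example and not part of the original article: it reads a mongod.conf and flags a listener bound to every interface (net.bindIp) or authorization left off (security.authorization). The two configuration samples are constructed for illustration, the 10.0.0.5 address is a placeholder, and the parser handles only the indented key/value subset that mongod.conf actually uses.

```python
"""Audit a mongod.conf for the two settings behind the MongoDB ransom campaign.
Added example, not from the original article. Only the indented key/value YAML
subset that mongod.conf uses is parsed (no lists, anchors or flow syntax)."""
import sys

# Constructed sample: the exposed shape, no security section, listening everywhere.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback plus a placeholder private address, authorization on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 stands in for the app-network address
security:
  authorization: enabled       # every client must authenticate and be authorized
"""


def parse_conf(text):
    """Turn indented 'key: value' lines into nested dicts; '#' starts a comment."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping) from root downward
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # close mappings nested deeper than this line
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":                # a key with no value opens a mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip().strip("'\"")
    return root


def audit(conf):
    """Return findings in a fixed order: listener exposure first, then authorization."""
    findings = []
    net = conf.get("net", {})
    if "bindIp" not in net:
        findings.append("net.bindIp unset: set it explicitly; mongod binaries before "
                        "3.6 listen on all interfaces by default")
    else:
        addrs = [a.strip() for a in net["bindIp"].split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp %s: listener reachable from every interface"
                            % net["bindIp"])
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization not enabled: any client that can "
                        "connect may read, copy and drop every database")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # audit a real file, e.g. /etc/mongod.conf
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:                                      # or the two constructed samples
        samples = {"WEAK_CONF": WEAK_CONF, "HARDENED_CONF": HARDENED_CONF}
    for name, text in samples.items():
        result = audit(parse_conf(text))
        print(name, "->", "OK" if not result else "; ".join(result))
```

Run it as `python audit_mongod_conf.py /etc/mongod.conf` on each host (the script name is a placeholder). Enabling security.authorization on a server that has no users yet locks everyone out except through MongoDB's localhost exception, so create an administrative user from the local host first and then restart mongod with the hardened settings. Binding to private addresses is defence in depth, not a substitute for authentication: the servers in this campaign were reachable remotely with neither control in place.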
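The “can anyone log in without credentials?” question in the authentication point above is worth answering empirically for every MongoDB listener you own. The probe below is an added example, not the article's own tooling: it sends an unauthenticated listDatabases command over the OP_MSG wire protocol (MongoDB 3.6 and later) using only the standard library, and classifies the reply from its bytes rather than fully decoding BSON. The two sample replies are constructed byte strings modelled on what an open server and an authorization-enforcing server return; the host name used in the usage note is a placeholder.

```python
"""Probe a MongoDB listener for unauthenticated access: send listDatabases with no
credentials and see whether the server answers. Added example, not the article's
tooling. Speaks OP_MSG (MongoDB 3.6+) with the standard library only; the sample
replies below are constructed, not captured traffic."""
import socket
import struct
import sys

OP_MSG = 2013          # opcode of the OP_MSG wire-protocol message


def bson_doc(pairs):
    """Encode a document (list of (key, value) pairs or a dict) as BSON.
    Supports bool, int32, double, string, array and embedded document: enough
    for a command and for the constructed replies."""
    items = pairs.items() if isinstance(pairs, dict) else pairs
    body = b""
    for key, value in items:
        k = key.encode() + b"\x00"
        if isinstance(value, bool):
            body += b"\x08" + k + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + k + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + k + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + k + struct.pack("<i", len(s)) + s
        elif isinstance(value, list):
            body += b"\x04" + k + bson_doc([(str(i), v) for i, v in enumerate(value)])
        elif isinstance(value, dict):
            body += b"\x03" + k + bson_doc(value)
        else:
            raise TypeError("unsupported BSON value: %r" % (value,))
    doc = body + b"\x00"
    return struct.pack("<i", len(doc) + 4) + doc


def op_msg(doc, request_id=1, response_to=0):
    """Wrap one BSON document in an OP_MSG: standard header, flagBits 0, section kind 0."""
    payload = struct.pack("<I", 0) + b"\x00" + doc
    return struct.pack("<iiii", 16 + len(payload), request_id, response_to, OP_MSG) + payload


def build_list_databases(request_id=1):
    """{listDatabases: 1, $db: "admin"} sent without any prior authentication."""
    return op_msg(bson_doc([("listDatabases", 1), ("$db", "admin")]), request_id)


def classify_reply(reply):
    """Classify a raw reply without a full BSON decoder. An auth-enforcing server
    refuses with error code 13 (Unauthorized); an open server returns a 'databases'
    array, matched here by its BSON array type byte so an errmsg cannot match."""
    if b"\x10code\x00" + struct.pack("<i", 13) in reply or b"requires authentication" in reply:
        return "AUTH_REQUIRED"
    if b"\x04databases\x00" in reply:
        return "OPEN"
    return "UNKNOWN"


def probe(host, port=27017, timeout=5.0):
    """Connect, send the command, read one full reply and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_list_databases())
            reply = sock.recv(4)                       # messageLength comes first
            if len(reply) < 4:
                return "NO_REPLY"
            (length,) = struct.unpack("<i", reply)
            while len(reply) < length:
                chunk = sock.recv(length - len(reply))
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return "UNREACHABLE"
    return classify_reply(reply)


# Constructed replies modelled on the two server behaviours (not captured traffic).
OPEN_REPLY = op_msg(bson_doc([("databases", [{"name": "admin", "sizeOnDisk": 32768},
                                             {"name": "customers", "sizeOnDisk": 8388608}]),
                              ("totalSize", 8421376), ("ok", 1.0)]), 7, 1)
AUTH_REPLY = op_msg(bson_doc([("ok", 0.0),
                              ("errmsg", "command listDatabases requires authentication"),
                              ("code", 13), ("codeName", "Unauthorized")]), 7, 1)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(host, "->", probe(host))
```

Run it as `python probe_mongo_auth.py db.example.internal` against hosts you are authorized to test. OPEN means the server handed the database list to an anonymous client, which is exactly the condition this campaign exploited. Servers older than 3.6 do not speak OP_MSG and will show as UNKNOWN, NO_REPLY or UNREACHABLE rather than OPEN, so treat anything other than AUTH_REQUIRED as needing a closer look with a proper client.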
A ransom campaign of this size and scope, disseminated widely among criminals, demonstrates the evolution of cybercrime. We can expect to see more of these expansive campaigns, which many criminals will view as a gold-rush scenario to exploit until the defenders catch up.
Ultimately, sound security hygiene from the user level to the admin is the only way to safeguard against ransomware and ransom campaigns. Action to instill these best practices throughout an organization must be thorough and detailed. And, most importantly, everyone must be accountable to help thwart these fast-moving threats.