Exposed MongoDB Databases Continue to Fuel Automated Data-Wiping and Extortion Attacks

Despite being a well-known threat vector for years, unsecured MongoDB database servers remain a ripe target for cybercriminals who scan, compromise and extort poorly configured instances exposed on the internet. Recent analysis from security researchers confirms that attackers are continuing these data extortion campaigns, focusing on the easiest targets and demanding small ransoms to “restore” wiped data.

At the core of this threat are MongoDB servers that allow unrestricted access — often due to misconfigurations such as open ports, lack of authentication, or outdated software versions. These insecure configurations act like an invitation for automated attack bots that continuously crawl the internet looking for vulnerable database instances.

How These Extortion Attacks Work

The attack pattern seen today is a variation on the classic “MongoDB ransomware” campaigns that peaked between 2017 and 2021, when tens of thousands of insecure servers were hijacked, wiped, or held for ransom.

Here’s what happens step by step:

  1. Discovery: Automated scripts systematically scan IP ranges and port blocks searching for MongoDB servers that are exposed without access controls — meaning they don’t require a username, password, or other authentication.
  2. Compromise: Once a vulnerable instance is found, the attacker connects to the database. In many cases, they can immediately read, write, or delete data because no security mechanisms are enabled.
  3. Wiping or Export: Often the attacker will wipe the database entirely — dropping all collections — or in some cases, make illicit copies of data.
  4. Planting a Ransom Note: The intruder leaves behind a ransom message in the database, typically in a new collection. These notes demand payment — frequently around 0.005 Bitcoin (equivalent today to roughly $500-$600 USD) — to a specified wallet, promising to “restore” the data for victims who pay.
  5. Low Barrier to Entry: The attacker does not need advanced tools or zero-day exploits. These campaigns run cheaply and effectively because they exploit misconfigured infrastructure, not software vulnerabilities.

Security company Flare’s research recently found more than 208,500 publicly exposed MongoDB servers — of which roughly 100,000 are disclosing operational details, and at least 3,100 are accessible without any authentication. Of these unauthenticated instances, nearly 46% were already compromised and left with ransom demands.

Interestingly, investigators identified only five distinct Bitcoin wallet addresses used in these ransom notes, with one particular address appearing in about 98% of cases. This suggests that a single threat actor — or a tightly coordinated group — is behind the bulk of these campaigns.

Why This Threat Persists

You might think that after years of high-profile reporting and security guidance, such extortion campaigns would have faded away. However, they persist for several reasons:

  • Misconfigurations remain rampant. Many development tutorials, cloud deployment examples, and container images promote default settings that enable access without credentials.
  • Outdated versions increase risk. Nearly half of exposed MongoDB servers were running older versions that are susceptible to known n-day (non-zero-day) vulnerabilities, even if they don’t enable full remote code execution.
  • Automation makes it easy. A wide ecosystem of scanning tools and bots means exposed instances are discovered and attacked within minutes of being set up.

Lessons for Database Administrators

Experts are urging organizations that rely on MongoDB — whether on self-managed servers or containerized infrastructure — to adopt these security best practices:

  • Never expose MongoDB directly to the internet without strong authentication and network access controls. Use firewall rules, VPNs, or private subnets to limit access.
  • Enable authentication and role-based access control (RBAC) to ensure only authorized users can access sensitive data.
  • Keep software up to date. Running the latest MongoDB releases reduces risk from known vulnerabilities and improves overall security posture.
  • Monitor logs and network traffic for signs of unauthorized access or configuration drift.
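As an added example (not code from the article or from Flare’s research), the following Python audits the effective options a running mongod reports through the admin command `getCmdLineOpts`, flagging exactly the combination described above: a listener reachable beyond localhost with `security.authorization` not enabled. The two sample responses are constructed; in practice you would feed in the command’s output from a client.

```python
import ipaddress
import json

# Constructed sample of what `db.adminCommand({getCmdLineOpts: 1})` returns on a
# server bound to every interface with no authentication; the "parsed" subtree is
# the effective configuration and uses the mongod config-file field names.
EXPOSED_NO_AUTH = json.loads("""{"argv": ["mongod", "--bind_ip_all"], "ok": 1,
  "parsed": {"net": {"bindIp": "0.0.0.0", "port": 27017}, "storage": {"dbPath": "/data/db"}}}""")

# Constructed sample of a hardened server: loopback plus one private address, RBAC on.
HARDENED = json.loads("""{"argv": ["mongod", "-f", "/etc/mongod.conf"], "ok": 1,
  "parsed": {"net": {"bindIp": "127.0.0.1,10.0.5.12"}, "security": {"authorization": "enabled"}}}""")

ALL_INTERFACES = ("0.0.0.0", "::", "*")


def audit_mongod_options(cmdline_opts):
    """Return [(severity, finding), ...] for one getCmdLineOpts result."""
    parsed = cmdline_opts.get("parsed", {})
    net = parsed.get("net", {})
    security = parsed.get("security", {})
    findings = []

    # mongod binds to localhost only unless told otherwise, so no bindIp is the safe case.
    bound = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    all_ifaces = bool(net.get("bindIpAll")) or any(a in ALL_INTERFACES for a in bound)
    public = []
    for addr in bound:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # hostnames are not resolved here; "*" was already caught above
        if not (ip.is_loopback or ip.is_private or ip.is_unspecified):
            public.append(addr)
    exposed = all_ifaces or bool(public)
    if all_ifaces:
        findings.append(("HIGH", "net.bindIp listens on all interfaces"))
    elif public:
        findings.append(("HIGH", "bound to public address(es): " + ", ".join(public)))

    # A keyFile implies --auth (replica sets), so count it as authorization enabled.
    auth_on = security.get("authorization") == "enabled" or "keyFile" in security
    if not auth_on:
        findings.append(("CRITICAL" if exposed else "MEDIUM",
                         "security.authorization is not 'enabled'"))

    if exposed and net.get("tls", {}).get("mode", "disabled") == "disabled":
        findings.append(("MEDIUM", "net.tls.mode is disabled on a network-reachable listener"))
    return findings
```

A server that is unreachable from outside but still unauthenticated is reported at MEDIUM rather than CRITICAL, since a single container or firewall change is all that separates the two.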

Importantly, security professionals also strongly advise against paying ransoms, as there’s no guarantee that attackers genuinely possess usable backups or will restore data after payment.

A Familiar Yet Ongoing Threat

While the scale of these campaigns today may be smaller compared to earlier waves, the underlying pattern illustrates a broader and persistent issue: poorly configured infrastructure remains one of the most exploitable weak points in cybersecurity. As long as unsecured database servers continue to exist on the open internet, automated extortion actors will find and exploit them for profit.