This ransomware steals your data and threatens to report a GDPR violation

Cybercriminals are once again targeting insecure MongoDB databases, but this time they threaten to sue the owners of these databases for GDPR violations if their ransom demands are not met. As reported by ZDNet, the hacker behind this new campaign left ransom notes on 22,900 MongoDB databases that were exposed online without a password. The attacker uses an automated script to search for misconfigured MongoDB databases, wipe them, and then demand a ransom of 0.015 bitcoin, or around €140. The campaign was first discovered in April by security researcher Victor Gevers at the Netherlands Institute for Vulnerability Disclosure. After dropping the ransom note, the attacker gives victims two days to pay before contacting the victim's local GDPR enforcement authority to report the data breach the attacker caused in the first place.

GDPR violations

Once the attacker has accessed the victim's MongoDB server, he deletes the databases it contains and creates a new database called "READ_ME_TO_RECOVER_YOUR_DATA". Inside the new database, there is a collection called "README" containing a ransom note. The note explains that the victim's data has been "saved" and that they have to pay €140 to get it back. It reads as follows:

"After 48 hours of expiration, we will disclose and expose all of your data. In case of denial of payment, we will contact the General Data Protection Regulation, GDPR and notify them that you are storing user data in the open and that it is not secure. Under the rules of the law, you risk a serious fine or arrest and your basic download will be removed from our server."

Based on a preliminary analysis, Gevers believes that the data was not backed up before the database was wiped. While cybercriminals have targeted insecure database servers in the past, this is the first time they have used the threat of a GDPR violation against their victims to ensure their ransom is paid.

Via BleepingComputer
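For operators checking their own servers, the following is an added example and not part of the original article: it audits a `mongod.conf` and a snapshot of database and collection names for the conditions described above, namely a server reachable without a password and the "READ_ME_TO_RECOVER_YOUR_DATA" / "README" marker. It assumes the standard `security.authorization`, `net.bindIp` and `net.bindIpAll` settings; the finding labels, function names and sample data are constructed for illustration.

```python
"""Audit your own MongoDB config and database listing (added example)."""

MARKER_DB = "READ_ME_TO_RECOVER_YOUR_DATA"  # database name given in the article
MARKER_COLL = "README"                      # collection name given in the article
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_mongod_conf(text):
    """Flatten a two-level YAML mongod.conf into {'section.key': value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():                 # top-level section, e.g. "net:"
            section = key
        elif section:
            settings[f"{section}.{key}"] = value.strip().strip("\"'")
    return settings


def audit(conf_text, listing):
    """Return finding labels for a config and a {database: [collections]} map."""
    conf, findings = parse_mongod_conf(conf_text), []
    # MongoDB runs without access control unless authorization is enabled.
    if conf.get("security.authorization", "disabled") != "enabled":
        findings.append("auth-disabled")
    # Any bind address beyond loopback makes the port reachable from other hosts.
    binds = {b.strip() for b in conf.get("net.bindIp", "127.0.0.1").split(",")}
    if conf.get("net.bindIpAll") == "true" or binds - LOOPBACK:
        findings.append("non-loopback-bind")
    if MARKER_COLL in listing.get(MARKER_DB, []):
        findings.append("ransom-note-present")
    if {"auth-disabled", "non-loopback-bind"} <= set(findings):
        findings.append("exposed-without-password")
    return findings


# Constructed sample input: a config with no security section, bound to all interfaces.
SAMPLE_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # constructed sample value
"""
SAMPLE_LISTING = {"admin": ["system.version"], MARKER_DB: [MARKER_COLL]}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_LISTING))
```

The listing can be collected from a real server with the shell's database and collection listing commands; a non-loopback bind address is only a risk indicator, since a firewall may still block the port.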