If you think that cyber criminals do not care about your MongoDB database, think again. MongoLock Ransomware is an infection that was created for the sole purpose of wiping MongoDB databases and making their owners suffer. Even though the attackers make it seem as if there is a solution to the problem, the reality is a little bit different. According to the attackers, the data stored on the database has been secretly downloaded and backed up on a remote server, and now you have to pay money to get it all back. The reality, according to our research team, is that your database has been wiped, and there is no proof that any of the data has been backed up. Of course, you are the one who has to make a decision regarding your final move, but we do not recommend paying the ransom because it is unlikely to solve your problem. More likely than not, the only thing you can do is delete MongoLock Ransomware, and although that will not restore your files, the removal of active malware is always important.
It appears that MongoLock Ransomware finds its victims by scanning the Internet for MongoDB databases that are exposed and can be reached from a remote location without proper protection, so that the attacker can strike silently. According to our research team, the attacker uses a malicious script to delete the database first. The deleted database is replaced with a new one called “Warning.” The malware payload is then dropped and files are uploaded to a C&C server (104.27.179.191 s.rapid7.xyz). The infection also executes commands to remove files from the Desktop, Documents, Music, Recent, and Videos directories. After that, a file called “Warning.txt” is dropped into multiple directories, including the ones from which files were removed. Although the file is safe to open, you have to be very careful about how you handle the information inside. After all, the attackers use this TXT file only to convince you to act in the way they want you to act. In this situation, needless to say, they are all about getting your money.
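As an added defensive example (not code from the original write-up), the Python below checks for the indicators this section describes: a database list in which the victim's databases have been replaced by one named “Warning”, ransom-note files named Warning.txt under user directories, executables whose MD5 matches the sample listed in the file table at the end of this article, and log lines that reference the C&C host or IP. The directory tree and log lines it builds are constructed sample data; the function names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
RANSOM_NOTE_NAME = "Warning.txt"
RANSOM_DB_NAME = "Warning"
KNOWN_MD5 = {"fa64390d7ffa4ee604dd944bbcf0bc09"}  # MD5 of the MongoLock sample listed on this page
C2_HOST = "s.rapid7.xyz"
C2_IP = "104.27.179.191"


def check_database_names(db_names):
    """True when the server's database list contains the 'Warning' database
    that MongoLock leaves behind after dropping the victim's data."""
    return RANSOM_DB_NAME in db_names


def md5_of_file(path):
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk a directory tree and collect (indicator, path) pairs:
    ransom notes found by name and executables matching the known sample hash."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE_NAME.lower():
                findings.append(("ransom_note", full))
            elif name.lower().endswith(".exe") and md5_of_file(full) in KNOWN_MD5:
                findings.append(("known_sample_md5", full))
    return findings


def scan_dns_log(lines):
    """Return the log lines that mention the C&C host name or IP from the write-up."""
    return [line for line in lines if C2_HOST in line or C2_IP in line]


def demo():
    """Build a constructed directory tree and a constructed log, then run every check."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "Warning.txt").write_text("constructed ransom note text")          # constructed
        (Path(tmp) / "report.exe").write_bytes(b"constructed, not the real sample")  # constructed
        file_hits = scan_tree(tmp)
    log_lines = [
        "2019-01-01T10:00:00 query A s.rapid7.xyz",        # constructed: C&C lookup
        "2019-01-01T10:00:01 query A updates.example.org",  # constructed: benign
    ]
    return {
        "db_wiped": check_database_names(["admin", "local", "Warning"]),
        "file_hits": [kind for kind, _ in file_hits],
        "c2_hits": len(scan_dns_log(log_lines)),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the database list would come from `listDatabases` on the affected server and the log lines from a DNS resolver or proxy; any hit from these checks means the database should be treated as wiped and the host isolated before restoring from a known-good backup.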
According to the MongoLock Ransomware ransom note, there is a specific sum of money that can help you buy your data back. The message claims that all data is backed up and can be restored once the ransom is paid. It must be paid in Bitcoin and transferred to one of the Bitcoin wallets that are revealed. Our research team has seen different versions of the ransom note, and while they are otherwise identical, they differ in the ransom sum, the Bitcoin wallet address to which it must be sent, and the email address that is used for communication. The ransom might range from 0.1 Bitcoin to 0.6 Bitcoin (~530-3200 US Dollars) or even more. The two Bitcoin addresses that we have seen attackers using include 1NrZsNppQqXNiYnu34MPo6K2sHYyMPjR4h and 3FAVraz3ovC1pz4frGRH6XXCuqPSWeh3UH, and the email addresses include unlockandrecover@pm.me and dbbackups@protonmail.com. Regardless of the details presented to you, contacting the attackers and paying the ransom is not what we recommend. Instead, you should remove the MongoLock Ransomware ransom note file and then move on to the removal of the threat itself.
While it is important that you remove MongoLock Ransomware from your Windows operating system as soon as possible, it is also important that you think about security measures that you could apply to ensure that similar attacks cannot occur in the future. This is why we strongly recommend employing trustworthy anti-malware software. It would automatically delete MongoLock Ransomware and other infections if they existed, and it would ensure that your system’s overall protection would be taken care of. This is something you need to think about even if you decide to eliminate the infection manually. Without a doubt, there are other things you should do to strengthen the security of your MongoDB database as well. You should specifically think about the encryption of data, access control, and access authentication. Just remember that as long as your server remains vulnerable, it will remain the target of cyber attackers.
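As an added example (not the article's own code) of the access control, authentication and encryption measures mentioned above, this Python audit takes a mongod.conf that has already been parsed into a dictionary (the layout `yaml.safe_load()` produces for that file) and reports the settings that leave a server open to the kind of attack described here. `WEAK_CONF` and `HARDENED_CONF` are constructed sample configurations, and `audit_mongod_conf` is a hypothetical helper, not a MongoDB tool; the option names it checks (`security.authorization`, `net.bindIp`, `net.bindIpAll`, `net.tls.mode` and the older `net.ssl.mode`) are real mongod options.

```python
# Constructed: the shape of an exposed deployment, the kind MongoLock scans for.
WEAK_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed: the same server with authentication, restricted binding and TLS.
HARDENED_CONF = {
    "net": {
        "port": 27017,
        "bindIp": "127.0.0.1,10.0.0.5",
        "tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/ssl/mongodb.pem"},
    },
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def audit_mongod_conf(conf):
    """Return a list of (setting, problem) pairs for a parsed mongod.conf dictionary.
    An empty list means none of the three checks fired."""
    findings = []

    # Access control and authentication: without this, anyone who can reach
    # the port can list, read and drop every database.
    security = conf.get("security") or {}
    if security.get("authorization") != "enabled":
        findings.append(("security.authorization",
                         "not 'enabled': unauthenticated clients get full access"))

    # Network exposure: a wildcard bind makes the database reachable from
    # anywhere the host is reachable from.
    net = conf.get("net") or {}
    bind = str(net.get("bindIp", "")).replace(" ", "")
    addrs = [a for a in bind.split(",") if a]
    if net.get("bindIpAll") is True or any(a in WILDCARD_ADDRS for a in addrs):
        findings.append(("net.bindIp",
                         "listens on all interfaces; bind to localhost or specific addresses"))
    elif not addrs:
        findings.append(("net.bindIp",
                         "not set; the default is localhost from MongoDB 3.6 on but all "
                         "interfaces on older versions, so set it explicitly"))

    # Encryption in transit: credentials and data otherwise cross the network in clear text.
    tls_mode = (net.get("tls") or {}).get("mode") or (net.get("ssl") or {}).get("mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append(("net.tls.mode",
                         "not 'requireTLS': connections are not encrypted"))

    return findings


def report(conf):
    """Human-readable summary for one configuration."""
    problems = audit_mongod_conf(conf)
    if not problems:
        return "OK: no findings"
    return "\n".join(f"{setting}: {problem}" for setting, problem in problems)


if __name__ == "__main__":
    print("weak config:\n" + report(WEAK_CONF))
    print("\nhardened config:\n" + report(HARDENED_CONF))
```

Encryption at rest and a firewall rule that allows port 27017 only from the application hosts belong in the same review; neither is visible in mongod.conf alone, so the audit above covers only what the configuration file can show.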
Files:

| # | File Name | File Size (Bytes) | File Hash |
|---|---|---|---|
| 1 | 66b241c57647c99eecab5ca6a2b4997c5421339d8e174b6258cac74c8ac53703.exe | 282392 | MD5: fa64390d7ffa4ee604dd944bbcf0bc09 |

Processes:

| # | Process Name | Process Filename | Main module size |
|---|---|---|---|
| 1 | 66b241c57647c99eecab5ca6a2b4997c5421339d8e174b6258cac74c8ac53703.exe | 66b241c57647c99eecab5ca6a2b4997c5421339d8e174b6258cac74c8ac53703.exe | 282392 bytes |