January 31, 2017, updated 22 Feb 2017 4:48pm

Nearly 30,000 MongoDB servers held captive in ransomware attacks – and ElasticSearch is just as bad

An investigation by Rapid7 has revealed the huge number of captive servers following ransomware attacks on Internet databases.

By Ellie Burns

Ransomware has been hitting the headlines in early 2017, with high-profile attacks on MongoDB, ElasticSearch, Hadoop and CouchDB installations sweeping the internet. However, only now has research revealed the true extent of the attacks.

Rapid7 ran a ‘devops-ish’ investigation using Project Sonar, the security firm’s research project that runs internet-wide surveys across different services and protocols. Though some subnets choose to block Rapid7’s scanners, the firm scanned internet subnets and found:

56,000 MongoDB servers
18,000 ElasticSearch servers
4,500 CouchDB servers

The investigation found that 58% of the ElasticSearch servers were held captive, with MongoDB close behind at 50% compromised. 10% of CouchDB servers were ransomed.

A large percentage of the databases scanned were found to run in the cloud, which was somewhat unsurprising, and Amazon was the top hosting provider for all three databases. Explaining why attackers are targeting these databases, Bob Rudis, writing on the Rapid7 blog, said:

“The core reason why attackers are targeting devops-ish technologies is that most of these servers have default configurations which have tended to be wide open (i.e. they listen on all IP addresses and have no authentication) to facilitate easy experimentation and exploration. Said configuration means you can give a new technology a test on your local workstation to see if you like the features or API but it also means that — if you’re not careful — you’ll be exposing real data to the world if you deploy them the same way on the internet.”

The security firm advises those running the databases to check their configuration, ensuring at the very least that authentication is enabled and that rudimentary network security groups are configured to limit access. Rapid7 also advised the use of automation to enforce those settings, given that most of the databases are deployed in the cloud.

“It’s also wise to configure your development and testing environments the same way you do production (hey, you’re the one who wanted to play with devops-ian technologies so why not go full monty?),” said Rudis.

“You should also configure your monitoring services and vulnerability management program to identify and alert if your internet-facing systems are exposing an insecure configuration. Even the best shops make deployment mistakes on occasion.”
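The two pieces of advice above, checking the configuration for a bind address and authentication, and having monitoring raise an alert when an insecure configuration is exposed, can be acted on by auditing the configuration files themselves. The following is an added example, not Rapid7’s or Project Sonar’s code: a small standard-library Python script with a hypothetical `parse_simple_yaml` helper that flattens mongod.conf and elasticsearch.yml into dotted keys, then reports the weak settings the article describes beside a corrected configuration. The sample configs, hostnames and addresses are constructed for the example.

```python
"""Audit MongoDB and Elasticsearch configuration files for the two exposure
conditions described in the article: listening on every interface and running
without authentication. Added example; a hypothetical helper, not Rapid7 or
Project Sonar tooling. Standard library only (no PyYAML dependency)."""

from typing import Dict, List, Tuple

# Constructed sample configurations, not taken from any real deployment.
MONGOD_WEAK = """\
# typical "try it out" mongod.conf: open to the world, no auth
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

MONGOD_HARDENED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12   # loopback plus the (constructed) app-subnet address
security:
  authorization: enabled
"""

ES_WEAK = """\
cluster.name: lab
network.host: 0.0.0.0
http.port: 9200
"""

ES_HARDENED = """\
cluster.name: lab
network.host: 10.0.0.12
http.port: 9200
"""

# Bind values that expose the service on every (or every globally routable) interface.
EXPOSED_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten a YAML subset into dotted keys, e.g. {"net.bindIp": "0.0.0.0"}.

    Supports nested mappings by indentation and dotted keys written on one
    line (Elasticsearch style); no lists, anchors or quoted strings. That is
    enough for these two files.
    """
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split on the first colon only
        value = value.strip()
        while stack and stack[-1][0] >= indent:  # we have left a nested block
            stack.pop()
        full_key = ".".join([k for _, k in stack] + [key])
        if value:
            flat[full_key] = value
        else:
            stack.append((indent, key))  # header line of a nested mapping
    return flat


def audit_mongod(conf: Dict[str, str]) -> List[str]:
    """Return findings for a flattened mongod.conf (empty list means clean)."""
    findings: List[str] = []
    bind = conf.get("net.bindIp")
    # A missing bindIp is treated as a finding too: before MongoDB 3.6 the
    # mongod default was to listen on all interfaces.
    if bind is None or any(b.strip() in EXPOSED_BINDS for b in bind.split(",")):
        findings.append(f"net.bindIp={bind!r}: listens on all interfaces")
    if conf.get("security.authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': no authentication required")
    return findings


def audit_elasticsearch(conf: Dict[str, str]) -> List[str]:
    """Return findings for a flattened elasticsearch.yml (empty list means clean)."""
    findings: List[str] = []
    host = conf.get("network.host", "")
    if any(h.strip() in EXPOSED_BINDS for h in host.split(",")):
        findings.append(f"network.host={host!r}: HTTP API reachable on all interfaces")
    return findings


def audit_all() -> Dict[str, List[str]]:
    """Run both audits over the constructed samples, keyed by sample name."""
    return {
        "mongod_weak": audit_mongod(parse_simple_yaml(MONGOD_WEAK)),
        "mongod_hardened": audit_mongod(parse_simple_yaml(MONGOD_HARDENED)),
        "es_weak": audit_elasticsearch(parse_simple_yaml(ES_WEAK)),
        "es_hardened": audit_elasticsearch(parse_simple_yaml(ES_HARDENED)),
    }


if __name__ == "__main__":
    # In a monitoring job, any non-empty finding list is the alert condition.
    for name, findings in audit_all().items():
        print(f"{name}: {'ALERT' if findings else 'ok'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against real files by reading them into `parse_simple_yaml`; a non-empty finding list is the condition a deployment pipeline or monitoring job would alert on, which is how the same check covers development and test environments as well as production.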


A possible 10,000 Hadoop Distributed File System installations were thought to be captive in previous reports.
