Automated Ransom Attacks Target Exposed MongoDB Instances A threat actor is conducting automated data extortion attacks against misconfigured MongoDB databases, compromising around 1,400 exposed servers and demanding ransoms of approximately $500 in Bitcoin to restore deleted data. These attacks, reminiscent of a surge in similar incidents prior to 2021, exploit poorly secured instances with unrestricted access. Researchers at Flare identified 208,500 publicly exposed MongoDB servers, with 3,100 accessible without authentication. Nearly 46% of these unsecured databases had already been wiped and replaced with ransom notes, most demanding 0.005 BTC (≈$500–600) within 48 hours. Analysis revealed that 98% of ransom notes used the same Bitcoin wallet address, suggesting a single attacker behind the campaign. While the threat actor claims to restore data upon payment, there is no guarantee they retain the information or will provide decryption keys. Beyond authentication flaws, nearly 95,000 exposed instances were found running outdated MongoDB versions vulnerable to known exploits, though most flaws were limited to denial-of-service rather than remote code execution. Despite the high number of exposed servers, some may have already been targeted and paid ransoms, explaining why they remained uncompromised during Flare’s investigation. The findings underscore the risks of improperly secured MongoDB deployments, particularly those left publicly accessible without strong authentication or network restrictions.