A hacker that uploaded ransom notes on nearly 23,000 MongoDB databases left exposed online without passwords has given his potential victims until tomorrow to pay a $140 ransom, or possibly report the breach to local GDPR authorities.

According to recent ZDNet story, the hacker used an automated script to scan for misconfigured MongoDB databases, effectively wiping the content. The hacker then left a ransom note asking for the payment.

The miscreant threatened to report the breach to the local GDPR authorities within two days if they refused to pay up in two days – on July 3.

James McQuiggan, security awareness advocate at KnowBe4, said

it’s bad enough the victims lost data. Now, an organization has to pay to get the decryption key from the cyber criminals and possibly would need to pay again not to have it leaked to the public.

“Adding to this challenging incident is the threat of the data and information going to the authorities,” McQuiggan said. “Organizations familiar with the GDPR realize the fines can be a substantial sum of money and could be detrimental to their profits and possibly loss of reputation with their shareholders. If someone else informs the supervisory authorities, it could cost the organization a significant amount of money versus them just reporting it themselves.”

Brandon Hoffman, CISO at Netenrich, said while there may be some altruistic component of this attack, based on previous activity from similar attacks (not against MongoDB), Hoffman views the GDPR tactic as an extension of the threat.

“The rise in extortion tactics to get the ransom paid, in my mind, makes it clear that it’s simply another technique in the same playbook,” Hoffman said. “Were this truly a hacktivism related threat, there would be some other clear motivation tied to a political or social movement and almost certainly there wouldn’t be such an easy out — $140 — from the backlash these companies would receive from GDPR.”

 Andrew Barratt, head of investigations at Coalfire, said this wasn’t altruism, it was naivety.

“The intruder was incredibly naïve to think they can extort a company with a regulatory disclosure from their criminal attack,” Barratt said. “Imagine a car thief stealing your car, then threaten they’ll call your insurance company to tell them  ‘hey – the locks were not on the insurer approved list.’”  

Barratt said it’s clearly a commercial hack. With such a small dollar value, he said the hacker hopes people will just simply pay the ransom.

“Disclosure to the appropriate supervisory authorities is also an incredibly high- risk maneuver for the criminal with the possibility of being discovered,” Barratt said. “Assuming 23,000 don’t pay out – reporting to the authorities would require a significant amount of effort. It would require the intruder to confirm which data protection authority in Europe is the one the business identified as their reporting body. It’s a fairly big lift to do that correctly when you’re doing it for your own purposes – but imagine doing it for all 23,000 entities.” 

Barratt said here’s a snapshot of what the hacker would have to turn over to all the various authorities, assuming he could figure that out:

A description of the nature of the personal data breach including, where possible:

  • The categories and approximate number of individuals concerned;
  •  The categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer (if your organization has one) or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach;
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

“I’d say it’s not just a hollow threat, but mostly an inert one,” Barratt said. “Their biggest actual threat is making the data inaccessible for a while and hoping the hacked entity doesn’t have a good backup.”