Overview
- Flare reports that 1,416 of the 3,100 internet-accessible MongoDB instances it found running without authentication had their data deleted and replaced with a ransom note.
- The scan identified more than 208,500 publicly discoverable MongoDB servers, with over 100,000 leaking operational details.
- Most notes demanded about 0.005 BTC within 48 hours. Five distinct wallet addresses were observed, and one of them appeared in roughly 98% of the notes, pointing to a single actor behind the bulk of the campaign.
- Blockchain checks show the primary wallet has received around $400 to date, suggesting limited returns from the campaign.
- About 95,000 of the discovered instances run outdated versions, but Flare identifies misconfiguration (public exposure with no authentication) rather than software age as the primary risk. Its recommendations: take instances off the public internet, enforce strong authentication and restrictive network policies, update to a supported version, rotate credentials, and review logs for unauthorized access.
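The three settings the report keeps coming back to (network exposure, authorization, and server version) can be checked from the output of two standard MongoDB admin commands, `getCmdLineOpts` and `buildInfo`. The audit below is an added example and not code from Flare's report; it reads the dicts those commands return, so it can be pointed at output captured from a live server, but the two sample servers at the bottom are constructed for this example, and `MIN_SUPPORTED_VERSION` is an assumed cut-off standing in for whatever version you currently consider supported.

```python
"""Audit a mongod for the conditions behind the wiped instances in the
Flare report: listening on all interfaces, no authorization, old build.

Added example, not Flare's code. Input is the dict returned by the real
admin commands ``db.adminCommand({getCmdLineOpts: 1})`` and
``db.adminCommand({buildInfo: 1})``; the sample dicts below are constructed.
"""
from __future__ import annotations

# Assumption for this example: builds older than this are flagged as outdated.
MIN_SUPPORTED_VERSION = (6, 0, 0)

# bindIp values that expose mongod on every interface.
WILDCARD_BIND = {"0.0.0.0", "::", "*"}


def parse_version(version: str) -> tuple[int, ...]:
    """'4.4.18-rc0' -> (4, 4, 18); pre-release suffixes are dropped."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def audit_mongod(cmdline_opts: dict, build_info: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    parsed = cmdline_opts.get("parsed", {})
    net = parsed.get("net", {})
    security = parsed.get("security", {})

    # Exposure: mongod 3.6+ defaults to localhost when bindIp is absent, so
    # only an explicit wildcard address or bindIpAll opens every interface.
    listen_all = bool(net.get("bindIpAll", False))
    bind_ip = net.get("bindIp")
    if bind_ip is not None:
        addrs = {a.strip() for a in str(bind_ip).split(",")}
        listen_all = listen_all or bool(addrs & WILDCARD_BIND)
    if listen_all:
        findings.append(
            "net.bindIp listens on all interfaces; bind to loopback or a private address"
        )

    # Authorization: the wiped instances were exactly those without it.
    # security.keyFile (replica-set internal auth) implicitly enables authorization.
    auth_enabled = security.get("authorization") == "enabled" or "keyFile" in security
    if not auth_enabled:
        findings.append(
            "security.authorization is not enabled; anyone who reaches the port has full access"
        )

    # Version: outdated builds lack fixes, even if exposure is the bigger problem.
    version = build_info.get("version", "0.0.0")
    if parse_version(version) < MIN_SUPPORTED_VERSION:
        findings.append(
            f"server version {version} is older than the assumed minimum "
            f"{'.'.join(map(str, MIN_SUPPORTED_VERSION))}; update"
        )
    return findings


# Constructed sample: the pattern described in the report, exposed and unauthenticated.
EXPOSED_OPTS = {"parsed": {"net": {"bindIp": "0.0.0.0", "port": 27017},
                           "storage": {"dbPath": "/var/lib/mongodb"}}}
EXPOSED_BUILD = {"version": "4.0.28"}

# Constructed sample: the hardened counterpart.
HARDENED_OPTS = {"parsed": {"net": {"bindIp": "127.0.0.1,10.0.0.12", "port": 27017},
                            "security": {"authorization": "enabled"}}}
HARDENED_BUILD = {"version": "7.0.5"}

if __name__ == "__main__":
    for label, opts, build in (("exposed", EXPOSED_OPTS, EXPOSED_BUILD),
                               ("hardened", HARDENED_OPTS, HARDENED_BUILD)):
        print(f"{label}: {audit_mongod(opts, build) or ['no findings']}")
```

Run it against a real server by dumping the two commands to JSON with `mongosh` and loading the files; the check for `security.keyFile` matters because replica sets often enable authorization that way without ever setting `security.authorization` explicitly.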