Kraken Group Puts MongoDB Hijacking Script Up for Sale

  • January 11, 2017
  • 04:20 PM


Almost nine days after attacks on MongoDB servers ramped up, the number of ransacked databases has reached 32,380 hosts, and the number of groups involved in these attacks has grown to 21, up from just one group initially.

Of these groups, the biggest and baddest of them all is Kraken, a threat actor with some experience in cyber crime, having previously coded and attempted to distribute its own brand of ransomware.

The Kraken group got involved in the attacks on January 6, and after two days it had made nearly 16,000 victims and over $6,200.

Five days later, the same group has now infected over 21,600 MongoDB instances and, according to its Bitcoin wallet, has made 9.8 Bitcoin (~$7,700).

MongoDB realty is slimming down

But there are only so many MongoDB databases you can hijack. According to Shodan, there are around 50,000 MongoDB servers open to external connections, and according to ZoomEye, a similar search engine for Internet-connected services, there are around 100,000 MongoDB servers.

Not all of these have their administrative account exposed online without a password, and after almost two weeks of intense scans, the market has certainly plateaued.

The intense media coverage following Bleeping Computer's initial article has also helped database administrators secure their databases, or take notice that paying the ransom did not always mean they would have their data back.

Many of these groups didn't bother creating copies of the ransacked data, and almost all engaged in rewriting each other's ransom notes, meaning victims never knew who had their data, if someone bothered to export it.

Kraken selling MongoDB hijacking script for $200

Victims who wanted to pay have certainly paid by now. As such, it appears that the Kraken group is trying to monetize the last thing at its disposal before the market collapses.

Below is an ad the Kraken group appears to have posted on PasteBin.

selling Kraken Mongodb ransomware c# source code

price: 200USD in bitcoins

This [EXPLETIVE] is very fast Multi-Threaded can handle 1000+ ips per second and way more if you got powerful 10GBs port
CPU load is very low, RAM is important if you have big ip list ( included with source code )

what you'll get :
* kraken source code
* 100,000 ip list with mongodb open
* mass mongodb scanner to scan the whole internet ip range for open mongodbs

contact: [REDACTED]

Kraken ad

The script was discovered by a security researcher who goes by the Twitter handle of @rem1nd_ and manages a service that scrapes PasteBin for threat intelligence.

Ever since the MongoDB attacks started, the researcher has added terms related to these attacks to his scan engine. Today, he came across the ad above, in which the Kraken group is selling the source code of its scan & hijacking engine for a meager $200, paid in Bitcoin.

At this point, providing lesser-skilled threat groups with top-shelf tools will mean bad news, as more actors will become active, and more databases will get wiped off the face of the Internet.

Companies affected left and right

In recent days, there have been numerous nightmare scenarios, where companies that did not have recent or any type of backups were left without a way to recover their data. highlights one of these cases, with Princeton University losing data stored on one of its MongoDB databases after a group hijacked its server.

Bob Diachenko of the MacKeeper Security Research Team also tells Bleeping Computer that these hijacking attacks have affected almost all the responsible disclosures the company was in the middle of.

"In general I can say that all of our previously reported and not secured MongoDBs are hijacked," Diachenko said via email.

For more than a year, the MacKeeper Security Team had been searching the Internet for open MongoDB databases, just like the crooks, but notifying companies and helping them secure their servers.

Since the attacks started, the company shifted from a privacy watchdog to providing free support to affected companies in any way it could.

"Our security reports contain 15-records txt-samples taken from (mostly large and of course unprotected) databases," the MacKeeper security expert said, "but sometimes even that can be helpful in assessing the sensitivity / origin of data and [help companies] make right decision."

Victor Gevers and Niall Merrigan, the two researchers who tracked these attacks since the beginning, have also previously told Bleeping Computer that they spend much of their time helping companies recover their data.

As it looks right now, the constant scanning would make it impossible to run a passwordless, Internet-available MongoDB database ever again. Webmasters that need to work with MongoDB on a regular basis are advised to read MongoDB Inc's official security guide, re-published last week, as the attacks started to escalate.
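The exposure condition described in this article (a MongoDB server that accepts external connections and has no access control) can be checked from the server's own configuration. The following is an added example, not code from the article or from MongoDB Inc.; it assumes a YAML-format `mongod.conf`, and the function names and sample configs are constructed for illustration.

```python
# Added example: audit a YAML mongod.conf for the two exposure conditions
# named in the article. Sample configs are constructed, not real servers.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_conf(text):
    """Parse the nested 'key: value' subset of YAML used by mongod.conf
    into dotted keys such as 'net.bindIp'. Not a general YAML parser."""
    settings, stack = {}, []              # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave sections we have dedented out of
        value = value.strip().strip("'\"")
        if value:
            settings[".".join([k for _, k in stack] + [key.strip()])] = value
        else:
            stack.append((indent, key.strip()))
    return settings

def audit(text):
    """Return a list of findings; an empty list means neither condition holds."""
    cfg, findings = parse_conf(text), []
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    # Assumption: a missing bindIp is treated as exposed, because releases
    # before MongoDB 3.6 listen on all interfaces when it is not set.
    addrs = {a.strip() for a in cfg.get("net.bindIp", "0.0.0.0").split(",")}
    if bind_all or addrs - LOOPBACK:
        findings.append("listens beyond loopback (check firewall rules)")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("access control disabled (no password required)")
    return findings

EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1  # local only\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit(conf) or "no findings")
```

A non-loopback bind address is not by itself Internet exposure, so a finding on the first check should be followed by a review of the host and network firewall rules.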

UPDATE: As of January 18, the ad was updated to include the script that also hijacks ElasticSearch servers.

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at For other contact methods, please visit Catalin's author page.