Some 2,000 MongoDB installations have been compromised by an attacker demanding administrators pay 0.2 bitcoins (US$206) to have lost data returned.

Victor Gevers (@0xDUDE), penetration tester and chairman of the GDI.foundation, noticed the attacks while reporting exposed non-password-protected MongoDB installations to owners.

One open server contained a ransom warning message in place of the database content Gevers expected. Rather than encrypt the data, the attacker, "harak1r1," ran a script that replaced the database's content with the ransom message.

So far 16 organisations appear to have paid harak1r1.

John Matherly, the brains behind security search engine Shodan, where many exposed MongoDBs can be found, has warned since 2015 of the dangers of exposed installations.

Back then he warned of some 30,000 exposed MongoDB instances open to the internet without access controls, a number that has since fallen to about 25,000, with version 2.4.9 being the most popular install.

Gevers told BleepingComputer old MongoDB instances were deployed to cloud services, saying a whopping 78 percent of Amazon Web Services hosts were running known-vulnerable versions of the platform.

Those old versions exposed databases to the internet, a problem that is fixed in the current releases.

Gevers says he is receiving requests for assistance from ransomed and exposed organisations, and recommends MongoDB administrators check logs and ensure unauthorised accounts have not been added. ®