Unistellar attackers have already wiped roughly 12,000 unsecured MongoDB databases exposed online

over the past three.

Every time hackers deleted a MongoDB database they left a message asking the administrators to contact them to restore the data.

Unfortunately, the criminal practice of deleting MongoDB databases and request a ransom to restore data is common, experts observed several campaigns targeting unsecured archive exposed online.

In the last wave of attacks, crooks don’t request the payment of a specific ransom amount, instead, they provide an email contact to start a negotiation.

Bleeping Computer first reported the attacks and cited the expert Sanyam Jain as the person that discovered the deleted MongoDB databases.

“this person might be charging money in cryptocurrency according to the sensitiveness of the database.” explained Jain.

The expert discovered 12,564 unprotected MongoDB DBs that were wiped by an attacker tracked as Unistellar, he searched the text “hacked_by_unistellar” that the attacker left in the message.

Making the same search on Shodan experts at BleepingComputer found a smaller number, 7,656 databases, while doing the same search I found 8.133 compromised installs exposed online.

It is likely the attacker has automated its attacks chain due to the lange number of MongoDB databases deleted by Unistellar.

Jain first discovered the attacks on April 24, the note left by the Unistellar attacker reads “Restore ? Contact : unistellar@yandex.com

The attacker used two email addresses in these attacks, unistellar@hotmail.com or unistellar@yandex.com.

According to Jain, Unistellar creates restore points to restore the databases after the victims have paid the ransom.

If you manage a MongoDB instance follow the guidelines on “how to secure a MongoDB database”



If you appreciate my effort in spreading cybersecurity awareness, please vote for Security Affairs in the section “Your Vote for the Best EU Security Tweeter”

Thank you



Pierluigi Paganini