It was a normal Sunday morning when I received a call from my friend, desperately requesting my help for a problem that he was having. When I asked him what the situation was, he told me that his system had stopped working and he would love for me to take a look and see if I could find the problem.

As he was speaking to me, I thought to myself, “I know he is using Mongo as his DB, can it be? Nah, what are the chances!?”. Soon after checking, I noticed his Mongo was being held for ransom. “Let the fun begin,” I thought to myself.

The data was replaced with this message.

He gave me access to his server and I started investigating. I found that he was not hacked only once, but three times (yes, the hackers were hacking each other 🙄)!

First hack: deleted all the databases (Jan 7th 2017)

Second hack: deleted the first hackers’ “PLEASE_READ” database and added another one (Jan 8th 2017)

Third hack: the hackers once again deleted the previous hackers’ DB and hacked it again (Jan 10 2017)

The first weird thing I noticed while checking the logs was that one of the databases stayed even after being dumped. Wait, what? Mongo journal! Mongo logs the state it is in with something called a journal. This is a log of the state the DB is in.

I still was not 100% sure what this journal is and what it does, but from what I understood there might be a chance that the DB still exists! Being excited, I found that running the DB with the journal flag should resume the state the DB was in. All I could think to myself was “Yes! Go suck it, hackers!”.

Yeah, that did not work; in fact it deleted the journal file, and there goes that. No more chance to save the DB. It’s time to pay the ransom or back away.

I would never tell anyone to pay the ransom, but my friend really wanted to for the sake of curiosity, so for the sake of curiosity I was in 💪🏻.

The first step of the negotiation was asking him to prove he even had the data. All I saw from the logs was that he deleted the databases; I wanted proof he still had them.

We sent him the following email:

Hello XXXX, you have our MongoDB under ransom. Do you mind sending us proof that you actually hold the data? I am sure we can work things out!

He asked for our Mongo’s IP and we sent it to him and we got back some proof:

Although there was no real proof that the data existed, the databases and collections were in the picture, so maybe he did have something?

Okay, so now we had to get our data back. We decided to try a slightly different approach 😉:

Guess what? That did not work. He was not scared. Okay, so now what do we do!? I guess it’s time to pay the ransom. We asked him what the procedure was and he sent us the following:

Send 0.1 BTC to restore your data. After doing the payment you’ll receive a gzip compressed db dump (download link). Bitcoin address: hackers_bitcoin_address

Okay, cool, cool. We had some leftover bitcoins lying around, so we sent the payment and let him know:

We sent the blockchain record of the transaction as well as the IP so he could release our data.

After a few hours of no response we sent another message:

Hi XXXX, please refer to my email earlier today. Can you please provide me with the link to the restored data? Thanks in advance.

This was the last message that we sent, on January 10th. Since then we have not gotten any response, and we have only learned our lesson.

Back up all your data, because when you do get hacked and your data is held for ransom, you are never getting it back.
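As an added example (not the author's script, and not anything that existed on the server in the story), here is the kind of backup routine that would have made the ransom irrelevant: a POSIX shell script that dumps every database into one timestamped, gzip-compressed archive with `mongodump`, checks the archive is a valid gzip stream, and keeps only the newest N archives. The paths, the `backup_user` credentials in `MONGO_URI`, the retention count and the `run` argument are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Nightly MongoDB dump with
# retention, for a POSIX shell. Assumptions (all hypothetical): mongodump is
# on PATH, MONGO_URI reaches the instance as a read-only backup user, and
# BACKUP_DIR lives on a host the database server itself cannot write to.

BACKUP_DIR="${BACKUP_DIR:-/var/backups/mongo}"
MONGO_URI="${MONGO_URI:-mongodb://backup_user:CHANGE_ME@127.0.0.1:27017/?authSource=admin}"
KEEP="${KEEP:-14}"   # number of archives to retain

# Timestamped archive name, e.g. mongo-20170110-0300.archive.gz (UTC).
backup_name() {
    printf 'mongo-%s.archive.gz\n' "$(date -u +%Y%m%d-%H%M)"
}

# Dump every database into one gzip archive and verify the gzip stream
# before trusting it. Prints the archive path on success.
run_backup() {
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/$(backup_name)"
    mongodump --uri="$MONGO_URI" --gzip --archive="$out" || return 1
    gzip -t "$out" || return 1
    printf '%s\n' "$out"
}

# Keep only the newest $2 archives in directory $1 (ordered by mtime).
prune_old_backups() {
    dir="$1"; keep="$2"
    ls -1t "$dir"/mongo-*.archive.gz 2>/dev/null \
        | tail -n +"$((keep + 1))" \
        | while IFS= read -r f; do rm -f -- "$f"; done
}

# Number of archives currently in directory $1.
count_backups() {
    ls -1 "$1"/mongo-*.archive.gz 2>/dev/null | wc -l | tr -d ' '
}

# Path of the newest archive in directory $1 (empty if none).
newest_backup() {
    ls -1t "$1"/mongo-*.archive.gz 2>/dev/null | head -n 1
}

main() {
    out="$(run_backup)" || { echo "backup failed" >&2; return 1; }
    prune_old_backups "$BACKUP_DIR" "$KEEP"
    echo "backup written: $out ($(count_backups "$BACKUP_DIR") kept)"
}

# Only dump when invoked as `mongo-backup.sh run`, so the functions can be
# sourced (or tested) without touching a live database.
case "${1:-}" in run) main ;; esac
```

Run it from cron as `mongo-backup.sh run`, and copy the archives off the database host: a dump that sits next to the data it protects disappears with it. The dump is also only half of the fix. The January 2017 MongoDB ransom wave hit instances that were reachable from the internet without authentication, so the instance itself should require authentication and listen only on an internal address.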

Follow me at https://twitter.com/AviWolicki