A widespread ransomware campaign targeting misconfigured MongoDB databases continues to compromise thousands of servers worldwide, with attackers exploiting internet-exposed instances that lack basic authentication controls. Recent research reveals that opportunistic threat actors are leveraging automated scripts to wipe databases and demand Bitcoin ransoms, turning configuration negligence into a scalable extortion operation.
After Years of Silence, an Attack Resurfaces

Between 2017 and 2021, MongoDB ransomware campaigns affected thousands of organizations globally. Even though there was less public reporting in the years that followed, new research shows that the threat persisted. In late 2025, security researchers deployed honeypot infrastructure exposing MongoDB instances without authentication across multiple geolocations. Ransom notes demanding roughly $500 USD in Bitcoin were sent to all honeypot servers within days, indicating that the attack pattern is still active and automated.
The resurgence was further highlighted by penetration testing that revealed two compromised MongoDB instances at a small-to-medium-sized business, both containing ransom notes. Further research revealed evidence of persistent insecure deployment practices in infrastructure templates, container images, and tutorials. Internet-exposed databases that are deployed without authentication are a critical vulnerability that the MongoDB ransomware campaign takes advantage of.
Automated scanning finds MongoDB services that are accepting connections from any IP address and are listening on port 27017. Threat actors then carry out a simple four-step procedure: they use mass internet scanning to find vulnerable MongoDB instances, export or copy database contents to their own systems, erase all collections and databases on the victim server, and then insert a new collection with a ransom note demanding payment in Bitcoin within 48 hours.
[Figure: A search for exposed MongoDB configurations with Flare]

Security experts strongly advise against paying ransoms. Because the attackers often never kept a copy of the stolen data at all, recovery is impossible regardless of payment, and victims who paid frequently reported receiving nothing in return. More than 200,000 publicly discoverable MongoDB servers were found through analysis using Shodan, an internet-connected device search engine.
[Figure: A Flare search for leaked MongoDB credentials]

Of these, 3,100 servers were completely exposed with no access limitations or authentication requirements, and over 100,000 instances revealed operational information.
| Metric | Count | Percentage |
| --- | --- | --- |
| Total MongoDB servers discovered | 200,000+ | – |
| Servers with operational information | 100,000+ | – |
| Fully exposed instances (no authentication) | 3,100 | 100% |
| Compromised instances (wiped with ransom) | 1,416 | 45.6% |
| Servers with at least one vulnerability | 95,000 | 46.3% |

1,416 of the 3,100 fully exposed servers had already been compromised; ransom notes had taken the place of the deleted databases. Almost every incident demanded about $500 USD in Bitcoin. Remarkably, a single wallet address was found in more than 98% of attacks, indicating a single dominant threat actor.
Only five different Bitcoin wallets were found across all attacks. Estimates of the campaign's revenue range from zero to roughly $842,000 USD, depending on what portion of the ransom demands was actually paid.
Threat intelligence gathering revealed active MongoDB ransom tutorials circulating on dark web forums and Tor websites. One tutorial discovered in 2025 explicitly marketed the attack method as requiring no technical expertise, claiming attackers could “pull in steady cash every day” by targeting exposed databases. Security researchers identified 763 container images on Docker Hub and GitHub containing insecure MongoDB configurations that bind the database to all network interfaces without authentication.
These images spanned 30 distinct namespaces, with two widely used projects each exceeding 15,000 pulls. Because such images are deployed by copy-and-paste, this distribution mechanism allows insecure configurations to spread quickly. Additionally, searches for exposed MongoDB credentials turned up about 8,954 verified working credentials that attackers could use, found in breach databases, dark web forums, paste sites, and code repositories.
Organizations must implement network segmentation, enforce strong authentication, and regularly audit database configurations to mitigate this persistent threat.
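As an added illustration (not taken from the article or from the researchers' work), the mongod.conf fragments below show the insecure pattern the article describes in container images beside a hardened equivalent; the 10.0.0.5 address stands for an application server and is a placeholder.

```yaml
# --- Insecure pattern found in copy-paste deployments (do not use) ---
# Listens on every interface with no authorization: anyone who can reach
# port 27017 can read, dump and drop every database.
net:
  port: 27017
  bindIp: 0.0.0.0          # same effect as "bindIpAll: true"
security:
  authorization: disabled  # also the default if the key is omitted
---
# --- Hardened equivalent ---
# Only loopback and one explicit application host may connect (10.0.0.5 is
# a placeholder); network segmentation should still restrict 27017 at the
# firewall so the listener is never internet-reachable.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled   # every client must authenticate as a role-scoped user
setParameter:
  # Create the first admin user over loopback *before* disabling this bypass;
  # afterwards an unauthenticated local connection has no privileges either.
  enableLocalhostAuthBypass: false
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true          # keep connection and auth-failure logs for auditing
```

Reviewing images and templates for `bindIp: 0.0.0.0` / `bindIpAll: true` paired with a missing or disabled `security.authorization` key is a quick way to audit for the configuration the campaign depends on.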

