I've acquired the portion of the log related to the hostage-taking, posted below. In particular, this log shows that __no__ backup of the data was taken. So please don't pay any money!
------------------------------------------
Although my colleagues and I already pointed out the issue of open-by-default databases in spring 2015 (see the references), today it seems, astonishingly, to be the first(?) time somebody took the opportunity to erase hundreds of MongoDBs, leaving only this message:
{ "_id" : ObjectId("5859a0370b8e49f123fcc7da"), "mail" : "[email protected]", "note" : "SEND 0.2 BTC TO THIS ADDRESS 13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq AND CONTACT THIS EMAIL WITH YOUR IP OF YOUR SERVER TO RECOVER YOUR DATABASE !" }
Well played, system admins.
Updates:
The price for the data seems to equate to about 200 USD currently. Thanks, wereHamster.
This has been going on since at least yesterday (https://twitter.com/achillean/status/816385533538631680). Thanks, NietTim.
There have already been transactions by presumed victims: https://bitref.com/13zaxGVjj9MNc2jyvDRhLyYpkCh323MsMq . Thanks, anondon.
Please read the official security checklist by MongoDB! In particular, use passwords and don't expose the database on all interfaces (duh!)! https://docs.mongodb.com/manual/administration/security-checklist/
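To make the two checklist points concrete, here is an added example (my own code, not MongoDB's tooling) that audits a mongod.conf for exactly the two mistakes behind these wipes: listening on every interface and running without authorization. Both config samples are constructed for illustration; the exposed one reflects the pre-3.6 behaviour, where mongod bound to all interfaces unless net.bindIp said otherwise (3.6 changed the default to localhost and added net.bindIpAll).

```python
"""Audit a mongod.conf for the two mistakes behind the 2017 MongoDB wipes:
listening on every interface and running without authorization.

Added example, not MongoDB's own tooling. The two config samples are
constructed. The parser handles only the two-level "section: / key: value"
YAML subset that mongod.conf actually uses, not general YAML.
"""

# Constructed sample: the open-by-default setup that got wiped.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from the whole internet
"""

# Constructed sample: the checklist's minimum of local binding plus auth.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the indented mongod.conf layout into {section: {key: value}}.
    Comments (from '#' to end of line) and blank lines are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not raw.startswith((" ", "\t")):
            # Top-level line: a section header, or (rarely) a scalar.
            if value:
                conf[key], section = value, None
            else:
                section = key
                conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    findings = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp")
    if net.get("bindIpAll") == "true":          # option added in MongoDB 3.6
        findings.append("net.bindIpAll is true: database reachable from any network")
    elif bind_ip is None:
        # Before 3.6, an unset bindIp meant listening on all interfaces.
        findings.append("net.bindIp not set: pre-3.6 mongod binds to all "
                        "interfaces by default")
    else:
        wildcards = [ip.strip() for ip in bind_ip.split(",")
                     if ip.strip() in ("0.0.0.0", "::")]
        if wildcards:
            findings.append("net.bindIp includes %s: database reachable "
                            "from any network" % ", ".join(wildcards))

    authz = conf.get("security", {}).get("authorization", "disabled")
    if authz != "enabled":
        findings.append("security.authorization is '%s': anyone who can "
                        "connect has full read/write/drop access" % authz)
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print("%s config:" % name)
        for finding in audit_mongod_conf(conf) or ["no findings"]:
            print("  - " + finding)
```

Run it against /etc/mongod.conf on a box you suspect; two findings on the first sample and none on the second is the expected output. Binding to localhost alone does not help if the box is shared or tunnelled, and enabling authorization is useless until an admin user actually exists, so both checks have to pass, and the checklist steps for creating that user still apply.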
Sources/References:
The Jan '15 info paper of which I am one of the authors: https://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf
(Jan '17) http://www.csoonline.com/article/3154190/security/exposed-mongodb-installs-being-erased-held-for-ransom.html
http://www.theregister.co.uk/2017/01/04/mongodb_installs_wiped_by_bitcoin_ransoming_script/
(German) https://www.heise.de/newsticker/meldung/Eindringling-nimmt-offenbar-MongoDB-Datenbanken-als-Geisel-3587479.html