Skip to main content

Mongo Lock Ransom Attack

Mongo Lock is a new campaign targeting unsecured MongoDB databases for ransom attacks

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

Mongo Lock is a new campaign targeting unsecured MongoDB databases for ransom attacks


Threat details

The attackers behind the campaign are scanning the internet for publicly available and unprotected MongoDB databases.

Once connected, the attackers export all reachable databases before deleting them, and will then leave a new database called "Warning" with a collection inside it named "Readme", which contains the ransom note.


Remediation advice

To limit the damage of ransomware and enable recovery:
All critical data must be backed up, and these backups must be sufficiently protected/kept out of reach of ransomware.


Remediation steps

Type Step
  • Multiple backups should be created including at least one off-network backup (e.g. to tape).
    The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Ensure that:

  • Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.
  • Network, proxy and firewall logs should be monitored for suspicious activity.
  • All operating systems, anti-virus and other security products are kept up-to-date.

Last edited: 14 December 2021 6:00 pm