TL;DR
Exposed databases are found and attacked within hours. Attackers delete your data, leave a ransom note, and demand Bitcoin payment. Ransoms range from $500 to $50,000. Paying rarely works because most attackers do not actually save your data. Prevention is simple: never expose databases to the internet, always require authentication, and maintain backups.
~2 hours: average time for an exposed database to be discovered and attacked (source: security researcher honeypot studies)
How Database Ransoming Works
The attack pattern is automated and efficient:
- Scanning: Bots continuously scan the internet for open database ports (MongoDB 27017, Redis 6379, Elasticsearch 9200)
- Connection: Attacker connects to exposed database with no authentication
- Data exfiltration (sometimes): Some attackers copy data first; many do not bother
- Deletion: All collections/indices are dropped
- Ransom note: A new collection or document is created with ransom demands
A typical ransom note looks like this:
Warning: Most attackers do NOT actually backup your data. They simply delete it and leave a ransom note. Paying usually results in nothing. This has been confirmed by security researchers tracking these attacks.
Databases Most Commonly Targeted
| Database | Default Port | Why Targeted |
|---|---|---|
| MongoDB | 27017 | Historically no auth by default, very common |
| Redis | 6379 | No password by default; protected mode only refuses remote clients if bind and password were left untouched. Often holds session data |
| Elasticsearch | 9200 | Unauthenticated HTTP API in older versions (security was optional before 8.x), typically full of logs and PII |
| CouchDB | 5984 | HTTP API; versions before 3.0 ran in "admin party" mode with no admin account, and upgrades are often misconfigured |
| Cassandra | 9042 | Less common but still scanned |
Total Cost of Database Ransom Attack
Prevention: The Basics
Never Expose Databases to the Internet
Databases should only be accessible from your application servers, not the public internet. Use private networks, VPCs, and firewall rules to restrict access.
Always Require Authentication
Even on private networks, always enable authentication. Recent versions of most databases bind to localhost or refuse remote clients by default, but many still accept any client without credentials once you open them to the network, and older versions and some container images do neither.
Use Strong Credentials
Do not use default usernames or weak passwords. Use long, random passwords stored in secrets management systems.
Maintain Regular Backups
Automated backups are your safety net. Test restoration regularly. Store backups in a separate location that cannot be accessed with the same credentials.
Quick check: Can you connect to your production database from your laptop without VPN? If yes, attackers can too. Fix this immediately.
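The settings this section describes can be checked mechanically. The following is an added example, not code from the original page: a small standard-library auditor that reads the text of a `redis.conf` and a `mongod.conf` and flags the combinations that get databases ransomed (listening on all interfaces, protected mode off, no password, no authorization). The config snippets are constructed here to show a weak configuration beside its hardened form; the addresses and the `requirepass` placeholder are assumptions, not real values.

```python
"""Audit Redis and MongoDB config text for the settings that get databases ransomed.

Added example, not from the original page. Standard library only; the config
snippets below are constructed to show a weak configuration next to a hardened one.
"""
import re

# Constructed: a redis.conf that listens everywhere with no password.
REDIS_WEAK = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed hardened form. 10.0.1.5 and the requirepass value are placeholders.
REDIS_HARDENED = """
bind 10.0.1.5
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command FLUSHALL ""
"""

# Constructed: a mongod.conf bound to all interfaces with no security section.
MONGO_WEAK = """
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened form: private address only, authorization on.
MONGO_HARDENED = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.5
security:
  authorization: enabled
"""


def _directive(text, name):
    """Value of the last uncommented 'name value' line (redis.conf semantics), or None."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if parts and parts[0].lower() == name:
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return value


def audit_redis(conf):
    findings = []
    bind = _directive(conf, "bind")
    # No bind directive means all interfaces; '-' prefixes (Redis 7) mark optional addresses.
    addrs = [a.lstrip("-") for a in bind.split()] if bind else []
    if not addrs or any(a in ("0.0.0.0", "*", "::") for a in addrs):
        findings.append("bind: listens on all interfaces (bind to a private address)")
    if (_directive(conf, "protected-mode") or "yes").lower() == "no":
        findings.append("protected-mode no: remote clients accepted without a password")
    if not _directive(conf, "requirepass"):
        findings.append("requirepass missing: no password required")
    return findings


def _yaml_scalar(text, key):
    """Minimal 'key: value' lookup for mongod.conf YAML, so no pyyaml dependency is needed."""
    m = re.search(r"^\s*%s\s*:\s*(.*?)\s*$" % re.escape(key), text, re.M)
    return m.group(1).strip().strip("\"'") if m else None


def audit_mongod(conf):
    findings = []
    bind = _yaml_scalar(conf, "bindIp")            # absent = localhost default on mongod 3.6+
    bind_all = (_yaml_scalar(conf, "bindIpAll") or "").lower() == "true"
    if bind_all or (bind and ("0.0.0.0" in bind or "::" in bind.split(","))):
        findings.append("net.bindIp: listens on all interfaces")
    if (_yaml_scalar(conf, "authorization") or "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: any client has full access")
    return findings


if __name__ == "__main__":
    for label, conf, fn in (("redis weak", REDIS_WEAK, audit_redis),
                            ("redis hardened", REDIS_HARDENED, audit_redis),
                            ("mongod weak", MONGO_WEAK, audit_mongod),
                            ("mongod hardened", MONGO_HARDENED, audit_mongod)):
        print(label, "->", fn(conf) or "no findings")
```

Run it against your real files (`audit_redis(open("/etc/redis/redis.conf").read())`) as a pre-deploy check; a finding here means the database is only one firewall mistake away from the attack pattern above. Note that `bindIp: 127.0.0.1` alone is not enough if you then publish the port through a container runtime or cloud load balancer, which is why the config audit and the network check both belong in the routine.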
What to Do If Your Database Is Ransomed
- Do not panic: Panicked decisions are usually wrong decisions
- Do not pay immediately: Attackers usually do not have your data
- Check backups: Identify your most recent backup and verify it works
- Secure the database: Close public access, enable authentication, and rotate any credentials the attacker could have read from the data
- Restore from backup: Restore to a secured database instance
- Assess data exposure: Determine if attackers copied data before deleting; connection logs and outbound traffic metrics from before the deletion are the evidence
- Notify if required: If personal data was exposed, legal notification may be required
Last resort: If you have no backups and the data is critical to your business, you may consider paying, but understand that success rates are very low (under 20% by most estimates). Some attackers run scams where they never had your data at all.
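The "assess data exposure" step above comes down to one question: who connected from outside your network before the data disappeared? As an added example (not code from the original page), the script below triages a mongod log for accepted connections from addresses outside a trusted range. The log lines are constructed in the JSON format mongod 4.4+ writes (`"msg":"Connection accepted"` with `attr.remote`); the trusted ranges and the `203.0.113.0/24` documentation address are assumptions for the sample, and you would substitute your own VPC ranges.

```python
"""Triage a mongod log for connections that arrived from outside trusted networks.

Added example for the 'assess data exposure' step; not from the original page.
SAMPLE_LOG is constructed in the mongod 4.4+ JSON log format; TRUSTED_NETS is an
assumption standing in for the deployment's real VPC ranges.
"""
import ipaddress
import json

# Assumption: anything outside these ranges counts as external for this deployment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Constructed sample log. 203.0.113.0/24 is a documentation range, not a real attacker.
SAMPLE_LOG = "\n".join([
    '{"t":{"$date":"2024-05-01T02:11:09.101+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.1.20:51744","connectionId":11,"connectionCount":2}}',
    '{"t":{"$date":"2024-05-01T02:14:31.550+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.44:40122","connectionId":12,"connectionCount":3}}',
    '{"t":{"$date":"2024-05-01T02:14:33.002+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.44:40124","connectionId":13,"connectionCount":4}}',
    '{"t":{"$date":"2024-05-01T02:20:00.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn12","msg":"Connection ended","attr":{"remote":"203.0.113.44:40122","connectionId":12,"connectionCount":3}}',
    'not json at all',
])


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def external_connections(log_text):
    """Return {ip: [timestamps]} for accepted connections from untrusted addresses."""
    hits = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue                       # non-JSON lines (older format, partial writes) are skipped
        if rec.get("msg") != "Connection accepted":
            continue
        remote = rec.get("attr", {}).get("remote", "")
        ip = remote.rsplit(":", 1)[0].strip("[]")   # drop the port; handles [v6]:port too
        if not ip or is_trusted(ip):
            continue
        hits.setdefault(ip, []).append(rec.get("t", {}).get("$date"))
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, stamps in external_connections(text).items():
        print(f"{ip}: {len(stamps)} connection(s), first at {stamps[0]}")
```

Read the result conservatively: the first external timestamp bounds when the exposure began, and any external connection that predates the ransom note's creation time means the data may have been read, whatever the note claims. If the log has no such entries because logging was off or the file was rotated away, treat exposure as unknown rather than as ruled out.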
How quickly are exposed databases ransomed?
Exposed databases are typically found and attacked within hours. Automated bots continuously scan the internet for open MongoDB, Redis, Elasticsearch, and other database ports. Once found, attackers copy or delete your data and leave a ransom note demanding Bitcoin payment.
Should I pay the database ransom?
Paying is generally not recommended. Many attackers do not actually save your data and cannot restore it even if you pay. Some victims pay and receive nothing. If you have backups, restore from backup. If you do not have backups, paying may be your only option but has low success rates.
How much do database ransoms cost?
Database ransoms typically range from $500 to $5,000 for small databases, scaling up to $50,000+ for larger datasets or businesses perceived as having more resources. The ransom amount is often calibrated based on the apparent value of the data found.
How do I know if my database is exposed?
Check if your database port is accessible from outside your network. Use security scanning tools, or try connecting from a network outside your infrastructure. Services like Shodan index exposed databases and can show you if yours is visible. Our scanner also checks for this.
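The quick check in the prevention section (connect from your laptop without VPN) and the question above can be scripted. The following is an added example, not the page's scanner and not code from the original page: from a host outside your network it opens a TCP connection to each port in the table and sends one harmless probe (a Redis `PING`, an HTTP `GET` for Elasticsearch and CouchDB) to tell "port open" apart from "port open and no authentication". The MongoDB and Cassandra entries only test reachability; a reachable port there still warrants a manual authentication check. The classifiers are pure functions so the decision logic can be exercised offline; the target host is whatever you pass on the command line.

```python
"""Check whether database ports answer an unauthenticated client.

Added example, not the page's scanner. Standard library only. Run from a host
OUTSIDE your infrastructure:  python3 dbcheck.py db.example.com
"""
import socket
import sys

# Port -> (name, probe bytes). None means connect only, no protocol probe.
PROBES = {
    6379:  ("Redis",         b"PING\r\n"),
    9200:  ("Elasticsearch", b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"),
    5984:  ("CouchDB",       b"GET /_all_dbs HTTP/1.0\r\nHost: localhost\r\n\r\n"),
    27017: ("MongoDB",       None),
    9042:  ("Cassandra",     None),
}


def classify_redis(reply: bytes) -> str:
    if reply.startswith(b"+PONG"):
        return "OPEN, NO AUTH"              # command executed without a password
    if reply.startswith(b"-NOAUTH"):
        return "auth required"
    if reply.startswith(b"-DENIED"):
        return "protected mode (refusing remote clients)"
    return "unknown reply"


def classify_http(reply: bytes) -> str:
    status = reply.split(b"\r\n", 1)[0]
    if b" 200 " in status:
        return "OPEN, NO AUTH"              # endpoint served without credentials
    if b" 401 " in status or b" 403 " in status:
        return "auth required"
    return "unknown reply: " + status.decode("latin-1", "replace")


def probe_port(host, port, timeout=3.0):
    name, probe = PROBES[port]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe is None:
                return name, "port reachable (verify auth manually)"
            s.sendall(probe)
            reply = s.recv(1024)
    except OSError as e:
        return name, f"closed/filtered ({e.__class__.__name__})"
    classify = classify_redis if port == 6379 else classify_http
    return name, classify(reply)


def scan(host):
    return {port: probe_port(host, port) for port in PROBES}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, (name, verdict) in scan(host).items():
        print(f"{name:14} {port:5}  {verdict}")
```

Any "OPEN, NO AUTH" or "port reachable" line from an external vantage point is the exact condition the scanning bots look for; "closed/filtered" on every port is what you want to see. Only run this against hosts you own or are authorised to test.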
Check Your Database Security
Our scanner detects exposed databases and other security issues before attackers find them.