Princeton University became one of the more than 27,000 entities that recently had their databases wiped by attackers who claim that if victims pay a ransom, they’ll get their data back. The attackers have been able to access and overwrite databases in MongoDB installations that were left open on port 27017. With no login or authentication required, anyone can access the files, exfiltrate them, edit them to corrupt the data, or just delete them all. In these cases, the attackers are deleting the databases.
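The two settings that together produce the exposure described above are a non-loopback bind address and authorization left disabled. The following audit script is an added example, not code from the article or from MongoDB; it uses a deliberately minimal parser for the two-level `mongod.conf` layout and treats a missing `bindIp` as "all interfaces" (the pre-3.6 binary default), which is an assumption chosen so that an unstated setting is audited conservatively.

```python
import re

# Constructed sample: the kind of configuration behind the January 2017 wipes.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from every interface
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: loopback-only listener with access control turned on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_mongod_conf(text):
    """Tiny parser for 'section:\\n  key: value' files (example-only, not YAML)."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop trailing comments
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        if indent == 0:
            section = key
            cfg.setdefault(section, {})
        elif section is not None:
            cfg[section][key] = value
    return cfg

def audit_mongod_conf(text):
    """Flag the combination that lets anyone on the network dump or drop every
    database: listening beyond loopback while authorization is not enabled."""
    cfg = parse_mongod_conf(text)
    net, sec = cfg.get("net", {}), cfg.get("security", {})
    port = int(net.get("port", "27017"))
    # Assumption: absent bindIp means all interfaces (pre-3.6 binary default).
    addrs = [a.strip() for a in net.get("bindIp", "0.0.0.0").split(",")]
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    exposed = bind_all or any(a not in ("127.0.0.1", "::1", "localhost") for a in addrs)
    auth_enabled = sec.get("authorization", "disabled").lower() == "enabled"
    risk = "critical" if exposed and not auth_enabled else ("high" if exposed or not auth_enabled else "ok")
    return {"port": port, "exposed": exposed, "auth_enabled": auth_enabled, "risk": risk}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf))
```

A "critical" result is exactly the state the article describes: port 27017 answering to anyone, with no credentials needed to list, read or drop databases.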
The attack on Princeton was first detected by DataBreaches.net on January 7, and confirmed by Victor Gevers, the ethical hacker and founder of GDI who has been responsible for thousands of notifications.
After the attack, the database was replaced with a database called PLEASE_READ that contained the ransom demand.
In this case, the replacement database provided an email address of [emailprotected] and the following note: SEND 0.2 BTC TO THIS ADDRESS...(continued)