Mass Database Extortion Campaign Targets Over 30,000 Systems
Severity: High (Score: 64.5)
Sources: Securityaffairs.Co, Feeds.Feedburner
Keywords: damage, ransomware, economy, exposed, databases, database, extortion
Severity indicators: ransomware, rat
Summary
A five-year study revealed that 30,515 exposed databases were targeted by ransom attacks, leading to significant damage even without payments. The Ransomnews Research Team's analysis from May 2021 to May 2026 found that 46.3% of these databases contained ransom or wipe notes, affecting over 215 billion records. Despite the low payment rate, attackers utilized 514 unique bitcoin wallets, with 318 showing no transaction history. The study highlighted a shift from destructive attacks to extortion, emphasizing the need for enhanced security measures. Compromised systems included MongoDB and MySQL, which were almost universally affected when exposed. The total confirmed revenue from these attacks was approximately $753,000, indicating a lucrative but damaging trend in the ransomware economy.
Key Points:
- Over 30,000 databases targeted in ransom attacks over five years.
- 46.3% of affected databases contained ransom or wipe notes.
- Attackers shifted focus from data destruction to extortion for profit.
Detailed Analysis
**Impact**
Over 30,000 exposed databases were targeted by ransom attacks between May 2021 and May 2026, affecting systems holding more than 215 billion records. The attacks caused significant damage through data theft, deletion, or ransom demands, despite a low victim payment rate. Exposed MongoDB and MySQL databases were compromised almost universally, impacting multiple sectors and geographies, though specific industries and locations were not detailed. Operational consequences include data loss and service disruption due to data wiping and extortion attempts.
**Technical Details**
Attackers exploited publicly exposed database ports, primarily targeting MongoDB and MySQL systems. The campaign involved ransom or wipe notes left on compromised systems, with 46.3% of 65,000 analyzed databases showing such indicators. No specific malware, CVEs, or tools were mentioned; however, the attackers shifted from destructive wiping to extortion-focused tactics. The presence of 514 unique attacker bitcoin wallets was noted, with most victims not paying. Indicators of compromise include ransom/wipe notes and exposed database ports.
**Recommended Response**
Immediately restrict public exposure of database ports and implement strong authentication and network segmentation to prevent unauthorized access. Monitor for ransom or wipe notes on database systems and review logs for unauthorized access attempts. Deploy detections for unusual database activity and block known attacker bitcoin wallet addresses where possible. No specific patches or CVEs were identified; focus on hardening configurations and continuous monitoring.
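The two indicators the analysis names, a database listening on a public interface and a ransom or wipe note left in place of the data, are both cheap to check for. The script below is an added example written for this page; it is not code from the study or from either source article. It audits a mongod.conf or my.cnf bind address for non-loopback listeners and scans a snapshot of collections or tables for note-like names, ransom vocabulary and Bitcoin-address-shaped strings, flagging the "one note collection left" pattern that a wipe leaves behind. The configuration files, the snapshot and the term list are constructed here, and the address regex is a shape heuristic, not a checksum validator.

```python
"""Defender-side audit for exposed database listeners and ransom/wipe notes.
All inputs below are constructed samples; nothing is taken from the study."""
import re

# Vocabulary that tends to co-occur in database ransom/wipe notes (heuristic list).
RANSOM_TERMS = ("bitcoin", "btc", "wallet", "ransom", "restore", "recover",
                "backed up", "deleted", "dumped", "leak")
# Collection/table names attackers commonly use to hold the note (heuristic).
NOTE_NAME_RE = re.compile(r"readme|read_me|warning|recover|restore|ransom|how_to|pwned", re.I)
# Loose Bitcoin address shape (legacy base58 or bech32); a shape check only, no checksum.
BTC_ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def exposed_bind_addresses(config_text: str, fmt: str) -> list:
    """Return bind addresses in a mongod.conf ('mongodb') or my.cnf ('mysql')
    that are not loopback. 0.0.0.0 or :: means every interface."""
    if fmt == "mongodb":
        pat = re.compile(r"^\s*bindIp\s*:\s*(.+?)\s*$", re.M)
    elif fmt == "mysql":
        pat = re.compile(r"^\s*bind[-_]address\s*=\s*(.+?)\s*$", re.M)
    else:
        raise ValueError("fmt must be 'mongodb' or 'mysql'")
    found = []
    for m in pat.finditer(config_text):
        for addr in m.group(1).split(","):        # mongod allows a comma list
            addr = addr.strip().strip("\"'")
            if addr and addr not in LOOPBACK:
                found.append(addr)
    return found


def _text_of(doc) -> str:
    """Flatten a document/row (dict, list or scalar) to one string, case preserved."""
    if isinstance(doc, dict):
        return " ".join(_text_of(v) for v in doc.values())
    if isinstance(doc, (list, tuple)):
        return " ".join(_text_of(v) for v in doc)
    return str(doc)


def find_ransom_notes(snapshot: dict) -> list:
    """snapshot: {db_name: {collection_or_table: [documents_or_rows]}}.
    Returns (db, collection, reasons) for anything that looks like a ransom/wipe note."""
    findings = []
    for db, colls in snapshot.items():
        for coll, docs in colls.items():
            reasons = []
            if NOTE_NAME_RE.search(coll):
                reasons.append("note-like name")
            raw = _text_of(docs)
            low = raw.lower()
            terms = [t for t in RANSOM_TERMS if t in low]
            if len(terms) >= 3:                   # three hits cuts noise from ordinary app data
                reasons.append("ransom vocabulary: " + ", ".join(terms))
            if BTC_ADDR_RE.search(raw):           # scan case-preserved text for base58
                reasons.append("bitcoin address present")
            if reasons and len(colls) == 1:       # note is all that remains: likely wiped
                reasons.append("only collection left in database (possible wipe)")
            if reasons:
                findings.append((db, coll, reasons))
    return findings


# Constructed sample inputs (hypothetical; not from any real system).
SAMPLE_MONGOD_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""
SAMPLE_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
"""
SAMPLE_SNAPSHOT = {
    "shop": {
        "READ_ME_TO_RECOVER_YOUR_DATA": [
            {"content": "All your data is backed up. You must pay 0.02 BTC to "
                        "bc1qexampleplaceholderaddress0000000000 or it will be leaked and deleted."}
        ]
    },
    "analytics": {
        "events": [{"user": "alice", "action": "login"}, {"user": "bob", "action": "logout"}],
        "settings": [{"theme": "dark"}],
    },
}


def audit() -> dict:
    """Run both checks over the constructed samples and return the findings."""
    return {
        "mongodb_exposed": exposed_bind_addresses(SAMPLE_MONGOD_CONF, "mongodb"),
        "mysql_exposed": exposed_bind_addresses(SAMPLE_MY_CNF, "mysql"),
        "ransom_notes": find_ransom_notes(SAMPLE_SNAPSHOT),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(check, "->", result)
```

In practice the snapshot would be built from a listing of collections and a sample of their documents taken through the database's own client, and the bind-address check would run against the live configuration on each host; both findings feed the "monitor for ransom or wipe notes" and "restrict public exposure" items above.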
Source articles (2)
- The Hidden Ransomware Economy Running on Exposed Databases — Securityaffairs.Co · 2026-05-26
  A 5-year study on the Ransomware Economy found that 30,515 exposed databases were hit by ransom attacks, causing massive damage despite victims never paying. Database extortion doesn't look like the r…
- Mass database extortion causes significant damage despite low payment rates — Feeds.Feedburner · 2026-05-27
  As reported by Security Affairs, a five-year study on the ransomware economy has revealed that over 30,000 exposed databases were targeted by ransom attacks, resulting in substantial damage even when…
Timeline
- 2021-05-01 — Study on ransomware economy begins: The Ransomnews Research Team starts a five-year analysis of exposed databases and ransom attacks.
- 2026-05-26 — Study findings published: The Ransomnews Research Team reports on the impact of ransom attacks on over 30,000 databases.
- 2026-05-27 — Current damage assessment released: The study reveals significant damage from ransom attacks despite low payment rates, affecting over 215 billion records.
Related entities
- Ransomware (Attack Type)
- CWE-200 - Exposure of Sensitive Information (CWE)
- T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
- MongoDB (Platform)
- MySQL (Platform)