
MongoLock Ransomware

By GoldSparrow in Ransomware

The MongoLock Ransomware is a Trojan that was discovered in September 2018 and received a small update in December 2018. The cyber-threat received its name from the profile of the victims it claimed. Threat actors scanned known MongoDB servers over the Internet and identified vulnerable systems. The actors then infected the targeted servers and wiped the hosted databases. System administrators received a simple text file called 'Warning.txt,' which was dropped as one of the main configuration files in the MongoDB structure. The 'Warning.txt' file was a ransom note informing the server administrators that they had been compromised and that the only way to get the lost data back was to transfer 0.1 Bitcoin (324 USD/285 EUR) to a set wallet address and write to the 'unlockandrecover@pm.me' email address. You should note that the MongoLock Ransomware behaves like a data wiper: it does not leave encrypted data on the infected servers. Server operators are greeted by empty and non-functional databases by the time they detect the third-party intrusion.

The ransom note in 'Warning.txt' reads:

'Warning!
Your File and DataBase is downloaded and backed up on our secured servers. To recover your lost data : Send 0.1 BTC to our BitCoin Address and Contact us by eMail with your server IP Address and a Proof of Payment. Any eMail without your server IP Address and a Proof of Payment together will be ignored. We will drop the backup after 24 hours. You are welcome!
Mail:unlockandrecover@pm.me
BitCoin:1NrZsNppQqXNiYnu34MPo6K2sHYyMPjR4h'

The first and second waves of attacks are attributed to the same threat actors, judging by the small changes to the core components of the program and the continued use of the 'unlockandrecover@pm.me' email account. Companies and regular users alike are advised to make sure that they have installed the latest version of MongoDB and have implemented a strong access policy to minimize the risk of being infected with the MongoLock Ransomware. The threat at hand is known to wipe storage disks clean, so it is best to have offsite backups set up. AV companies refer to the attacks by the MongoLock Ransomware using the following security alerts:

HEUR/QVM11.1.A055.Malware.Gen
ML.Attribute.HighConfidence
Ransom.Cryptor/Variant
Trojan ( 0053ef601 )
Trojan-FQDP!7710604C5FF0
Trojan.Agent!uGf3fNXXHas
Trojan.Generic.D26BABE9
Trojan.Generic.csqhd
Trojan/Win32.FileCoder.R239529
W32/Generic.AC.429112
W32/Trojan.BPGO-5187
Win32:Trojan-gen
a variant of Win32/Filecoder.NSG
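The access-policy advice above comes down to two mongod settings: not exposing the listener to every interface, and not running without authorization. The following audit script is an added example (not part of this threat entry or of MongoDB itself); it uses a minimal stdlib parser for the flat two-level layout of mongod.conf instead of PyYAML, and the two sample configs are constructed for illustration.

```python
"""Audit a mongod.conf for the two settings that let a MongoLock-style
attacker reach and wipe a database: listening on all interfaces and running
without authorization. Stdlib only: a minimal parser for the flat
'section:\n  key: value' layout of mongod.conf is used instead of PyYAML."""

def parse_mongod_conf(text):
    """Return {'section.key': value} for a two-level mongod.conf (comments stripped)."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(':')   # split at the first colon only
        if raw.startswith((' ', '\t')) and section:
            settings[f'{section}.{key.strip()}'] = value.strip()
        else:
            section = key.strip()
            if value.strip():
                settings[section] = value.strip()
    return settings

def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass.
    Defaults assumed when a key is absent: authorization disabled, bindIp 127.0.0.1."""
    s = parse_mongod_conf(text)
    findings = []
    if s.get('security.authorization', 'disabled').lower() != 'enabled':
        findings.append('security.authorization is not "enabled": any client that can connect has full access')
    bind_all = s.get('net.bindIpAll', 'false').lower() == 'true'
    bind_ips = [ip.strip() for ip in s.get('net.bindIp', '127.0.0.1').split(',')]
    if bind_all or any(ip in ('0.0.0.0', '::') for ip in bind_ips):
        findings.append('mongod listens on every interface: restrict net.bindIp to loopback or the application network')
    return findings

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the Internet
"""  # no security section at all, so authorization stays disabled

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ['OK'])
```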
