An unknown cybercriminal has infiltrated 22,900 unsecured MongoDB databases, wiping their contents and leaving behind a ransom note demanding bitcoin in return for the data. If the ransom isn’t paid within two days, they threatened to notify authorities in charge of enforcing the European Union’s General Data Protection Regulation (GDPR).

According to ZDNet, which broke the story, the hacker is using automated scripts to scour the internet for MongoDB installations that face the internet with no password protection, deleting their contents, and asking for 0.015 bitcoins (some US$140) to return the data.

The cybercriminal was even “thoughtful” enough to provide a guide on how to purchase bitcoins. It seems that the bad actor is using multiple bitcoin wallets and email addresses, but the wording of the threat remains consistent. If the conditions aren’t met, they threaten to leak the data and contact GDPR regulators.

Victor Gevers, a security researcher at the GDI Foundation, pointed out that the first few attacks lacked the data-wiping feature. Once the miscreants realized the mistake in their script, they amended it and started wiping the MongoDB databases. Instances of attacks using this particular ransom note have been recorded all the way back to April of this year.

The researcher, whose responsibilities include reporting exposed servers, stated that he noticed the wiped systems while checking on MongoDB databases he was supposed to report so they could be secured. "Today, I could only report one data leak. Normally, I can do at least between 5 or 10," he added.

While the demanded ransom may seem like a paltry sum, multiply it by the number of unsecured databases and it turns out that the malicious actor is trying to extort almost US$3.2 million in total. Although it’s safe to say that far from each affected entity will give in to the demands, the threat of GDPR fines may convince some to pay, since the ransom pales in comparison to the enormous fines that can be handed down by regulatory authorities.

Unsecured and misconfigured databases can hardly be considered an uncommon occurrence. In one notable example, ethical hackers left “friendly warnings” in exposed Amazon S3 cloud storage databases.

Attacks that involve infiltrating and holding cloud databases for ransom have been around since at least 2016. If you’re a MongoDB database administrator who’d rather avoid dealing with such extortion attempts, you might want to check out this MongoDB security manual or thumb through our five general tips for keeping your databases secure.