New Mongolock ransomware deletes files

Walden Systems Geeks Corner: Ransomware News
The Accordion system converts an ordinary external HD into a NAS box and lets you back up data to any USB-based storage device, whether RAID, SATA, ATA, IDE, SSD, or even a CF card. The Accordion backup appliance is a self-contained device that can use any external storage for backing up data: spare capacity on existing workstations or servers, an existing NAS, or any USB-based storage device. Accordion is agnostic about where it backs up to and what storage technology is used.

A new strain of MongoLock ransomware is being spread in a global attack. A 0.1 BTC ransom is demanded, even though file recovery may not be possible: the ransomware deletes files immediately and formats backup drives. MongoLock was first detected in January 2017. A major attack involving the ransomware was detected in September 2018, and the latest wave has been ongoing since December 2018. The attackers gain access to Internet-exposed MongoDB databases that have no or weak authentication, delete the data, and replace the database with a new one whose only content is an entry named readme containing the ransom demand. Trend Micro examined more than 200 samples and found the highest number of infections in South Korea, Great Britain, the United States, Argentina, Canada, Germany, Taiwan and Hong Kong.
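The attack described above works because the database accepts connections from the Internet without requiring credentials. The following script, an added example that is not code from the original article, from Walden Systems or from Trend Micro, audits a mongod.conf for exactly that combination: a listener on non-loopback interfaces together with `security.authorization` not enabled. The option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`) are MongoDB's documented ones; the two configuration texts embedded in the script are constructed samples, and the parser handles only the indentation-based mapping subset of YAML that mongod.conf uses, so the script runs offline with the standard library alone.

```python
"""Audit a mongod.conf for the exposure that MongoLock-style attacks rely on.

Added example (not from the original article, Walden Systems or Trend Micro).
It flags a mongod that listens on non-loopback interfaces while
security.authorization is not enabled. Both config texts are constructed.
"""
import ipaddress
from typing import Any, Dict, List

WEAK_CONF = """\
# constructed sample: listens on every interface, no access control
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: loopback only, authorization enabled
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text: str) -> Dict[str, Any]:
    """Parse the indentation-based mapping subset of YAML used by mongod.conf.

    Values are kept as strings and '#' starts a comment. Lists and multi-line
    scalars are not supported; they do not occur in the options audited here.
    """
    root: Dict[str, Any] = {}
    stack = [(-1, root)]          # (indent, mapping) from outermost to innermost
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:   # dedent: leave the nested mappings
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:                           # "key:" opens a nested mapping
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def _is_local(addr: str) -> bool:
    """True for loopback addresses, 'localhost' and Unix socket paths."""
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:                  # hostname or '*': assume reachable
        return False


def audit(conf: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means no exposure found."""
    findings: List[str] = []
    net = conf.get("net")
    security = conf.get("security")
    net = net if isinstance(net, dict) else {}
    security = security if isinstance(security, dict) else {}

    bind = net.get("bindIp")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        # MongoDB 3.6+ defaults to 127.0.0.1; earlier releases bound all interfaces
        findings.append("net.bindIp is unset: exposure depends on the server version default")
    else:
        public = [a.strip() for a in str(bind).split(",") if not _is_local(a.strip())]
        if public:
            findings.append("net.bindIp accepts remote connections on: " + ", ".join(public))

    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not enabled: any client that connects has full access")
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a config text and audit it."""
    return audit(parse_conf(text))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_text(text) or ['no findings']}")
```

Run it against your own `/etc/mongod.conf` by passing the file's contents to `audit_text`. Two caveats a practitioner should keep in mind: enabling `security.authorization` on an instance that has no users yet leaves only the localhost exception for creating the first administrative user, so create that user before restarting with authorization on; and a loopback-only `bindIp` protects nothing if a firewall rule or container port mapping forwards port 27017 from a public address.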

The attackers claim that the database was exported before it was deleted. Victims are told to pay 0.1 BTC to a supplied Bitcoin wallet or to contact the attackers by email. Many victims have paid the ransom, but there is no guarantee that data can be recovered. It is unclear whether the attackers actually keep a copy of the database or simply delete it. The attacks are automated: scripts are used to supposedly back up the database, delete it, and create the ransom note. The backup step may fail even if the attackers intend to obtain a copy, in which case nothing exists to restore after payment.

This new version of MongoLock also scans local drives and deletes important data, including files saved to the Desktop, My Documents, Recent files, Favorites, and any backup files it can locate. The drives are then formatted, which makes payment of the ransom all the more likely. Users are told that they have only 24 hours to pay before the database is permanently deleted. The file deletion script runs after the files have been uploaded to the attackers' C2 server, so there is a possibility that the data can be recovered if the ransom is paid. If the computer is taken offline, however, file deletion continues but no copy reaches the attackers, so payment cannot recover anything.

To help protect yourself from ransomware attacks, always keep a backup of your important data. Consider a backup solution such as Accordion, where the backup drive is not accessible from potentially infected workstations: choose a solution in which the backup device pulls the data to be backed up rather than the workstation pushing it, so malware on the workstation has no path to the backup storage. Because these attacks begin with an exposed MongoDB instance, database owners should also enable access control and bind MongoDB to internal interfaces only. Other ways to protect yourself are to avoid installing software from unauthorized sites and to keep your security software up to date.