MongoLock Ransomware

The vicious MongoLock Ransomware has been created to attack unprotected MongoDB databases. If the threat is successful at detecting a vulnerable database, it can wipe it and then request money in return for the data to be recovered. Unfortunately, there is proof that some victims have been pushed into following the instructions of attackers as the Bitcoin wallets that are used for the collection of the ransom payments are not empty. Also, we have found two wallets, and it is possible that others exist too, and so it is basically impossible to know the true scale of the attack. Are databases restored once the ransoms are paid? We cannot make any concrete statements here, but it is highly unlikely that data can be recovered. Even if the attackers back it up and are able to restore it, it is unlikely that they would waste any of their time assisting victims once their mission is complete, and it is complete once the money is transferred into their accounts. In any case, whether or not your database is restored, you must remove MongoLock Ransomware, and we have a few tips that will help you.

MongoDB databases can be accessed remotely, but they can be accessed without the victim’s notice only if they are vulnerable. Once an unprotected server is found by scanning the web, the attacker can do whatever they want, and that might include encrypting or deleting data. In fact, it appears that, in most cases, MongoLock Ransomware deletes the targeted database and replaces it with a new one. According to our research team, the new one might be created with the title “Warning.” Needless to say, if your database is removed, recovering it is not an option, and that is the main reason we do not recommend following the demands of the attackers. These demands are delivered to the victims using a ransom note that is created in the new database. According to the message, all lost data is backed up and can be recovered by paying a ransom. It appears that there are several different versions of the ransom note, and the requested ransom might be different in every case. The sample we analyzed requested a ransom of 0.1 Bitcoin to be transferred to the 1NrZsNppQqXNiYnu34MPo6K2sHYyMPjR4h Bitcoin wallet. At the time of research, 5 transactions (0.0745 BTC in total) had been made. The second wallet that appears to belong to the same attackers (3FAVraz3ovC1pz4frGRH6XXCuqPSWeh3UH) accumulated a total of 1.8 BTC.

The ransom message delivered by MongoLock Ransomware informs that once the ransom is paid, the victim has to email the attacker (e.g., unlockandrecover@pm.me, dbbackups@protonmail.com, or another email address) to prove the transaction. As we discussed already, paying the ransom is not a good option because it is unlikely that you will be able to have the corrupted database restored even if you followed all instructions. Most likely, your database is deleted, and there is nothing that can be done to salvage it. Of course, the attackers claim that all data is backed up, but that could be just a trick to make you think that there is a way out of this messy situation. Hopefully, you yourself had the data stored on the database backed up, and you do not even need to think about what the creators of MongoLock Ransomware are offering to you. If that is not the case, let this be a lesson that databases are vulnerable.

The situation is very simple here: If you do not want your MongoDB database attacked again, you need to take appropriate security measures. MongoLock Ransomware is just one malicious threat that could affect it, and it is your job to ensure that well-rounded security is ensured. You have to make sure that access control is enabled, authentication mechanisms are enforced, all communication and data is encrypted, and network exposure is limited. If you take care of your database and its security, you should be able to evade malicious ransomware and other kinds of threats. Right now, of course, we need to delete MongoLock Ransomware because it is the infection that you are dealing with. Erasing the threat manually might be challenging, but if you employ reliable anti-malware software, it will be removed automatically. Remember that this software can also strengthen overall protection to help you evade security threats.

MongoLock Ransomware Removal

1. Tap Ctrl+Alt+Delete to launch a menu and click Start Task Manager.
2. In the Processes list look for unfamiliar processes to find the ones that belong to the ransomware.
3. If you find a process that you believe is malicious, right-click it, and choose Open file location.
4. In the Task Manager, select the malicious process, and click End process.
5. Then, right-click the malicious .exe file linked to the process and choose Delete. A few possible locations:
   • %USERPROFILE%\Desktop
   • %USERPROFILE%\Downloads
   • %TEMP%
6. Empty Recycle Bin to make sure that these components are eliminated.
7. Install and run a trustworthy malware scanner to check if your system is clean or if malware persists.