A five-year study of the ransomware economy reveals that threat actors are targeting publicly exposed databases, primarily MongoDB and MySQL instances, for mass data extortion. The attack vector involves scanning for and directly compromising databases with open ports, after which data is stolen or wiped and a ransom note is left; the study found 46.3% of over 65,000 exposed databases contained such notes. The research underscores that significant damage occurs regardless of payment and emphasizes the critical need for robust security measures, including avoiding direct public exposure of database ports and implementing strong authentication and network segmentation.
Ransomware Mass database extortion causes significant damage despite low payment rates May 27, 2026 Share By SC Staff As reported by Security Affairs, a five-year study on the ransomware economy has revealed that over 30,000 exposed databases were targeted by ransom attacks, resulting in substantial damage even when victims did not pay. The Ransomnews Research Team's five-year study, spanning from May 2021 to May 2026, analyzed over 65,000 exposed databases, finding that 46.3% contained ransom or wipe notes. These compromised systems held more than 215 billion records, with data being stolen, wiped, or held for ransom. The study identified 514 unique attacker bitcoin wallets, with 318 showing no transaction history, indicating that the vast majority of victims did not pay. The total confirmed revenue across the dataset was approximately $753,000. The research highlights that the damage is inflicted regardless of payment, as data is often copied or deleted before the ransom note is even discovered. Exposed MongoDB and MySQL systems were compromised almost universally when found. The study also noted a shift from destructive attacks to extortion, as operators prioritize payment over data destruction for revenue. The findings underscore the need for robust security measures, such as avoiding direct public exposure of database ports and implementing strong authentication and network segmentation, as exposure often signifies that compromise has already occurred. Source: Security Affairs An In-Depth Guide to Ransomware Get essential knowledge and practical strategies to protect your organization from ransomware attacks. Learn More SC Staff Related Malware BTMOB Android RAT poses significant threat with easy-to-use builder SC Staff May 27, 2026 First identified in February 2025, BTMOB evolved from the SpySolr malware. Phishing Formula 1 fans targeted by evolving scams, Bitdefender warns SC Staff May 26, 2026 Bitdefender's Fan Threat Index highlights four major threats targeting Formula 1 enthusiasts: counterfeit merchandise, fraudulent ticket sales, malicious streaming services, and sophisticated social engineering attacks. Malware Fake AI tool websites used to steal developer data SC Staff May 26, 2026 The attack campaign employs SEO poisoning to elevate fake installation pages in search engine results, leading developers searching for AI tools like Google Gemini CLI or Anthropic's Claude Code to typosquatted domains. Related Events Cybercast Ransomware reloaded: Finding resilience when attackers wield AI On-Demand Event Virtual Conference Ransomware Resilience: Strategies to Defend, Mitigate, and Recover On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe You can skip this ad in 5 seconds