
Study finds 46% of exposed databases were already compromised


Researchers who tracked publicly exposed databases for five years found that, for certain database types, exposure and compromise are functionally the same.


What happened

The Ransomnews Research Team published a five-year analysis of exposed databases on the public internet, covering 65,907 systems across MongoDB, MySQL, Elasticsearch, Kibana, and HTTP-based admin panels tracked between May 2021 and May 2026. Of those, 30,515 databases (46.3%) already contained a ransom note or wipe message when researchers discovered them. According to the full report, the compromised systems held more than 215 billion records based on pre-attack row counts, with data variously stolen, wiped, or held for ransom. Total confirmed ransom payments across 514 identified attacker bitcoin wallets came to 9.78 BTC, roughly $753,000. Of the 512 wallets that could be traced, 318 had received zero payments, meaning the damage had already been done with no financial return for attackers and no recovery for victims.


Going deeper

The per-engine compromise rates are where the research becomes most useful for defenders. Of 3,532 exposed MongoDB instances, 3,525 had ransom notes, a 99.8% compromise rate. MySQL showed 2,930 of 2,931 exposed systems compromised. Elasticsearch sat at roughly 98%. HTTP-based admin panels behaved differently, at around 26%, largely because many had some form of authentication in place, however weak. Researchers concluded that for those database engines, exposure is not a risk factor but confirmation of compromise.

The attack pattern is heavily automated. A single bitcoin wallet address appeared in 1,283 ransom notes tied to 1,234 victim systems across 49 countries, every note demanding exactly 0.01 BTC, and the scheme ran continuously from October 2023 through May 2026 without changing the amount. The largest ransom note template family appeared on 17,908 systems. Researchers found roughly 2,100 distinct contact email addresses in the notes, yet a small number of Tutanota and OnionMail addresses appeared in thousands of notes each, suggesting most of this activity traces to a handful of operators rotating their infrastructure. Attack volume grew sixteenfold between 2021 and 2023, and by mid-May 2026 the annual total had already exceeded all of 2025.


What was said

The Ransomnews Research Team stated in their report that "mass database extortion is industrial, automated, mostly unpaid, and still doing enormous damage. The damage is identical whether the victim pays or not." On the per-engine rates, researchers wrote, "For these engines, exposure is not a probability of compromise. It is a compromise." The report pushed back against paying ransoms directly, stating, "Once the note appears, the data has usually already been copied or destroyed. Offline backups and shutting the exposure down remain the least bad options."


In the know

Exposed MongoDB instances have been a documented attack surface since at least 2017. According to BleepingComputer, a campaign documented in February 2026 was still actively targeting exposed MongoDB instances in automated extortion attacks, with attackers deleting data and demanding small ransoms. The continuity between the earliest wave of MongoDB extortion attacks and the 2026 activity documented in the Ransomnews study confirms that this is not a new or emerging threat; it is a persistent, automated operation that has simply continued targeting newly exposed instances as they appear.


The big picture

Healthcare organizations that use MongoDB, MySQL, or Elasticsearch for patient portals, analytics platforms, research databases, or billing systems face a concrete, documented risk if those databases are directly accessible on default ports without authentication. The numbers from this study are not probabilistic; they describe what has already happened at scale. A misconfigured database exposed during a cloud migration, a development environment left accessible after testing, or a vendor system with default settings represents near-certain compromise rather than increased risk. For covered entities, that exposure is a security failure; any breach of a database containing protected health information triggers HIPAA notification obligations, regardless of whether the attacker demanded or received a ransom. The Verizon 2026 Data Breach Investigations Report found that exploitation of vulnerabilities has now overtaken credential theft as the leading breach entry point, and misconfigured public-facing databases represent exactly that category of exploitable exposure.


FAQs

Why does it matter that most attacker wallets received zero payments if the damage still occurred?

Payment is irrelevant to whether the data was stolen or destroyed. Attackers automated the access and note-dropping process. Whether or not victims paid, their data was already copied or wiped before the ransom note appeared. The zero-payment wallets do not mean those attacks failed; they mean the attacks caused harm with no financial transaction on either side.


What makes MongoDB and MySQL particularly vulnerable to automated extortion?

Both engines are widely used and have historically been deployed with default configurations that include no authentication and direct external port exposure. Attackers scan the public internet for those default ports, find unauthenticated instances, copy or delete the data, and drop a ransom note, all in an automated script that requires no manual interaction per victim.
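A host-side check for the two default conditions just described, a listener bound to every interface and no authentication, as an added example that is not code from the report or the article: it reads a MySQL my.cnf and a MongoDB mongod.conf and flags either condition. The sample configurations are constructed. The defaults assumed when a key is absent (mongod binds to localhost and runs with authorization disabled; mysqld binds to all interfaces when bind-address is missing) are the engines' documented defaults, not figures from the study.

```python
"""Flag the two default-config conditions that make a database instance a target
for automated extortion: a listener bound to every interface and no authentication.
Added example; not code from the report or the article. Sample configs are constructed."""
import configparser
from typing import Dict, List, Tuple

# Bind values that mean "listen on every interface": IPv4 wildcard, IPv6 wildcard,
# and MySQL's '*' (also MySQL's built-in default when bind-address is absent).
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def flatten_simple_yaml(text: str) -> Dict[str, str]:
    """Flatten scalar 'key: value' lines of an indentation-based YAML file into
    dotted paths such as 'net.bindIp'. Deliberately minimal (no lists, anchors or
    multi-line scalars): the mongod.conf keys checked here are plain scalars."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # back out of mappings that ended at this indentation
        path = ".".join([k for _, k in stack] + [key.strip()])
        value = value.strip().strip("'\"")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key.strip()))  # a nested mapping follows
    return flat


def audit_mongod(text: str) -> List[str]:
    """Findings for a mongod.conf. Assumed defaults when keys are absent:
    bindIp 127.0.0.1 and authorization disabled (mongod's documented defaults)."""
    cfg = flatten_simple_yaml(text)
    findings = []
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    binds = [b.strip() for b in cfg.get("net.bindIp", "127.0.0.1").split(",")]
    if bind_all or any(b in PUBLIC_BINDS for b in binds):
        findings.append("mongod listens on all interfaces (net.bindIp / net.bindIpAll)")
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("mongod runs without authorization (security.authorization is not 'enabled')")
    return findings


def audit_mysql(text: str) -> List[str]:
    """Findings for the [mysqld] section of a my.cnf."""
    # configparser cannot read '!include' directives; they carry no settings themselves.
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section: server runs on built-in defaults (bind-address='*')"]
    d = cp["mysqld"]
    findings = []
    bind = (d.get("bind-address") or "*").strip()  # absent means '*' in MySQL 5.7/8.0
    if "skip-networking" not in d and bind in PUBLIC_BINDS:
        findings.append(f"mysqld listens on all interfaces (bind-address={bind})")
    if "skip-grant-tables" in d:
        findings.append("mysqld started with skip-grant-tables: no authentication at all")
    return findings


# Constructed samples: the "vendor default" pattern and its hardened counterpart.
SAMPLE_MONGOD_CONF = """\
# mongod.conf (constructed example)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from every interface
# no security: section at all -> authorization defaults to disabled
"""

HARDENED_MONGOD_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

SAMPLE_MY_CNF = """\
!includedir /etc/mysql/conf.d/
[mysqld]
bind-address = 0.0.0.0
skip-grant-tables
"""

if __name__ == "__main__":
    for name, audit, text in (("mongod.conf", audit_mongod, SAMPLE_MONGOD_CONF),
                              ("mongod.conf (hardened)", audit_mongod, HARDENED_MONGOD_CONF),
                              ("my.cnf", audit_mysql, SAMPLE_MY_CNF)):
        print(name, "->", audit(text) or ["no findings"])
```

Either finding alone is worth fixing, but the study's near-100% rates come from the combination: a wildcard bind puts the listener on the internet, and a disabled or bypassed authentication layer lets an unattended script read, drop, and leave a note in one connection.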


How do healthcare organizations typically end up with exposed databases?

Common paths include cloud migrations in which security group configurations are applied incorrectly, development or test environments that are never properly secured and then forgotten, vendor-managed systems deployed with default settings, and legacy infrastructure that predates modern cloud security practices. Each creates an externally accessible database that automated scanners find within hours.


Does paying the ransom recover stolen data?

Rarely. Most database extortion attacks copy or delete data before leaving a ransom note, and most attackers who do promise decryption or data return have no reliable mechanism to deliver. The Ransomnews study found that even successful ransom collections yielded a small total confirmed revenue of $753,000 across 30,515 compromised systems, suggesting most operators are not maintaining the infrastructure to honor payment commitments at scale.


What is the fastest way to assess whether an organization has exposed databases?

External attack surface scanning tools can identify database ports that are accessible from the public internet. Cloud providers also offer security assessment tools that flag publicly accessible storage and database resources. For healthcare organizations, this check should be part of the HIPAA-required risk analysis, which must account for risks to the confidentiality, integrity, and availability of electronic protected health information wherever it is stored.
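The same assessment done from the inside, against the firewall rules that create the exposure paths listed above (a security group applied incorrectly during a migration, a forgotten development group), as an added example that is not code from the article or the report. The rule records are constructed and use a simplified, security-group-like shape that is an assumption, not any provider's real API; the ports are the engines' well-known default listeners, not figures from the study.

```python
"""Flag cloud firewall rules that expose database listeners to the whole internet.
Added example, not from the article or the report. Rule records use a simplified,
security-group-like shape (an assumption, not any provider's real API)."""
import ipaddress
from typing import Dict, List

# Well-known default listeners of the engines named in the study.
DB_PORTS = {27017: "MongoDB", 3306: "MySQL", 9200: "Elasticsearch", 5601: "Kibana"}

# Constructed sample rules. Assumed shape: protocol "tcp"/"udp"/"-1" (all traffic),
# an inclusive port range, and one source CIDR per rule.
SAMPLE_RULES = [
    {"group": "sg-patient-portal", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-analytics-db", "protocol": "tcp", "from_port": 27017, "to_port": 27017, "cidr": "0.0.0.0/0"},
    {"group": "sg-billing-db", "protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.0.0/8"},
    {"group": "sg-dev-leftover", "protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "::/0"},
    {"group": "sg-search", "protocol": "tcp", "from_port": 9000, "to_port": 9300, "cidr": "203.0.113.0/24"},
]


def is_world_open(cidr: str) -> bool:
    """True when the source CIDR is the entire IPv4 or IPv6 space (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule: Dict, port: int) -> bool:
    """True when the rule admits TCP traffic to `port` (protocol -1 means all traffic)."""
    if rule["protocol"] == "-1":
        return True
    if rule["protocol"] != "tcp":
        return False  # database listeners are TCP; a UDP-only rule does not expose them
    return rule["from_port"] <= port <= rule["to_port"]


def find_exposed_db_rules(rules: List[Dict]) -> List[Dict]:
    """One finding per (rule, database port) pair reachable from any source address."""
    findings = []
    for rule in rules:
        if not is_world_open(rule["cidr"]):
            continue  # restricted source range: not the failure mode the study describes
        for port, engine in sorted(DB_PORTS.items()):
            if rule_covers_port(rule, port):
                findings.append({"group": rule["group"], "engine": engine,
                                 "port": port, "cidr": rule["cidr"]})
    return findings


if __name__ == "__main__":
    for f in find_exposed_db_rules(SAMPLE_RULES):
        print(f"{f['group']}: {f['engine']} port {f['port']} open to {f['cidr']}")
```

The check treats only a /0 source as world-open; an organization that knows its own address ranges should tighten `is_world_open` to flag any source outside them, since a database reachable from a large public range is exposed to the same automated scanners. Note that the forgotten `sg-dev-leftover` group, with an allow-all rule over IPv6, exposes all four listeners at once, which is the "development environment left accessible" path from the previous answer.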
