Saved February 14, 2026
Do you care about this?
Threat actors are exploiting exposed MongoDB servers, demanding ransoms around $500 in Bitcoin to restore compromised data. A recent study found over 208,500 public MongoDB instances, with many already wiped and ransom notes left behind. Security experts recommend stronger authentication and regular updates to prevent these attacks.
If you do, here's more
Threat actors are currently targeting exposed MongoDB instances through automated data extortion attacks, asking for ransoms of around $500 in Bitcoin to restore compromised databases. These attacks primarily exploit databases that are misconfigured, allowing unauthorized access. Recent data shows about 1,400 servers have been hit, with attackers sometimes wiping databases without any ransom demand. A pentesting exercise by Flare found over 208,500 publicly exposed MongoDB servers, revealing that 3,100 of these can be accessed without authentication. Alarmingly, nearly half of those with unrestricted access had already been compromised.
The ransom notes from these incidents typically demand payment of 0.005 BTC, roughly $500-600 at the time. A worrying trend is that only five distinct wallet addresses were used, with one address appearing in about 98% of the ransom notes. Flare speculates that some exposed instances may not have been attacked yet because their owners might have already paid a ransom. This points to systematic targeting of vulnerable databases rather than opportunistic one-off attacks.
In addition to the lack of proper authentication, nearly 95,000 of the exposed MongoDB servers are running outdated versions that are susceptible to known vulnerabilities. While most of these vulnerabilities may only enable denial-of-service attacks, they still pose a significant risk. Flare recommends that MongoDB administrators secure their databases by limiting public exposure, implementing strong authentication, and enforcing firewall and network policies. Regularly updating to the latest MongoDB version and monitoring for unauthorized access are also crucial in mitigating these risks.
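The two misconfigurations the article describes (a server listening on a public interface and access control left off) can be spotted directly in a mongod.conf. The following audit script is an added example, not code from Flare or from the article; it takes the configuration in the nested-dict shape that `yaml.safe_load` returns for a mongod.conf (which is YAML), and it assumes the documented mongod defaults: `net.bindIp` defaults to loopback only (since MongoDB 3.6) and `security.authorization` defaults to `disabled`. The `WEAK_CONFIG` and `HARDENED_CONFIG` dicts are constructed samples showing the exposed setting beside the corrected one.

```python
"""Audit a parsed mongod.conf for the exposure pattern behind the MongoDB ransom wave.

Added example (not the article's or Flare's code). Input is the dict produced by
yaml.safe_load() on a mongod.conf; the two sample configs below are constructed.
"""
from ipaddress import ip_address

# Constructed sample: the exposed configuration seen in these incidents.
WEAK_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no "security" section: mongod's default is authorization disabled
}

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1"},
    "security": {"authorization": "enabled"},
}


def bind_addresses(cfg):
    """Return the list of addresses mongod would listen on for this config."""
    net = cfg.get("net", {})
    if net.get("bindIpAll"):
        return ["0.0.0.0"]  # bindIpAll: true overrides bindIp
    # Assumption documented above: absent bindIp means loopback only (default since 3.6).
    raw = net.get("bindIp", "127.0.0.1")
    return [a.strip() for a in str(raw).split(",") if a.strip()]


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the literal 'localhost'."""
    if addr == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        # Hostnames and unix socket paths: treat as reachable, i.e. not loopback.
        return False


def audit_mongod_config(cfg):
    """Return a list of findings; an empty list means neither exposure condition is present."""
    findings = []
    exposed = [a for a in bind_addresses(cfg) if not is_loopback(a)]
    if exposed:
        findings.append(
            "net.bindIp listens on non-loopback address(es): " + ", ".join(exposed)
        )
    # Assumption documented above: authorization is disabled unless explicitly enabled.
    auth = cfg.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port gets full read/write access"
        )
    if exposed and auth != "enabled":
        findings.append(
            "CRITICAL: reachable from the network AND no authentication; this is "
            "the condition the automated data-extortion scans look for"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit_mongod_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Running the script against the weak sample yields three findings (public bind address, authorization off, and the combined critical condition); the hardened sample yields none. Note that an empty `mongod.conf`, or one with no `security` section at all, still produces the authorization finding, which is exactly the state most of the wiped servers in the article were in.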