IMPORTANT NOTICE: Ransomware Attacks Observed Related to Default MongoDB, Elasticsearch, Hadoop, and CouchDB Configurations

Former Member

Several sources have recently released reports of ransomware attacks affecting MongoDB, Elasticsearch, Hadoop, and CouchDB instances. The attacks target instances of these platforms that are open to the Internet and use default configurations.

Vendor Announcements:

External Articles:

How Can I Tell If I've Been Affected?

Potential Indicators: 

  • Missing data indices (Elasticsearch)
  • A newly created warning index asking for bitcoins to be sent to a particular location (Elasticsearch)
  • The addition of a collection called "bitcoin" (MongoDB)
  • Missing directories (Hadoop)
  • Wiped data (CouchDB)
  • Ransom demand left in place (CouchDB)

Recommendation

Regardless of which hosting provider you use, we strongly suggest that you follow security best practices to reduce your attack surface for MongoDB, Elasticsearch, Hadoop, and CouchDB. In addition, we recommend that customers regularly review all public-facing services and either reduce their network exposure or harden the applicable configuration. 
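
One way to start the review of public-facing services recommended above is to check which of these data stores listen on anything other than loopback. The script below is an added example, not part of the original notice: it parses `ss -ltn` output, and the port numbers are the products' well-known defaults (an assumption, since the notice does not list them) while the sample listing is constructed.

```python
import ipaddress

# Well-known default ports (assumed; not listed in the notice itself).
DEFAULT_PORTS = {
    27017: "MongoDB",
    9200: "Elasticsearch HTTP",
    5984: "CouchDB",
    50070: "Hadoop NameNode web UI (2.x)",
    8020: "Hadoop NameNode RPC",
}

# Constructed sample of `ss -ltnH` output, not taken from a real host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:27017 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9200 0.0.0.0:*
LISTEN 0 128 [::]:5984 [::]:*
LISTEN 0 128 10.0.0.5:50070 0.0.0.0:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 [::1]:8020 [::]:*
"""

def split_addr(local):
    """Split an ss 'Local Address:Port' field into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def exposure(host):
    """Classify a bind address by how widely it is reachable."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"

def audit(ss_output):
    """Return (service, port, host, scope) for non-loopback default listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        host, port = split_addr(fields[3])
        scope = exposure(host)
        if port in DEFAULT_PORTS and scope != "loopback":
            findings.append((DEFAULT_PORTS[port], port, host, scope))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print("%s on port %d bound to %s (%s)" % finding)
```

On a live host, pass the output of `ss -ltn` to `audit()`. A listener reported as private or all-interfaces still needs a firewall or security-group review to decide whether it is reachable from the Internet.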

Vendor Sources:

External Sources:

Additional Sources: