Enfilade: Detecting Ransomware Infections in MongoDB

Aditya K Sood
2 min readAug 4, 2021

Challenge: Increase in Ransomware infections in MongoDB instances

As part of ongoing research, let’s quickly look into a snippet of live MongoDB ransomware infections. The list is not exhaustive but gives you an insight into the problem.

Attackers are targeting MongoDB instances for conducting nefarious operations on the Internet. The cybercriminals are targeting exposed MongoDB instances and trigger infections at scale to exfiltrate data, destruct data, and extort money via ransom. For example one of the significant threats MongoDB deployments is facing is ransomware. During this talk, we will release a tool named “ENFILADE” to detect potential infections in MongoDB instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected MongoDB instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.

Enfilade tool is available at: https://github.com/adityaks/enfilade

Check the tool slides below:

Enfilade Overview

Note: This is the first release of the tool and we expect to add more modules in the nearby future. This work is done in collaboration with the Research Team at the Office of the CTO, F5 (https://www.f5.com/company/octo)