The Hidden Ransomware Economy Running on Exposed Databases
A 5-year study on the Ransomware Economy found that 30,515 exposed databases were hit by ransom attacks, causing massive damage despite victims never paying. Database extortion doesn’t look like the ransomware stories that usually grab headlines. There’s no slick branding, no leak-site countdown, no gang posting memes on Telegram. In most cases, there’s just a […]
Database extortion doesn’t look like the ransomware stories that usually grab headlines. There’s no slick branding, no leak-site countdown, no gang posting memes on Telegram. In most cases, there’s just a text file sitting inside a live database telling the victim to send bitcoin for data that’s already been copied, deleted, or both.
The Ransomnews Research Team spent five years tracking exposed databases on the public internet, from May 2021 through 13 May 2026. The dataset covers 65,907 exposed systems across MongoDB, MySQL, Elasticsearch, Kibana, and a long list of HTTP-based admin panels. Of those, 30,515 databases, or 46.3%, already carried a ransom or wipe note when researchers found them.
Related breach coverage
- 19.6 Billion Files Are Sitting Open on the Internet. No Password Required2026-05-28
19.6 Billion files are exposed in misconfigured cloud buckets, including 685K credential files and nearly 1M database dumps. There’s a comfortable myth most people carry around: that the data they hand to companies is locked somewhere safe. Researchers at Mysterium VPN just ran the numbers, and the numbers disagree. Across 535,480 publicly listable cloud storage […]
- Why pure extortion is replacing traditional ransomware2026-05-23
Ransomware gangs are shifting from encryption to pure extortion, focusing on stolen data, reputational pressure, and stealthier attacks. Ransomware groups are quietly changing strategy in 2026. Instead of encrypting systems and causing immediate disruption, many attackers are now focusing on pure extortion: stealing sensitive data and threatening to leak it publicly if victims refuse to […]
- Grafana confirms GitHub token breach cybercrime group claims the attack2026-05-18
Grafana confirmed a GitHub token breach that exposed source code, but said no customer data or systems were affected. Grafana Labs confirmed a security incident after the extortion group Coinbase Cartel listed it on a leak site and claimed data theft on May 15. The breach was triggered by a compromised token that gave attackers […]
- NGINX Rift: an 18-year-old flaw in the world’s most deployed web server just came to light2026-05-14
Researchers found a critical 18-year-old buffer overflow flaw in NGINX, tracked as CVE-2026-42945 and named NGINX Rift. If you run NGINX, and statistically speaking, there is a very good chance you do, this week brought news worth stopping for. Security researchers at depthfirst disclosed a critical heap buffer overflow vulnerability in both NGINX Plus and […]