KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

MRIT – MongoDB Ransom Investigation Tool released on GitHub

I have written a simple multithreaded application that consumes Shodan exports of open MongoDB instances and reports on ransom demands found in them.  This tool is on GitHub and is released for free use.  The only caveat is that you may not modify it to cause harm.

I will keep the list of known ransom demand schemas updated as I find them.  So far most of the early actors' demands have been overwritten, and the active ransom demands out there come from one of 21 people.  The schemas for those 21 people (10 variations on actual schemas) are included in the MS SQL script used to create the tables and stored procedures consumed by Mongoloid.

How do I set up MRIT?

  1. Download the source code from GitHub here: https://github.com/Kalypto/MRIT
  2. Compile it in Visual Studio (or your compatible IDE of choice).
  3. Set up a SQL database using the included script.
  4. Update the connection string to reflect your SQL server and SQL credentials.

How do I use MRIT?

  1. Once you have obtained a Shodan export for your organization (org:"Company Name"), open Mongoloid.
  2. Choose the radio button for the export type you obtained: JSON or CSV.  I recommend JSON.
  3. Click “Import”
  4. Once the import is completed, you can proceed with the “Find Ransom Demands” step.  Set the number of concurrent threads you want crawling (default is 10).
  5. Then, all you have to do is click the “Find Ransoms” button.
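The import-then-crawl flow above, as an added offline example that is not MRIT's own code: it parses a constructed newline-delimited Shodan JSON export (only the `ip_str`, `port` and `product` fields are read), then uses a thread pool to fetch each MongoDB host's database/collection listing and match it against a small table of ransom-demand schemas. The two schema entries, the sample export and the stand-in host listings are all constructed for illustration, not MRIT's real schema table; the `live_listing` fetcher that would talk to a real host assumes pymongo and is not exercised by the demo.

```python
"""Offline sketch of the MRIT workflow: parse a Shodan JSON export, then
crawl each MongoDB host for known ransom-demand schemas with a thread pool."""
import json
from concurrent.futures import ThreadPoolExecutor

# Constructed sample of a Shodan JSON export (newline-delimited JSON, one banner
# per line). Only the fields this example reads are included; real exports carry
# many more. The IPs are documentation-range addresses, not real hosts.
SHODAN_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 27017, "product": "MongoDB", "org": "Example Corp"}
{"ip_str": "203.0.113.11", "port": 27017, "product": "MongoDB", "org": "Example Corp"}
{"ip_str": "203.0.113.12", "port": 443, "product": "nginx", "org": "Example Corp"}
{"ip_str": "203.0.113.13", "port": 27018, "product": "MongoDB", "org": "Example Corp"}
"""

# Illustrative ransom schemas (constructed for this example, not MRIT's table):
# each names the database/collection an actor drops in and the fields the
# demand document must carry. A match requires every listed field to be present.
RANSOM_SCHEMAS = [
    {"name": "warning-readme", "db": "WARNING", "coll": "README",
     "fields": {"BitCoin", "eMail", "Solution"}},
    {"name": "please-read", "db": "PLEASE_READ", "coll": "README",
     "fields": {"BTC_WALLET", "EMAIL"}},
]


def parse_shodan_export(text):
    """Return [(ip, port), ...] for every MongoDB banner in a newline-delimited
    JSON export. Blank and malformed lines are skipped instead of aborting."""
    targets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            banner = json.loads(line)
        except json.JSONDecodeError:
            continue
        if banner.get("product", "").lower() != "mongodb":
            continue
        targets.append((banner["ip_str"], int(banner["port"])))
    return targets


def match_ransom_schemas(listing):
    """listing: {db_name: {coll_name: sample_document}} as produced by a fetcher.
    Returns the names of every schema the listing satisfies."""
    hits = []
    for schema in RANSOM_SCHEMAS:
        doc = listing.get(schema["db"], {}).get(schema["coll"])
        if doc is not None and schema["fields"] <= set(doc):
            hits.append(schema["name"])
    return hits


def crawl(targets, fetch_listing, threads=10):
    """Fetch each target's listing concurrently and report ransom hits as
    (ip, port, hits); hits is None when the host could not be listed.
    fetch_listing(ip, port) -> listing dict, raising on connection failure."""
    def worker(target):
        ip, port = target
        try:
            listing = fetch_listing(ip, port)
        except Exception:  # unreachable, auth required, timeout
            listing = None
        return ip, port, (None if listing is None else match_ransom_schemas(listing))

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(worker, targets))


def live_listing(ip, port, timeout_ms=3000):
    """Fetcher for a live host (assumes pymongo; not used by the offline demo).
    One sample document per collection is enough to match a ransom schema."""
    from pymongo import MongoClient
    client = MongoClient(ip, port, serverSelectionTimeoutMS=timeout_ms)
    listing = {}
    for db in client.list_database_names():
        listing[db] = {c: client[db][c].find_one() or {}
                       for c in client[db].list_collection_names()}
    return listing


# Constructed listings standing in for live hosts in the offline demo.
FAKE_HOSTS = {
    ("203.0.113.10", 27017): {"WARNING": {"README": {
        "_id": 1, "BitCoin": "1ExampleWallet", "eMail": "actor@example.net", "Solution": "pay"}}},
    ("203.0.113.11", 27017): {"app": {"users": {"_id": 1, "name": "alice"}}},
}


def fake_listing(ip, port):
    """Stand-in for live_listing: unknown hosts are treated as unreachable."""
    if (ip, port) not in FAKE_HOSTS:
        raise ConnectionError("unreachable")
    return FAKE_HOSTS[(ip, port)]


if __name__ == "__main__":
    for ip, port, hits in crawl(parse_shodan_export(SHODAN_EXPORT), fake_listing, threads=4):
        print(ip, port, "unreachable" if hits is None else (hits or "clean"))
```

Matching on the presence of the schema's field names rather than on the demand text keeps a hit stable when an actor changes the wallet or wording; requiring all fields, not any, avoids flagging a legitimate collection that happens to share one field name. Swapping `fake_listing` for `live_listing` turns the demo into a real crawler, and the thread count plays the same role as MRIT's concurrent-threads setting.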

Reporting on results can currently be completed using SQL Server Management Studio, Excel, or whatever DB connection software you want to use.  I will be adding a built-in result viewer, but have not had time yet.  I will also be adding a ransom schema management feature in the near future.

If you have any questions or issues, please contact me on Twitter @KalyptoNet or submit an issue on GitHub.


Kalypto • January 18, 2017

