Quick summary
- A 5-year study tracked 65,907 exposed databases between May 2021 and May 2026; 46.3% carried a ransom or wipe note.
- Over 215 billion individual records were destroyed, exfiltrated, or held to ransom across MongoDB, MySQL, Elasticsearch and Kibana.
- 62% of attacker bitcoin wallets were never paid — the entire campaign netted just 9.78 BTC (~$753,000).
- The damage happens whether or not you pay — automated scanners wipe or copy data on contact, making exposure itself the breach.
The most striking number in cybercrime right now is not a ransom demand. It is $753,000 — the total confirmed revenue from a five-year, industrial-scale database extortion campaign that touched more than 30,000 systems and put 215 billion records at risk. A newly published study analysing exposed databases from May 2021 to May 2026 found that 62% of the bitcoin wallets used to collect ransoms received nothing at all. The economics are dismal for attackers and catastrophic for victims at the same time, and that paradox is exactly what makes this threat so dangerous to ignore.
This is not the work of a sophisticated ransomware syndicate negotiating six-figure payouts. It is the opposite: a small number of operators running recycled note templates and automated scanning scripts against anything left open to the internet. Understanding how this economy actually works — and why low payment rates do not mean low risk — is now essential for any organisation that runs a database it cannot see.
What the database ransom economy is
The database ransom economy is an automated, high-volume form of extortion in which attackers scan the internet for misconfigured databases, wipe or exfiltrate their contents, and leave a short note demanding a small cryptocurrency payment for return of the data. Unlike targeted ransomware, it requires almost no skill and no negotiation — the entire process is scripted.
The five-year study tracked 65,907 exposed systems across MongoDB, MySQL, Elasticsearch, Kibana and HTTP-based admin panels. Of those, 30,515 (46.3%) carried a ransom or wipe note. The compromise rates per platform are extraordinary:
| Platform | Exposed instances | Carried a ransom/wipe note | Compromise rate |
|---|---|---|---|
| MySQL | 2,931 | 2,930 | 99.97% |
| MongoDB | 3,532 | 3,525 | 99.8% |
| Elasticsearch | 6,185 | 6,055 | 97.9% |
| Kibana | 3,821 | 3,739 | 97.9% |
| HTTP admin panels | — | — | ~26% |
In practice, if a database of these types is reachable from the open internet, it is not a question of whether it will be found — it is a question of how many times.
The volume of data involved is hard to overstate. More than 215 billion individual records were destroyed, exfiltrated, or held for ransom over the study period — names, credentials, transaction logs, health records and everything else organisations leave in unprotected stores.
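The attack chain above leaves recognisable artefacts behind: a database, collection or index whose name is the note itself, and a note body naming a wallet and an amount. As an added example (not code from the study or from this page), the Python below takes the names an instance lists and classifies it as clean, marked (a note sits beside surviving data) or wiped (only notes remain), then pulls the wallet, demanded amount and contact out of a note body so the wallet can be checked for payment history. The name patterns are assumptions drawn from the note-family names on this page plus the publicly documented Meow behaviour of renaming stores to a random string ending in "-meow"; they are not an exhaustive signature set, and the listings and note text are constructed.

```python
"""Triage an exposed instance for the ransom-note artefacts described above.

classify_instance() takes the names an instance reports (MongoDB listDatabases /
listCollections, Elasticsearch _cat/indices) and returns "clean", "marked"
(a note sits beside surviving data) or "wiped" (only notes remain).
parse_note() extracts wallet, amount and contact from a note body.
Patterns are assumed from the note-family names on this page plus the public
Meow wiper behaviour (names ending in "-meow"); not a full signature set.
"""
import re

SYSTEM_NAMES = {"admin", "config", "local"}   # MongoDB housekeeping databases, never user data

NOTE_PATTERNS = [
    re.compile(r"read[_\- ]*me[_\- ]*to[_\- ]*recover", re.I),  # "read_me_to_recover" family
    re.compile(r"btc[_\- ]*ransom[_\- ]*note", re.I),           # "btc_ransom_note" family
    re.compile(r"-meow$", re.I),                                # Meow-style wiper rename (assumed)
]
# Legacy base58 and bech32 (bc1...) address shapes; shape only, no checksum validation.
BTC_ADDRESS = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
BTC_AMOUNT = re.compile(r"(\d+(?:\.\d+)?)\s*BTC\b", re.I)
CONTACT_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_note_name(name: str) -> bool:
    """True if a database/collection/index name matches one of the note templates."""
    return any(p.search(name) for p in NOTE_PATTERNS)


def classify_instance(names):
    """Classify one instance from the list of names it reports."""
    # Drop housekeeping and dot-prefixed system names so an instance that holds
    # nothing but a note is not mistaken for "marked" (data still present).
    data = [n for n in names if n not in SYSTEM_NAMES and not n.startswith(".")]
    notes = [n for n in data if is_note_name(n)]
    if not notes:
        return "clean"
    return "wiped" if len(notes) == len(data) else "marked"


def parse_note(text: str) -> dict:
    """Extract wallet, amount and contact from a note body; absent fields are None."""
    addr = BTC_ADDRESS.search(text)
    amount = BTC_AMOUNT.search(text)
    contact = CONTACT_EMAIL.search(text)
    return {
        "btc_address": addr.group(0) if addr else None,
        "amount_btc": float(amount.group(1)) if amount else None,
        "contact": contact.group(0) if contact else None,
    }


# Constructed listings and note body for this example; not captured from any real instance.
LISTINGS = {
    "mongo-clean": ["admin", "config", "local", "orders", "users"],
    "mongo-wiped": ["admin", "config", "local", "READ__ME_TO_RECOVER_YOUR_DATA"],
    "es-marked": [".kibana_1", "customers", "orders", "btc_ransom_note"],
    "mongo-meow": ["admin", "local", "gh7s9d-meow", "k2j4h5-meow"],
}
SAMPLE_WALLET = "bc1q" + "example" * 5   # constructed, syntactically plausible, not a real wallet
SAMPLE_NOTE = (
    "All your data is backed up. You must pay 0.01 BTC to " + SAMPLE_WALLET +
    " within 48 hours, or it will be deleted. Contact: recover@example.com"
)

if __name__ == "__main__":
    for label, names in LISTINGS.items():
        print(f"{label}: {classify_instance(names)}")
    print(parse_note(SAMPLE_NOTE))
```

The classification matters for response: a "marked" instance still holds data that may have been copied, so it needs the credential rotation and notification steps below, while a "wiped" instance moves straight to restore-from-backup. The extracted wallet is what lets a defender check on-chain whether anyone has paid, which is exactly how the study arrived at its 62% figure.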
The economics: industrial scale, almost no payout
The defining feature of database extortion is the ratio of reach to revenue: enormous reach, tiny income. Across 514 distinct attacker bitcoin wallets, the study traced just 9.78 BTC in confirmed payments, roughly $753,000 at a bitcoin price of $76,992. Of the 512 wallets that could be checked on-chain, 318 showed no transaction history at all, which works out to 62% of ransom wallets never being paid.
What revenue did exist was heavily concentrated, following the same power-law distribution seen across most cybercrime markets — a handful of campaigns captured almost everything while a long tail earned essentially nothing:
| Wallet cohort | Share of all confirmed revenue |
|---|---|
| Single top wallet | 9.1% |
| Top 10 wallets | 43% |
| Top 50 wallets | 82.8% |
| Remaining ~464 wallets | 17.2% |
The demands themselves were trivially small and mechanically consistent. One wallet alone appeared in 1,283 separate ransom notes spanning 1,234 victim IP addresses across 49 countries, each demanding the same 0.01 BTC — and it ran that single playbook unchanged from October 2023 to May 2026. This is not negotiation. It is a vending machine.
The note families reveal the automation
The ransom notes were generated from a small library of reused templates. Researchers extracted around 2,100 distinct contact email addresses, but the notes clustered into a few dominant families:
| Note family / artefact | Systems affected |
|---|---|
| "read_me_to_recover" template | 17,908 |
| "btc_ransom_note" template | 14,714 |
| Single Tutanota contact address | 1,374 notes |
| Single OnionMail contact address | 1,045 notes |
| Meow-style wiper notes | 53 |
The repetition is the tell: these are mass campaigns, not bespoke attacks.
Outright destructive wiper notes of the Meow type were comparatively rare, as the table shows, but that is cold comfort. The ransom-note campaigns also delete or copy the data on contact; the note merely attaches a demand to a loss that has already happened.
Why low payment rates do not mean low risk
The most dangerous misreading of this data is to treat a 62% non-payment rate as a sign the threat is fading. The damage is inflicted at the moment of compromise, not at the moment of payment. By the time a victim sees a ransom note, the data has already been wiped, copied, or both — paying merely gambles on whether a faceless script-runner will honour a 0.01 BTC transaction. Many do not even bother to respond.
This pattern mirrors the broader ransomware market, where refusal to pay has become the norm. Chainalysis recorded $813.55 million in ransomware payments in 2024, down roughly 35% from 2023's record $1.25 billion, and Coveware reported the share of victims who pay fell to an all-time low of around 25% by late 2024. Yet attack volume keeps climbing — 2025 saw more than 7,500 organisations named on public leak sites, up from roughly 4,750 in 2024. Attackers are earning less per victim and simply compromising more victims to compensate.
And the cost of a breach is never just the ransom. Independent analyses put the total economic harm at roughly $70 of downtime, recovery, legal exposure, regulatory fines and reputational damage for every $1 paid in ransom, with the average ransomware-related breach costing organisations around $5.08 million. For exposed-database victims who never pay a cent, that entire cost still lands — minus only the ransom line item.
Where the exposure concentrates
Exposed databases are not evenly distributed; they cluster wherever cloud adoption outpaces security governance. The study's geographic breakdown shows the top two countries accounting for just over half of all ransom-marked databases (16,068 of 30,515):
| Rank | Country | Ransom-marked databases |
|---|---|---|
| 1 | China | 11,874 |
| 2 | United States | 4,194 |
| 3–10 | Germany, France, India, Singapore, South Korea, Russia, Hong Kong, Canada | (remainder) |
These are the regions with the densest concentrations of cloud-hosted, internet-reachable data stores spun up faster than security teams can inventory them.
The growth curve tells its own story — a sharp climb, a deceptive plateau, then a fresh surge:
| Year | Ransom-marked databases |
|---|---|
| 2021 | 31 |
| 2023 | 496 (a 16-fold increase) |
| 2024–2025 | growth flattened |
| 2026 (through May) | already exceeded the full 2025 total |
The plateau was a pause, not a peak.
What organisations should do this week
Defending against automated database extortion is not about negotiation strategy — it is about ensuring no database is reachable in the first place, and knowing the moment one becomes exposed.
1. Inventory every internet-facing data store
You cannot protect a database you do not know exists. The systems in this study were overwhelmingly forgotten test instances, shadow-IT deployments, and cloud databases stood up without security review. Continuous external attack surface management (EASM) — the discipline of mapping every asset an attacker can reach from the public internet — is the single highest-leverage control here. AI-powered scanning platforms such as RavenEye attack surface monitoring find exposed databases the same way the attackers' scripts do, only first.
2. Close the default-open configurations
Older MongoDB and Elasticsearch releases shipped with no authentication and were routinely deployed with a listener bound to every interface. Current releases are better (MongoDB binds to localhost by default, and Elasticsearch 8 enables security out of the box), but container images, cloud templates and hand-edited configs still override those defaults; MySQL still defaults to listening on all interfaces, and a Kibana instance exposes whatever its Elasticsearch cluster allows. This is the same class of misconfiguration behind earlier mass incidents we examined in our breakdown of MongoBleed exploitation. Bind every database to a private interface, require authentication, and never expose an admin panel directly to the internet. The near-total compromise rates above exist precisely because these settings are still being missed.
3. Assume exposure equals breach
Because automated scanners act on contact, treat any internet-exposed database as already compromised. That means rotating every credential the database held or could reach, assessing which records were reachable, and meeting your breach-notification obligations (the GDPR's 72-hour notification window and NIS2's 24-hour early warning both run from the moment you become aware of the incident) rather than waiting to see whether a ransom note appears. The regulatory clock starts when you discover the exposure, not when the extortion begins.
4. Give researchers a way to warn you
Many exposed databases are first spotted by security researchers, not criminals — but only if those researchers have a safe, legal channel to report what they find. A Vulnerability Disclosure Programme (VDP) provides exactly that, turning a stranger's discovery of your open database into a quiet fix rather than a public incident. A managed Vulnerability Disclosure Programme is also increasingly an expectation under NIS2 for demonstrating security maturity. For the full case, see our explainer on why a VDP is no longer optional in 2026.
5. Back up offline and test restoration
Since the realistic outcome of a database compromise is deletion, not recoverable encryption, immutable offline backups are your actual recovery plan. A backup that sits on the same host, in the same cloud account, or behind the same credentials as the exposed database will be wiped with it. Test restoration regularly; the time to discover a backup is incomplete is not during an incident. This is the same lesson reinforced by every modern extortion campaign, from database wipers to the targeted operators we covered in our analysis of AI-discovered zero-days.
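Steps 1 and 2 above come down to two questions a practitioner can answer on a host before any scanner does: which database ports are listening on every interface, and which config files still carry the default-open settings. The Python below is an added example, not tooling from the page or from any of the products it names. It parses `ss -ltn` output for wildcard-bound database ports and audits mongod.conf, elasticsearch.yml and my.cnf text for the weak settings named above, with a weak and a hardened sample of each. The samples are constructed; the port list, the treatment of absent keys (mongod defaults to localhost, Elasticsearch to loopback, MySQL to every interface) and the assumption that nothing is overridden on the command line are all stated in the code.

```python
"""Host-side checks for the default-open database settings in steps 1 and 2 above.

exposed_listeners() parses `ss -ltn` output and reports database ports bound to
every interface; audit_config() parses mongod.conf, elasticsearch.yml or my.cnf
text and reports settings that leave the service reachable without credentials.
Command-line overrides (mongod --auth, --bind_ip, etc.) are not visible here.
All sample inputs are constructed for this example.
"""
import configparser
import re

DB_PORTS = {27017: "mongodb", 3306: "mysql", 9200: "elasticsearch", 5601: "kibana"}
WILDCARDS = {"0.0.0.0", "*", "[::]", "::", "_global_"}   # "every interface" spellings


def exposed_listeners(ss_output: str):
    """Return (service, port, bind_address) for database ports listening on all interfaces."""
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":        # skips the header line
            continue
        addr, _, port = parts[3].rpartition(":")         # "[::]:3306" -> ("[::]", ":", "3306")
        if port.isdigit() and int(port) in DB_PORTS and addr in WILDCARDS:
            hits.append((DB_PORTS[int(port)], int(port), addr))
    return hits


def _yaml_scalar(text: str, key: str):
    """Read one scalar from a simple YAML file without a YAML library (None if absent)."""
    m = re.search(rf"^\s*{re.escape(key)}\s*:\s*([^#\n]+)", text, re.MULTILINE)
    return m.group(1).strip().strip("'\"[]") if m else None


def audit_config(kind: str, text: str):
    """Return findings for a mongod, elasticsearch or mysql config; empty list means no default-open setting."""
    findings = []
    if kind == "mongod":
        bind = _yaml_scalar(text, "bindIp") or "127.0.0.1"   # mongod 3.6+ defaults to localhost
        if _yaml_scalar(text, "bindIpAll") == "true" or WILDCARDS & set(bind.split(",")):
            findings.append(f"mongod listens on every interface (bindIp={bind})")
        if _yaml_scalar(text, "authorization") != "enabled":
            findings.append("security.authorization is not enabled: clients need no credentials")
    elif kind == "elasticsearch":
        host = _yaml_scalar(text, "network.host") or "_local_"   # default binds loopback only
        if WILDCARDS & {h.strip() for h in host.split(",")}:
            findings.append(f"elasticsearch listens on every interface (network.host={host})")
        if _yaml_scalar(text, "xpack.security.enabled") == "false":
            findings.append("xpack.security.enabled is false: REST API accepts unauthenticated requests")
    elif kind == "mysql":
        cfg = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
        cfg.read_string("\n".join(l for l in text.splitlines() if not l.startswith("!")))
        mysqld = cfg["mysqld"] if cfg.has_section("mysqld") else {}
        if "skip-networking" in mysqld:
            return findings                                   # no TCP listener at all
        bind = mysqld.get("bind-address", "*")                # MySQL defaults to every interface
        if bind in WILDCARDS:
            findings.append(f"mysqld listens on every interface (bind-address={bind})")
    else:
        raise ValueError(f"unknown config kind: {kind}")
    return findings


# Constructed `ss -ltn` output: only 9200 and 3306 are bound to every interface.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:27017     0.0.0.0:*
LISTEN 0      4096   *:9200              *:*
LISTEN 0      4096   [::]:3306           [::]:*
"""
# Constructed config pairs: the weak setting beside its corrected form.
WEAK = {
    "mongod": "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n",
    "elasticsearch": "network.host: 0.0.0.0\nxpack.security.enabled: false\n",
    "mysql": "[mysqld]\nbind-address = 0.0.0.0\n",
}
HARDENED = {
    "mongod": "net:\n  bindIp: 127.0.0.1,10.0.0.5\nsecurity:\n  authorization: enabled\n",
    "elasticsearch": "network.host: 10.0.0.5\nxpack.security.enabled: true\n",
    "mysql": "[mysqld]\nbind-address = 127.0.0.1\nskip-networking\n",
}

if __name__ == "__main__":
    print("listening on every interface:", exposed_listeners(SS_SAMPLE))
    for kind in WEAK:
        print(f"{kind} weak:    ", audit_config(kind, WEAK[kind]))
        print(f"{kind} hardened:", audit_config(kind, HARDENED[kind]))
```

Two caveats worth keeping in mind when running this for real. A config file that is silent on a setting is still a finding where the product's own default is open (MySQL's `bind-address`, mongod's `authorization`), which is why the audit treats absence as the default rather than as "not configured". And a clean host-side result says nothing about what a cloud security group or load balancer publishes, so the listener check complements external attack surface scanning rather than replacing it.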
Key Takeaways
- Exposure is the breach — automated scanners wipe or steal data on contact, so a database reachable from the internet should be treated as already compromised.
- Low payment rates hide high damage — 62% of ransom wallets went unpaid, yet 215 billion records were still destroyed or stolen.
- The economy is industrial, not artisanal — recycled templates, 0.01 BTC demands and automated scanning let a few operators hit 30,000+ systems.
- Visibility is the only defence that scales — continuous attack surface management finds exposed databases before the attackers' scripts do.
- A disclosure channel turns finders into allies — a VDP lets researchers report an open database before it becomes a headline.
FAQ
What is database ransom or "database extortion"?
Database ransom is an automated attack in which criminals scan the internet for misconfigured databases, wipe or copy their contents, and leave a note demanding a small cryptocurrency payment for the data's return. It differs from targeted ransomware in that it is fully scripted and requires no negotiation.
How much money does the database ransom economy actually make?
Very little relative to its reach. A five-year study traced just 9.78 BTC — roughly $753,000 — across 514 attacker wallets, with 62% of those wallets receiving no payment at all. The revenue was highly concentrated, with the top 50 wallets collecting 82.8% of the total.
If most victims do not pay, why is this dangerous?
Because the damage is done before any ransom note is read. Automated scanners delete or exfiltrate data on contact, so the breach — and its regulatory, legal and reputational costs — occurs whether or not a payment is ever made. Independent estimates put total harm at around $70 for every $1 paid.
Which databases are most at risk?
Databases that are reachable from the public internet without authentication, particularly MongoDB, MySQL, Elasticsearch and Kibana. In the study, over 97% of exposed instances of these platforms had been compromised, and the overlapping note-family counts show many carried notes from more than one campaign.
How do I find out if I have an exposed database?
Use continuous external attack surface management to map every internet-facing asset your organisation runs, and operate a Vulnerability Disclosure Programme so that researchers who spot an exposure can report it to you safely. Together they surface forgotten and shadow-IT databases before attackers do.
Exposed databases are found by whoever scans first. See how RavenEye continuously maps your external attack surface to catch open data stores before the bots do — and pair it with a managed Vulnerability Disclosure Programme so researchers can warn you the moment something slips through.
Sources
- Ransomnews — 62% of database ransom wallets were never paid (primary source): https://ransomnews.com/database-ransom-economics-2026/
- Security Affairs — The Hidden Ransomware Economy Running on Exposed Databases: https://securityaffairs.com/192711/cyber-crime/the-hidden-ransomware-economy-running-on-exposed-databases.html
- SC Media — Mass database extortion causes significant damage despite low payment rates: https://www.scworld.com/brief/mass-database-extortion-causes-significant-damage-despite-low-payment-rates
- Chainalysis — Crypto Crime: Ransomware Victim Extortion 2024/2025: https://www.chainalysis.com/blog/crypto-crime-ransomware-victim-extortion-2025/
- SecurityWeek — Ransomware Payments Dropped to $813 Million in 2024: https://www.securityweek.com/ransomware-payments-dropped-to-813-million-in-2024/
- Coveware via The Register — Ransomware recovery payments fell in 2024: https://www.theregister.com/2025/02/07/ransomware_costs_analysis/