30,515 Exposed Databases Reveal Ransomware’s Underground Economy

Written by Maria-Diandra Opre | Jun 25, 2026 12:00:00 PM

Ransomware usually gets attention when a major company is hit, systems freeze, data appears on a leak site, and executives face a public crisis. But the reality is that one of the largest ransomware economies operates with far less theatre, living in exposed databases, automated scans, recycled ransom notes, and small bitcoin demands dropped into live systems at industrial speed.

The Overlooked Side of the Ransomware Economy

A five-year study by the Ransomnews Research Team (2026) demonstrates the scale of this market. Between May 2021 and 13 May 2026, researchers tracked 65,907 exposed systems across MongoDB, MySQL, Elasticsearch, Kibana, and HTTP-based admin panels. They found ransom or wipe notes inside 30,515 of them, equal to 46.3% of the exposed databases reviewed.

Based on pre-attack row counts, the compromised databases contained more than 215 billion records. Some were copied. Some were deleted. Some were used as leverage. In many cases, victims appear to have paid nothing, yet the harm had already happened by the time the ransom note appeared. Payment is only one part of the story. The real failure begins earlier, when a database engine is left exposed to the public internet, and automated attackers find it before defenders do:

“Database extortion is the most consistently overlooked corner of the ransomware economy because it does not have a brand. There is no leak-site countdown, no encrypted-files spectacle, no PR-friendly group name,” according to the study. “There is only a small text file dropped into the database itself, demanding a few thousandths of a bitcoin to restore the data the attacker has already taken or deleted.”

The Ransomware Business Model

Attackers run low-cost, high-volume campaigns: they scan for exposed systems, enter where authentication is weak or absent, drop a ransom note, reuse a wallet, reuse an email, and move on. The work is repetitive, cheap, and effective enough to persist for years.

Researchers extracted every bitcoin address they found in the ransom notes and identified 514 distinct attacker wallets. Of the 512 wallets traceable on chain, 318 had received zero payments. The total confirmed revenue across the dataset was 9.78 BTC, worth about $753,000 at the lookup price used in the report. A small number of wallets captured most of the money, with the top ten collecting 43% of traced payments and the top fifty collecting 82.8%. The image of a vast underground army gives way to something more mundane and, in some ways, more worrying: a handful of operators, a stack of scripts, and enough exposed infrastructure to keep the machine running.

The growth curve tells the same story. Researchers observed only 31 ransomware-marked databases in 2021. By 2023, the count had grown 16-fold. Activity flattened in 2024 and 2025, partly because so much exposed database territory had already been hit. By mid-May 2026, the count had already surpassed the full total for 2025, showing how quickly fresh targets continue to appear. For some database engines, exposure is essentially compromise. MongoDB showed 3,525 ransomware-marked systems out of 3,532 exposed instances. MySQL showed 2,930 out of 2,931. Elasticsearch and Kibana both sat around 98%.

That should change how security teams think about internet-facing databases. An exposed MongoDB instance is no longer a potential incident awaiting triage at a later date. It is an incident until proven otherwise. The same applies to exposed MySQL, Elasticsearch, and Kibana systems found on default ports with weak access controls. Scanners find them quickly, often within hours, and the first attacker rarely needs sophistication. HTTP-based admin panels behaved differently, with about 26% carrying ransom markers. Many were at least sitting behind some form of authentication, even where that protection was fragile. The worst outcomes came from direct exposure to the database engine, especially when systems were reachable from the public internet and authentication was left open, misconfigured, or absent.

The Industrialisation of Extortion

Ransom-note language was copied so often that many databases matched several note families. Operators borrowed from one another, recycled threats, reused payment instructions, and scaled campaigns through repetition. Some notes promised recovery after payment. Others threatened to report victims to European regulators for exposing customer data. Even extortion scripts now borrow from compliance pressure.

The older Meow wiper campaign from 2020 barely appeared in the dataset, with only 53 matching notes. Pure destruction faded because it produced no revenue path. The modern version leaves attackers with an option to collect from the small minority of victims willing to pay. One campaign captured the industrial nature of the activity particularly well. A single bitcoin address appeared in 1,283 ransom notes tied to 1,234 victim IPs across 49 countries. Every note demanded exactly 0.01 BTC. The campaign ran from October 2023 through May 2026 with the same amount.

The contact data supports the same conclusion. Researchers found around 2,100 distinct email addresses in ransom notes, but the most common accounts recurred across campaigns. One Tutanota address appeared in 1,374 notes. An OnionMail address appeared in 1,045. Wallet and email combinations repeated across thousands of compromised systems, suggesting that the apparent crowd of attackers may be a smaller set of operators rotating infrastructure and templates over time.
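As an added example (not code from the article or from the Ransomnews study), a small Python triage helper that does the kind of wallet and email clustering the two paragraphs above describe: it pulls indicators out of ransom-note text recovered from exposed databases and groups victim hosts by reused wallet. The note texts, addresses, emails and IPs below are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicator patterns. The bitcoin patterns only check shape (legacy base58 and
# bech32 charsets), not checksums; treat hits as candidates for analyst review.
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_BECH32 = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,58}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AMOUNT = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.IGNORECASE)


def extract_indicators(note: str) -> dict:
    """Pull wallets, contact emails and the demanded amount out of one note."""
    wallets = set(BTC_LEGACY.findall(note)) | set(BTC_BECH32.findall(note))
    amounts = [float(a) for a in AMOUNT.findall(note)]
    return {
        "wallets": sorted(wallets),
        "emails": sorted({m.lower() for m in EMAIL.findall(note)}),
        "amount_btc": min(amounts) if amounts else None,
    }


def cluster_by_wallet(notes: dict) -> dict:
    """Map each wallet to the victim hosts whose note points at it."""
    clusters = defaultdict(set)
    for host, text in notes.items():
        for wallet in extract_indicators(text)["wallets"]:
            clusters[wallet].add(host)
    return {w: sorted(hosts) for w, hosts in clusters.items()}


def shared_campaigns(notes: dict, min_hosts: int = 2) -> dict:
    """Keep only wallets reused across several hosts: the fingerprint of a
    templated, high-volume campaign rather than a one-off intrusion."""
    return {w: h for w, h in cluster_by_wallet(notes).items() if len(h) >= min_hosts}


# Constructed sample notes keyed by victim IP (documentation ranges only), as a
# responder might dump them from a 'README' collection or 'WARNING' table.
SAMPLE_NOTES = {
    "198.51.100.7": "Your data is backed up. Pay 0.01 BTC to "
                    "1AbCdEfGhJkMnPqRsTuVwXyZ23456789 and email recover@example.invalid",
    "203.0.113.21": "DB deleted. Send 0.01 btc to 1AbCdEfGhJkMnPqRsTuVwXyZ23456789, "
                    "contact Recover@Example.invalid or we report you to the regulator",
    "192.0.2.55": "Restore costs 0.02 BTC: bc1qzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz "
                  "mail helpdesk@example.invalid",
}

if __name__ == "__main__":
    for wallet, hosts in shared_campaigns(SAMPLE_NOTES).items():
        print(f"{wallet}: {len(hosts)} hosts -> {hosts}")
```

Running it over a real dump of notes from an incident lets a responder see at a glance whether the hit is part of a mass campaign (same wallet on many hosts) or something targeted.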

Geography added another layer of context. China had the highest number of ransom-marked databases, with 11,874, followed by the United States at 4,194. Germany, France, India, Singapore, South Korea, Russia, Hong Kong, and Canada followed. The distribution appears to reflect hosting density rather than national security culture. A misconfigured database behaves the same way whether it sits in Beijing, Virginia, Frankfurt, or Singapore.

Paying also looks like a poor bet: most attacker wallets earned nothing, and even the successful operators collected sums that are small relative to the damage they caused. Once a ransom note appears, the database has usually already been touched. Recovery depends on containment, forensic review, closing exposure, restoring clean backups, and notifying affected parties where required.

The Real Failure Happens Before the Ransom Demand

The stronger response is prevention, containment, forensic review, clean restoration, and disciplined reporting where required. Database extortion thrives on ordinary misconfiguration, which makes it both painfully avoidable and relentlessly effective.