snyk writes on secure defaults:
Before version 2.6.0 hipster data “store” did not by default require authentication (wait, what?) and also did bind to * instead of 127.0.0.1.
As a result, by default, each MongoDB data “store” has been accessible from the entire internet.
Scanners such as Shodan provide an index to all such MongoDB installations on the entire Internet. Enterprising anonymous “hackers” have monetized this opportunity by accessing these installations over the Internet, encrypting the data and then accepting Bitcoin for the decryption password – or scamming the installations owner, assuming that people who put production data on internet-wide installations with unauthenticated access deserve to be conned and then conned over again.
Other hipster data stores, including Elastic Search, CouchDB and Redis, are known to have similar access properties. NoSQL might actually mean “NoSequrity”.