Hi @Rene_Schneider,
As @chris correctly noted, the issue is someone connecting to an unsecured deployment (there are no authentication messages in the logs), dropping the databases, and then creating a collection with a ransom note. This cycle happens several times in the log excerpt, so there are likely multiple bad actors who have discovered your unsecured deployment.
For a similar recent discussion and advice, please see Database deleted auto - #7 by Stennie.
Regards,
Stennie