MySQL Servers Connected to the Internet Are Under Ransomware Attack


According to a warning from security vendor Guardicore, an ongoing ransomware campaign has compromised more than 250,000 databases to date by exploiting weak credentials on MySQL servers connected to the Internet.

Guardicore said the campaign, dubbed PLEASE READ ME, began as early as January 2020, with more than 83,000 victims successfully breached to date.

The attacks are expected to continue against servers with weak authentication credentials, and there are more than five million Internet-facing MySQL servers.

Security researchers from Guardicore say that in an attempt to force victims to pay the ransom demand for the encrypted data, the attackers engage in double extortion.

The attacks appear to originate from 11 IP addresses, most of which are located in Ireland and the UK, and have resulted in 7TB of stolen data.

From January to November, the attackers included a Bitcoin wallet in the ransom note and instructed the victim to make payments there. This resulted in the attackers being paid roughly $25,000.

The victims were directed to the TOR website, hn4wg4o6s5nc7763.onion, starting in October, where the attackers listed all databases for which a ransom was not paid. They identified a total of 250,000 entries from 83,000 MySQL servers.

The attackers gain access to the targeted databases by brute-forcing the passwords for the MySQL servers. Next, they run queries to collect data on tables and users and to archive and exfiltrate data from the victim. The database is then swept clean and left with a ransom note demanding a ransom of up to 0.08 BTC.

A backdoor is also added to the database so that the attacker can regain access to it if needed.
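Because the entry point described above is password brute-forcing, the MySQL error log is a natural place to detect it. The following is an added example, not code from Guardicore or the original article: it flags source hosts that generate a burst of denied logins. It assumes the server logs denied logins to the error log (log_error_verbosity=3); the sample lines, the threshold and the window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in MySQL error-log style (not taken from a real server).
# Assumption: log_error_verbosity=3, so denied logins are written as [Note] entries.
SAMPLE_LOG = """\
2020-12-10T10:00:00.000000Z 0 [Note] mysqld: ready for connections.
2020-12-10T10:00:01.100000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:03.100000Z 13 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:05.100000Z 14 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:07.100000Z 15 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:08.100000Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:09.100000Z 17 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T10:05:00.100000Z 18 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
"""

# Matches 5.7-style lines and 8.0-style lines that carry an error code and subsystem tag.
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z \d+ \[Note\] "
    r"(?:\[MY-\d+\] \[Server\] )?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: sorted usernames tried} for hosts with at least
    `threshold` denied logins inside any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events[m["host"]].append((ts, m["user"]))
    flagged = {}
    for host, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = sorted({user for _, user in hits})
                break
    return flagged

if __name__ == "__main__":
    for host, users in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {host}: users tried {users}")
```

A single mistyped password, like the one from 198.51.100.7 in the sample, stays below the threshold and is not flagged.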

The attackers are offering the stolen databases for sale at 0.03 Bitcoin (approximately $520) on their TOR website. All entries, with approximately 83,000 unique tokens identified, are listed per token, Guardicore said.

The attacks are not targeted, and the attackers show no interest in the identity or size of the victim. Researchers believe the immediate focus is to compromise as many victims as possible for financial gain (though the attackers make less money per victim, the security researchers note).

By using double extortion at scale, the PLEASE READ ME operators are attempting to up their game.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.