- Aug 17, 2014
Researchers are warning on an active ransomware campaign that’s targeting MySQL database servers. The ransomware, called PLEASE_READ_ME, has thus far breached at least 85,000 servers worldwide – and has posted at least 250,000 stolen databases on a website for sale.
MySQL is an open-source relational database management system. The attack exploits weak credentials on internet-facing MySQL servers, of which there are close to 5 million worldwide. Since first observing the ransomware campaign in January, researchers said that attackers have switched up their techniques to put more pressure on victims and to automate the payment process for the ransom.
“The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users,” said Ophir Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday post. “By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.” From there, the attacker leaves a ransom note in a table, named “WARNING,” which demands a ransom payment of up to 0.08 BTC. The ransom note tells victims (verbatim), “Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise.”
Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently selling at least 250,000 compromised databases.
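The attack chain described above (credential brute force on the MySQL service, followed by a ransom note left in a table named WARNING) suggests two cheap detections a defender can run: counting repeated failed logins per source host in the MySQL error log, and checking table names for the note table. The following is an added example, not code from Guardicore Labs or from the article; it assumes the MySQL 5.7/8.0 timestamped error-log format for "Access denied" lines (emitted when log_error_verbosity or log_warnings is set high enough), and the sample log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches MySQL error-log lines of the form
#   2020-12-10T12:00:01.000000Z 42 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
# (MySQL 5.7/8.0 timestamped format; an assumption about the deployment's log settings).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample log: six failures from one host inside 30 seconds,
# two from another host, and one unrelated server message.
SAMPLE_LOG = [
    "2020-12-10T12:00:01.000000Z 42 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T12:00:03.000000Z 43 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T12:00:05.000000Z 0 [Note] Event Scheduler: Loaded 0 events",
    "2020-12-10T12:00:06.000000Z 44 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2020-12-10T12:00:09.000000Z 45 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)",
    "2020-12-10T12:00:12.000000Z 46 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)",
    "2020-12-10T12:00:18.000000Z 47 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T12:00:25.000000Z 48 [Note] Access denied for user 'test'@'203.0.113.5' (using password: YES)",
    "2020-12-10T12:04:00.000000Z 49 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)",
]


def parse_denied(lines):
    """Yield (timestamp, user, host) for every failed-login line."""
    for line in lines:
        m = ACCESS_DENIED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m.group("user"), m.group("host")


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {host: total_failures} for every host that produced at least
    `threshold` failed logins inside some sliding window of length `window`."""
    per_host = defaultdict(list)
    for ts, _user, host in parse_denied(lines):
        per_host[host].append(ts)

    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged


# Table name the campaign uses for its ransom note, per the article.
RANSOM_TABLE_NAMES = {"WARNING"}


def ransom_note_tables(table_names):
    """Given table names (e.g. from SHOW TABLES), return those that match
    the ransom-note table, case-insensitively."""
    return sorted(t for t in table_names if t.upper() in RANSOM_TABLE_NAMES)


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("ransom-note tables:", ransom_note_tables(["customers", "WARNING", "orders"]))
```

The brute-force detector keys on the client host rather than the username because the campaign cycles through accounts from one source; the threshold and window are tunable and should be set from a baseline of normal failed-login volume on the server being monitored.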