MySQL Servers Targeted in Ransomware Attack

Author: Melodie Foster

Date: 11th December 2020

MySQL databases that are connected to the internet are being targeted across the globe in a double extortion campaign called PLEASE_READ_ME by researchers.

This campaign has breached over 83,000 internet-facing MySQL databases out of the five million that exist worldwide. The simple attack works by using file-less ransomware to exploit weak credentials in MySQL servers and after they have gained entry, the hackers lock the database and steal the victim’s data. They also leave a backdoor on the database which would allow for re-entry into the network.

The attack involves double extortion because in trying to make a profit, they use two different methods. Firstly, they attempt to blackmail the victim for the victims to retrieve access to their data and secondly, they will sell the stolen data to the highest bidder. Researchers found that just over one Bitcoin or just under 25,000 USD had been transferred to the wallets. Furthermore, the researchers noted that the attackers have been able to offer more than 250,000 databases on a dark web auction site so far.

There have been two variations of this attack, the first was used from January to the end of November with 63 attacks, and the second started on October 3^rd until the end of November. The first phase consisted of the attacker leaving a ransom note containing the amount of Bitcoin to pay, their wallet address and an email address for technical support, the victims were given 10 days to pay. In the second phase, however, the attacker did not use a Bitcoin wallet and instead opted for a website in the TOR network for victims to pay.[1]

[1] https://www.infosecurity-magazine.com/news/ransomware-campaign-targets-mysql/

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

MySQL Servers Targeted in Ransomware Attack

Author: Melodie Foster

Date: 11th December 2020

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta