PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers

  • The ransomware actors behind the attack have breached at least 85,000 MySQL servers and are currently advertising at least 250,000 compromised databases for sale.

    Researchers are warning of an active ransomware campaign targeting MySQL database servers. The ransomware, dubbed PLEASE_READ_ME, has so far breached at least 85,000 servers worldwide and has posted at least 250,000 stolen databases on a website for sale.

    MySQL is an open-source relational database management system. The attack exploits weak credentials on internet-facing MySQL servers, of which there are close to 5 million worldwide. Since first observing the campaign in January, researchers said, the attackers have changed their tactics to put more pressure on victims and to automate the ransom payment process.


    “The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, collecting data on existing tables and users,” said Ophir Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday post. “By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.”
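    The first stage described above, the password brute-force, leaves a trail in the server's own error log: one "Access denied for user" line per failed login. The following script is an added example (not Guardicore's code or anything from the original post) that groups those lines by source address and flags any host that exceeds a threshold of failures within a sliding time window. The sample log lines are constructed for the example in the shape of a MySQL 8 error log with log_error_verbosity=3; the exact prefix and error code are an assumption and vary by server version, so only the "Access denied for user 'user'@'host'" part is matched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real capture). The timestamp/error-code prefix
# is an assumption about the MySQL 8 error-log layout; the regex below relies
# only on the ISO timestamp at the start and the "Access denied" text.
SAMPLE_ERROR_LOG = """\
2020-12-10T10:15:00.500000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2020-12-10T10:15:01.000000Z 51 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:15:01.200000Z 52 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:15:01.400000Z 53 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:15:01.600000Z 54 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T10:15:02.000000Z 55 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T10:15:02.500000Z 56 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-10T10:30:00.000000Z 57 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)
"""

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z).*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failed_logins(lines):
    """Yield (timestamp, username, source_host) for every failed-login line; skip the rest."""
    events = []
    for line in lines:
        match = FAILED_LOGIN_RE.search(line)
        if not match:
            continue
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, match.group("user"), match.group("host")))
    return events


def find_bruteforce_sources(lines, threshold=5, window_seconds=300):
    """Return {source_host: summary} for hosts with >= threshold failures inside any window."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(list)
    for ts, user, host in parse_failed_logins(lines):
        by_host[host].append((ts, user))

    flagged = {}
    for host, attempts in by_host.items():
        attempts.sort()
        # Sliding window over the sorted timestamps: `start` advances whenever the
        # span from attempts[start] to attempts[end] exceeds the window.
        start = 0
        peak = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = {
                "peak_attempts_in_window": peak,
                "total_attempts": len(attempts),
                # Several distinct usernames from one host is typical of credential guessing.
                "usernames": sorted({user for _, user in attempts}),
                "first_seen": attempts[0][0].isoformat(),
                "last_seen": attempts[-1][0].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for host, summary in find_bruteforce_sources(SAMPLE_ERROR_LOG.splitlines()).items():
        print(host, summary)
```

    On the constructed sample, 203.0.113.5 is flagged (six failures across three usernames in 1.5 seconds) while the single failure from 198.51.100.7 is not. Failed logins only reach the error log when log_error_verbosity is 3 (or, on older servers, when log_warnings is at least 2), so confirm that setting before relying on this source; a flagged host is a candidate for a firewall block and, more importantly, a prompt to check whether any later login from it succeeded.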

    From there, the attacker leaves a ransom note in a table named “WARNING,” which demands a ransom payment of up to 0.08 BTC. The ransom note tells victims (verbatim), “Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise.”

    Researchers believe that the attackers behind this campaign have made at least $25,000 in the first 10 months of the year.

    Researchers said that PLEASE_READ_ME (so called because it is the name of the database that the attackers create on a compromised server) is an example of an untargeted, transient ransomware attack that does not spend time in the network beyond what is needed for the attack itself – meaning there is usually no lateral movement involved.

    The attack may be simple, but it is also dangerous, researchers warned, because it is nearly fileless. “There are no binary payloads involved in the attack chain, making the attack ‘malwareless,’” they said. “Only a simple script which breaks in the database, steals information and leaves a message.”

    That said, a backdoor user 'mysqlbackups'@'%' is added to the database for persistence, giving the attackers future access to the compromised server, researchers said.
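    Because the campaign leaves no binaries, the indicators that survive on a server are all inside MySQL itself: the PLEASE_READ_ME database, the WARNING table carrying the note, and the 'mysqlbackups'@'%' account. The script below is an added example (not Guardicore's code or anything from the original post) that hunts for those three indicators through any DB-API cursor (PyMySQL or mysql-connector would do) and lists any other account permitted from the wildcard host '%', which is the setting that makes an internet-facing brute-force pay off. The canned rows in `_ConstructedCursor` and `demo_findings` are constructed so the example runs offline; against a live server you would pass a real cursor instead.

```python
# Indicators named in the Guardicore write-up: the database the attackers create,
# the table that holds the ransom note, and the persistence account they add.
INDICATOR_DATABASE = "PLEASE_READ_ME"
INDICATOR_TABLE = "WARNING"
INDICATOR_USER = ("mysqlbackups", "%")


def hunt_please_read_me(cursor):
    """Run the three lookups on a DB-API cursor; return a list of (kind, detail) findings."""
    findings = []

    cursor.execute(
        "SELECT schema_name FROM information_schema.schemata WHERE schema_name = %s",
        (INDICATOR_DATABASE,),
    )
    for (schema,) in cursor.fetchall():
        findings.append(("ransom_database", schema))

    # The WARNING table is looked up in every schema, since the note may sit
    # beside the victim's own data rather than inside PLEASE_READ_ME.
    cursor.execute(
        "SELECT table_schema, table_name FROM information_schema.tables WHERE table_name = %s",
        (INDICATOR_TABLE,),
    )
    for schema, table in cursor.fetchall():
        findings.append(("ransom_table", f"{schema}.{table}"))

    # '%' is bound as a parameter on purpose: with format-style drivers a literal
    # '%' inside the SQL text would otherwise have to be written as '%%'.
    cursor.execute("SELECT user, host FROM mysql.user WHERE host = %s", ("%",))
    for user, host in cursor.fetchall():
        kind = "backdoor_user" if (user, host) == INDICATOR_USER else "wildcard_host_user"
        findings.append((kind, f"'{user}'@'{host}'"))

    return findings


def remediation_statements(findings):
    """SQL to apply after review: drop the known backdoor; other '%' accounts are left for a human."""
    statements = []
    for kind, detail in findings:
        if kind == "backdoor_user":
            # `detail` is the constant indicator account here, so it is safe to interpolate.
            statements.append(f"DROP USER {detail};")
    return statements


class _ConstructedCursor:
    """Offline stand-in for a DB-API cursor; answers each query from canned rows (constructed)."""

    def __init__(self, rows_by_table):
        self._rows_by_table = rows_by_table
        self._pending = []

    def execute(self, sql, params=()):
        self._pending = next(
            (rows for table, rows in self._rows_by_table.items() if table in sql), []
        )

    def fetchall(self):
        return list(self._pending)


def demo_findings():
    """Findings for a constructed server state matching the campaign's footprint."""
    cursor = _ConstructedCursor({
        "information_schema.schemata": [("PLEASE_READ_ME",)],
        "information_schema.tables": [("PLEASE_READ_ME", "WARNING")],
        # Only host='%' rows are listed, mirroring what the filtered query would return.
        "mysql.user": [("mysqlbackups", "%"), ("app", "%")],
    })
    return hunt_please_read_me(cursor)


if __name__ == "__main__":
    found = demo_findings()
    for kind, detail in found:
        print(f"{kind}: {detail}")
    print("\n".join(remediation_statements(found)))
```

    Dropping the backdoor account is the easy part; the finding that matters operationally is the list of remaining wildcard-host accounts, since any of them with a guessable password is the next way in. Pair the cleanup with a bind-address restricted to the hosts that need the service, a firewall rule in front of port 3306, and rotated credentials for every account that was reachable from the internet.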

    Attack Evolution

    Researchers first observed PLEASE_READ_ME attacks in January, in what they called the “first phase” of the attack. In this first phase, victims were required to transfer BTC directly to the attacker’s wallet.

    The attack timeline. Credit: Guardicore Labs

    The second phase of the ransomware campaign started in October, which researchers said marked an evolution in the campaign’s tactics, techniques and procedures (TTPs). In the second phase, the attack evolved into a double-extortion attempt, researchers say – meaning attackers are publishing data while pressuring victims to pay the ransom. Here, attackers set up a website on the TOR network where payments can be made. Victims paying the ransom can be identified using tokens (as opposed to their IP/domain), researchers said.

    “The website is a good example of a double-extortion mechanism – it includes all leaked databases for which ransom was not paid,” said researchers. “The site lists 250,000 different databases from 83,000 MySQL servers, with 7 TB of stolen data. Up until now, [we] captured 29 incidents of this variant, originating from 7 different IP addresses.”

    Ransomware attacks have continued to hammer hospitals, schools and other organizations in 2020. The ransomware tactic of “double extortion” first emerged in late 2019 with the Maze operators – but has been rapidly adopted over the past few months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.

    Looking ahead, researchers warn that the PLEASE_READ_ME operators are looking to up their game by applying double extortion at scale: “Factoring their operation will render the campaign more scalable and profitable,” they said.
