Ransomware Campaign Targets MySQL Servers

  • Internet-facing MySQL databases around the world are being targeted by a double-extortion ransomware campaign that researchers have dubbed PLEASE_READ_ME.

    The campaign, which dates back to at least January 2020, was detected by researchers at Guardicore Labs. So far it has breached more than 83,000 of the more than 5 million internet-facing MySQL databases in existence worldwide.

    Simple but effective in its approach, the campaign uses fileless ransomware and gains entry by exploiting weak credentials on MySQL servers. After gaining access, the attackers lock the databases and steal the data.

    The attack is a double extortion because its authors use two different strategies to turn a profit. First, they try to blackmail the database owners into handing over money to regain access to their data. Second, they sell the stolen data online to the highest bidder.

    Researchers noted that the attackers have so far put more than 250,000 databases up for sale on a dark web auction site.

    The attackers leave a backdoor user on the databases for persistence, allowing them to regain access to the network whenever they choose.
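    The two weaknesses the campaign relies on, weak or absent passwords on network-reachable MySQL accounts and an extra account left behind as a backdoor, can both be checked from the server's own account table. The following audit is an added example, not code from the article or from Guardicore: it takes rows of the shape a defender gets from `SELECT user, host, authentication_string, plugin FROM mysql.user;` and reports accounts with no password, accounts reachable from any host, root logins allowed from the network, and accounts missing from an operator-maintained allowlist. The sample rows, the `EXPECTED` allowlist and the hash values are constructed for illustration.

```python
"""Audit MySQL accounts for the weaknesses the PLEASE_READ_ME campaign relies on.

Added example (not from the article or from Guardicore). Input rows mirror
    SELECT user, host, authentication_string, plugin FROM mysql.user;
The allowlist and sample rows below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Account:
    user: str
    host: str
    auth_string: str   # stored hash; empty string means no password is set
    plugin: str        # e.g. caching_sha2_password, mysql_native_password, auth_socket

# Constructed allowlist: the (user, host) pairs an operator expects to exist.
# Anything else is treated as a possible backdoor account.
EXPECTED: Set[Tuple[str, str]] = {
    ("root", "localhost"),
    ("app", "10.0.0.%"),
    ("backup", "localhost"),
}

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def audit(accounts: Iterable[Account], expected: Set[Tuple[str, str]] = EXPECTED) -> Dict[str, List[str]]:
    """Return {'user@host': [reasons]} for every account that needs attention."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        reasons: List[str] = []
        # auth_socket authenticates via the OS user, so an empty hash is normal there.
        if not a.auth_string and a.plugin != "auth_socket":
            reasons.append("no password set")
        if a.host in ("%", ""):
            reasons.append("reachable from any host")
        if a.user == "root" and a.host not in LOCAL_HOSTS:
            reasons.append("root login allowed from the network")
        # Built-in mysql.* accounts are locked by default and are not part of the allowlist.
        if (a.user, a.host) not in expected and not a.user.startswith("mysql."):
            reasons.append("unexpected account (possible backdoor)")
        if reasons:
            findings[f"{a.user}@{a.host}"] = reasons
    return findings

def sample_rows() -> List[Account]:
    """Constructed account table: three sane entries, two of the kind the campaign exploits or leaves behind."""
    return [
        Account("root", "localhost", "$A$005$constructedhash1", "caching_sha2_password"),
        Account("app", "10.0.0.%", "$A$005$constructedhash2", "caching_sha2_password"),
        Account("mysql.sys", "localhost", "$A$005$constructedhash3", "caching_sha2_password"),
        Account("backup", "localhost", "", "auth_socket"),
        # Weak credential: root with no password, reachable from anywhere.
        Account("root", "%", "", "mysql_native_password"),
        # Account nobody provisioned, reachable from anywhere: a persistence backdoor.
        Account("support", "%", "*CONSTRUCTEDNATIVEHASH", "mysql_native_password"),
    ]

if __name__ == "__main__":
    for who, reasons in audit(sample_rows()).items():
        print(who)
        for r in reasons:
            print("  -", r)
```

    In production the rows would come from a read-only connection to the server rather than from `sample_rows()`, and the allowlist would live in configuration management so that any drift, such as a newly created user, shows up on the next run.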

    Researchers were able to trace the origins of the attacks to 11 distinct IP addresses, the majority of which are based in Ireland and the UK.

    Since spotting the first attack on January 24, the Guardicore Global Sensors Network (GGSN) has recorded a total of 92 attacks. Since October, the rate at which attacks are being launched has risen steeply.

    Two variants have been used over the campaign’s lifespan, showing an evolution in the attackers’ techniques. The first was used from January to the end of November for 63 attacks, and the second phase kicked off on October 3, halting at November’s end.

    In phase one, the attackers left a ransom note with their wallet address, the amount of Bitcoin to pay, and an email address for technical support. Victims were given 10 days to pay up.

    “We found that a total of 1.2867640900000001 BTC had been transferred to these wallets, equivalent to 24,906 USD,” the researchers said.

    In the second phase, the attackers ditched the Bitcoin wallet in favor of a website on the Tor network where payment could be made.