The attackers are now selling over 250,000 MySQL databases on a dark web portal, each priced at just $550. Internet-connected MySQL databases worldwide are being targeted by a ransomware campaign of the “double extortion” variety, which researchers have dubbed “PLEASE_READ_ME”.
The campaign dates back to January 2020 and was detected by researchers at Guardicore Labs. To date it has breached over 83,000 of the roughly five million internet-facing MySQL databases worldwide. The campaign uses fileless ransomware and gains entry by exploiting weak credentials on MySQL servers; once in, the attackers lock the databases and steal the data. The approach is simple but effective.
The attack is called “double extortion” because the attackers use two separate methods to profit. First, they try to blackmail the owners of the MySQL databases into paying a ransom to regain access to their data. Then they sell the stolen data online to the highest bidder.
The researchers note that the attackers have so far put over 250,000 databases up for sale on a dark web auction site. The attackers also leave a backdoor user on the database for persistence, which lets them regain access to the network whenever they want.
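The two conditions the campaign depends on, weak credentials on an internet-reachable MySQL server and a persistence account left behind afterwards, can both be checked from a SQL session. The queries below are an added example written for this page, not code from the article or from Guardicore, and are written for MySQL 8; the account names, host ranges and database name in the remediation section are illustrative placeholders, not identifiers from the campaign.

```sql
-- Added audit/hardening example (not from the article or Guardicore). MySQL 8 syntax.

-- 1. Is the server listening on all interfaces? bind_address of '*' or '0.0.0.0'
--    combined with an open firewall is what makes the database "internet-facing".
SELECT @@GLOBAL.bind_address AS bind_address,
       @@GLOBAL.skip_networking AS skip_networking;

-- 2. Accounts reachable from any host. A '%' host pattern is what lets a
--    credential-guessing attack from the internet succeed, and is also the usual
--    shape of a backdoor user. Empty authentication_string means no password.
SELECT user, host, plugin,
       (authentication_string = '') AS empty_password,
       account_locked
FROM mysql.user
WHERE host = '%';

-- 3. Accounts holding privileges an attacker needs: SELECT to steal data, DROP to
--    lock it, FILE to write dumps to disk, and CREATE USER / GRANT OPTION to
--    re-create the backdoor if it is removed.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.user_privileges
WHERE privilege_type IN ('FILE', 'SUPER', 'DROP', 'CREATE USER')
   OR is_grantable = 'YES'
ORDER BY grantee, privilege_type;

-- 4. Accounts created or re-credentialed most recently, newest first, to spot a
--    persistence user added after a compromise.
SELECT user, host, password_last_changed
FROM mysql.user
ORDER BY password_last_changed DESC;

-- 5. Remediation: the weak pattern beside the corrected one.
--    Weak (do not run): a root-equivalent account reachable from anywhere with
--    an empty password.
--      CREATE USER 'admin'@'%' IDENTIFIED BY '';
--      GRANT ALL PRIVILEGES ON *.* TO 'admin'@'%' WITH GRANT OPTION;
--    Corrected: restrict the source network, require a strong password, and grant
--    only the schema-level rights the application uses (placeholder names).
CREATE USER IF NOT EXISTS 'app'@'10.0.0.%'
  IDENTIFIED BY 'replace-with-a-long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.0.%';

-- 6. Remove a suspected backdoor account once identified (hypothetical name) and
--    reload the grant tables so the change takes effect for new connections.
DROP USER IF EXISTS 'backdoor'@'%';
FLUSH PRIVILEGES;
```

Run the audit queries as an account with SELECT on the mysql schema; any row returned by query 2 with an empty password, or by query 3 for an account the application does not own, is worth investigating before the data is dumped and sold. Removing the user does not end sessions it already holds, so after dropping it check `SHOW PROCESSLIST` and kill any connection that is still open.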
The researchers traced the origins of the attacks to 11 separate IP addresses, most of them based in the U.K. and Ireland.
The first ransomware attack was spotted back on the 24th of January, with the Guardicore Global Sensors Network (GGSN) reporting 92 attacks in total. Since October, however, the rate of attacks has soared sharply.
Two variants have been used over the campaign’s lifetime, showing how the attackers’ tactics for gaining access to MySQL databases evolved. The first variant was used in 63 attacks from January until the end of November. The second variant started on the 3rd of October and ceased at the end of November.
In the first phase, the attackers left a ransom note containing their wallet address, an email address for technical support and the amount of Bitcoin (BTC) the victim had to pay. Victims were given ten days to make the payment.
“We found that a total of 1.2867640900000001 BTC had been transferred to these wallets, equivalent to 24,906 USD,” noted researchers.
The attackers later ditched the Bitcoin wallet in favour of a Tor-based deep web site that let them collect payment.
Source: Infosecurity Magazine