
PLEASE_READ_ME ransom attack hits 85K MySQL servers

The actors behind the attack have compromised at least 85,000 MySQL servers and are currently offering at least 250,000 compromised databases for sale.

Researchers have issued a warning about an active campaign against MySQL database servers. To date, the campaign, dubbed PLEASE_READ_ME, has compromised at least 85,000 servers worldwide and has put at least 250,000 stolen databases up for sale on a website.

MySQL is an open source relational database management system. The attack takes advantage of weak credentials on Internet-facing MySQL servers, of which there are nearly 5 million worldwide. Since the activity was first observed in January, researchers say, the attackers have changed their techniques to put more pressure on victims and to automate the ransom payment process.

“The attack started with a brute-force password attack on the MySQL service. Once successful, the attacker would run a series of queries in the database to collect data on existing tables and users,” Guardicore Labs researchers Ophir Harpaz and Omri Marom said in a post on Thursday. “At the end of the execution, the victim’s data had disappeared: archived in a compressed file, which was sent to the attacker’s server and then deleted from the database.”

From there, the attacker leaves a ransom note in a table named “WARNING”, demanding payment of a ransom of up to 0.08 BTC. In general terms, the ransom note tells the victim: “Your database has been downloaded and backed up on our server. If we do not receive your payment within the next 9 days, we will sell your database to the highest bidder, or otherwise use it.”

Researchers believe that the attackers of this campaign made at least $25,000 in the first 10 months of this year.

The researchers stated that PLEASE_READ_ME (named after the database the attacker creates on the infected server) is an example of an untargeted, short-lived attack. It does not go after specific victims or content and does not involve the attacker spending time on the network, which means that no lateral movement is usually involved.

The researchers warn that the attack may be simple, but it is also dangerous because it leaves almost no files behind. They said: “There is no binary payload in the attack chain, making the attack ‘malware-free’. Only a simple script will destroy the database, steal information and leave a message.”

The researchers also said that a backdoor user, mysqlbackups’@’%’, is added to the database to maintain persistence, so that the attacker can access the infected server again in the future.
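A defender-side hunt for the indicators described above (the brute-force stage, the mysqlbackups’@’%’ backdoor user, and the PLEASE_READ_ME database and WARNING table), written as an added example rather than code from the Guardicore post. It assumes the MySQL error log records access-denied notes (log_error_verbosity=3 on 5.7/8.0) and that the account and schema inventories are the row results of the SQL named in the docstrings; all sample data below is constructed.

```python
import re
from datetime import datetime, timedelta
# MySQL error-log "Access denied" note (needs log_error_verbosity=3 on 5.7/8.0).
DENIED_RE = re.compile(r"^(?P<ts>\S+Z) \d+ \[\w+\] Access denied for user "
                       r"'(?P<user>[^']*)'@'(?P<host>[^']*)'")

def failed_login_bursts(log_lines, window=timedelta(minutes=5), threshold=20):
    """Brute-force stage: host -> total denials, for hosts with at least
    `threshold` denied logins inside any sliding `window`."""
    by_host = {}
    for line in log_lines:
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            by_host.setdefault(m["host"], []).append(ts)
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = len(stamps)
                break
    return hits

def suspicious_accounts(accounts):
    """Persistence stage: accounts = (user, host) rows from
    SELECT user, host FROM mysql.user. Flags the backdoor user and any '%' host."""
    flagged = []
    for user, host in accounts:
        if (user, host) == ("mysqlbackups", "%"):
            flagged.append((user, host, "PLEASE_READ_ME backdoor user"))
        elif host == "%":
            flagged.append((user, host, "login allowed from any host"))
    return flagged

def ransom_artifacts(schemas, tables):
    """Ransom stage: schemas from SHOW DATABASES, tables as (schema, table)
    rows from information_schema.tables. Returns the names the campaign leaves."""
    found = [s for s in schemas if s.upper() == "PLEASE_READ_ME"]
    return found + [f"{s}.{t}" for s, t in tables if t.upper() == "WARNING"]

# Constructed samples: a 25-denial burst from one host, one stray denial, an inventory with artifacts.
SAMPLE_LOG = [f"2020-12-10T12:00:{i:02d}.000000Z {40 + i} [Note] Access denied for "
              f"user 'root'@'203.0.113.5' (using password: YES)" for i in range(25)]
SAMPLE_LOG.append("2020-12-10T12:30:00.000000Z 99 [Note] Access denied for user "
                  "'app'@'10.0.0.7' (using password: YES)")
SAMPLE_ACCOUNTS = [("root", "localhost"), ("app", "10.0.0.7"), ("mysqlbackups", "%")]
SAMPLE_SCHEMAS, SAMPLE_TABLES = ["mysql", "shop", "PLEASE_READ_ME"], [("shop", "orders"), ("PLEASE_READ_ME", "WARNING")]
```

Running the three functions over the samples flags the bursting host, the backdoor account and both leftover names; on a real server, feed them the error log and the query results instead.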

Attack evolution
Researchers first observed the PLEASE_READ_ME attack in January, in what they call the “first stage” of the campaign. In the first stage, victims were required to transfer BTC directly to the attacker’s wallet.

The second phase of the campaign began in October, and the researchers said it marked an evolution of the campaign’s tactics, techniques and procedures (TTPs). In the second stage, the attack evolved into double extortion, meaning that the attacker leaks the data as well as pressuring the victim to pay the ransom. Here, the attacker set up a payment website, and researchers say victims who pay are identified by tokens rather than by their IP address or domain.

The researchers said: “The website is a good example of a double extortion mechanism: it contains all the leaked databases for which the ransom was not paid. The website lists 250,000 different databases from 83,000 MySQL servers, and 7 TB of stolen data. So far, [we] have captured 29 such incidents from seven different IP addresses.”

Ransomware attacks have continued to hammer hospitals, schools and other organizations in 2020. The “double extortion” tactic first appeared with the Maze operators in late 2019, but has been quickly adopted in the past few months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.

Looking ahead, the researchers warned that the PLEASE_READ_ME operators are trying to up their game by using double extortion at scale: “Factorizing their operations will make the campaign more scalable and profitable.”