Ransomware Actors Attack 85,000 MySQL Servers; 250,000 Stolen Databases for Sale
Since January of this year, threat actors have been targeting the roughly 5 million internet-facing MySQL servers worldwide with a ransomware campaign that researchers have dubbed PLEASE_READ_ME. The attack exploits weak credentials on those servers and is technically simplistic.
The campaign is considered ‘malwareless’ because no binary payload is involved in the attack chain: a simple script breaks into the database, steals its contents and leaves a ransom note in the form of a new database that the attackers create on the victim’s server. That database is named PLEASE_READ_ME (hence the name of the campaign) and contains a single entry named “WARNING” which reads: “Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise.” The ransom demanded can be as high as 0.08 BTC.
The attackers behind this campaign are believed to have made at least $25,000 during its first ten months. Researchers describe PLEASE_READ_ME as “an untargeted, transient ransomware attack that does not spend time in the network besides targeting what’s required for the actual attack – meaning there’s typically no lateral movement involved.” For persistence, a backdoor account, 'mysqlbackups'@'%', is added to the server, giving the attackers a way back into the victim’s database even after the brute-forced password is changed.
The attack begins with a password brute-force against the targeted MySQL server. Once a login succeeds, the attackers run a sequence of queries to enumerate the existing tables and users. When that information-gathering stage is complete, the victim’s data is archived into a zip file, sent to the attackers’ servers and then deleted from the compromised database.
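The chain described above (brute force, enumeration, deletion, ransom database, backdoor account) leaves a recognisable trace in the MySQL general query log. The following detector is an added example written for this page, not code from the researchers or from the campaign itself: it walks general-log lines in the MySQL 5.7/8.0 format, counts failed logins per source host, and flags the queries that match the tradecraft the article describes. The log lines are constructed for the demonstration, the brute-force threshold of 10 failures is an arbitrary assumption, and the line regex assumes the default general-log layout, which you may need to adjust for your server version.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Default MySQL 5.7/8.0 general-log line: "<time>\t<conn id> <command>\t<argument>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<cmd>Connect|Query|Quit|Init DB)\s*(?P<arg>.*)$"
)
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")

# Query patterns matching the PLEASE_READ_ME tradecraft described in the write-up:
# user enumeration, data deletion, the ransom database and the backdoor account.
IOC_PATTERNS = {
    "user_enumeration": re.compile(r"\bmysql\.user\b", re.I),
    "data_destroyed": re.compile(r"^\s*DROP\s+(TABLE|DATABASE)\b", re.I),
    "ransom_db_created": re.compile(r"CREATE\s+DATABASE\s+`?PLEASE_READ_ME`?", re.I),
    "backdoor_user_created": re.compile(r"CREATE\s+USER\s+'?mysqlbackups'?@'%'", re.I),
    "backdoor_user_granted": re.compile(r"GRANT\s+.*\s+TO\s+'?mysqlbackups'?@'%'", re.I),
}

# Queries to run against a live server when checking for the persistence artifacts.
FORENSIC_AUDIT_SQL = (
    "SHOW DATABASES LIKE 'PLEASE_READ_ME'",
    "SELECT user, host FROM mysql.user WHERE user = 'mysqlbackups'",
    "SELECT table_schema, table_name FROM information_schema.tables "
    "WHERE table_schema = 'PLEASE_READ_ME'",
)


@dataclass
class Finding:
    kind: str
    host: str
    detail: str


def analyze(lines, brute_threshold=10):
    """Return Findings for brute force, post-brute-force logins and IOC queries."""
    failures = Counter()   # source host -> failed login count
    sessions = {}          # connection id -> source host of the successful login
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        cid, cmd, arg = m["id"], m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            denied = DENIED_RE.search(arg)
            if denied:
                failures[denied["host"]] += 1
                if failures[denied["host"]] == brute_threshold:
                    findings.append(Finding("brute_force", denied["host"],
                                            f"{brute_threshold} failed logins"))
                continue
            ok = CONNECT_RE.match(arg)
            if ok:
                sessions[cid] = ok["host"]
                if failures[ok["host"]] >= brute_threshold:
                    findings.append(Finding("login_after_brute_force", ok["host"],
                                            f"user {ok['user']} logged in"))
        elif cmd == "Query":
            host = sessions.get(cid, "?")
            for kind, pattern in IOC_PATTERNS.items():
                if pattern.search(arg):
                    findings.append(Finding(kind, host, arg))
    return findings


# Constructed sample log (assumed attacker host 203.0.113.5, legitimate app host 10.0.0.7).
SAMPLE_LOG = [
    f"2020-10-12T10:00:{i:02d}.000000Z\t   {100 + i} Connect\t"
    f"Access denied for user 'root'@'203.0.113.5' (using password: YES)"
    for i in range(12)
] + [
    "2020-10-12T10:01:00.000000Z\t   120 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-10-12T10:01:01.000000Z\t   120 Query\tSHOW DATABASES",
    "2020-10-12T10:01:02.000000Z\t   120 Query\tSELECT user, host FROM mysql.user",
    "2020-10-12T10:01:30.000000Z\t   120 Query\tDROP TABLE shop.customers",
    "2020-10-12T10:01:31.000000Z\t   120 Query\tCREATE DATABASE PLEASE_READ_ME",
    "2020-10-12T10:01:32.000000Z\t   120 Query\tCREATE USER 'mysqlbackups'@'%' IDENTIFIED BY 'x'",
    "2020-10-12T10:01:33.000000Z\t   120 Query\tGRANT ALL PRIVILEGES ON *.* TO 'mysqlbackups'@'%'",
    "2020-10-12T10:05:00.000000Z\t   121 Connect\tapp@10.0.0.7 on  using TCP/IP",
    "2020-10-12T10:05:01.000000Z\t   121 Query\tSELECT 1",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:24} {f.host:15} {f.detail}")
```

The two high-fidelity signals are the ransom database and the `mysqlbackups` account; the brute-force counter is only as good as the threshold and the general log must be enabled (it is off by default), so on a production server the same logic is better fed from an audit plugin or from failed-connection counters. Note that the backdoor account has host `%`, which matches any source address; a server that is not bound to a private interface remains reachable by the attackers until that user is dropped and the original password is rotated.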
The campaign began in January 2020, a period that researchers consider its “first phase”, during which victims were required to transfer BTC directly to the attackers’ wallets. A second phase is believed to have begun in October 2020 and was marked by a change in tactics: the attack morphed into a ‘double-extortion’ attempt, in which the attackers publish the stolen data of victims who do not pay while pressuring them to do so. Payments are now collected through a website on the TOR network.
That TOR website hosts the leaked databases of every victim who did not pay the ransom. It lists 250,000 databases taken from 83,000 compromised MySQL servers, amounting to roughly 7 TB of stolen data.