Cyber extortionists hold MySQL databases for ransom

Register for the upcoming webinar: Top 6 Security Needs for APIs and Serverless Apps

Ransomware has become cyber crooks’ favorite attack methodology for hitting businesses, but not all cyber extortion attempts are effected with this particular type of malware.

MySQL databases ransom

Since the beginning of the year, we have witnessed attackers compromising databases, exfiltrating data from them, wiping them and then asking for money (0.2 BTC) in order to return the data. They ransacked MongoDB, CouchDB and Hadoop databases, and now they’ve set MySQL databases in their sights.

According to GuardiCore researchers, the first flurry of attacks dates back to February 12. Hundreds of them were detected, and all were tracked to an IP address hosted by Netherlands-based web hosting company WorldStream (109.236.88.20).

“The attack starts with ‘root’ password brute-forcing. Once logged-in, it fetches a list of the existing MySQL databases and their tables and creates a new table called ‘WARNING’ that includes a contact email address, a bitcoin address and a payment demand,” they explained.

“In one variant of the attack the table is added to an existing database; in other cases the table is added to a newly created database called ‘PLEASE_READ’. The attacker will then delete the databases stored on the server and disconnect, sometimes without even dumping them first.”

Protection and remediation

It seems possible – likely even – that similar attacks will occur again. Luckily, protecting your servers against them is easy: use stronger passwords.

Minimizing internet facing services is also a good idea, and setting up a robust and automated backup system is a must, so you don’t have to worry if attackers actually do manage to get through.

For those whose databases have been plundered in these attacks, GuardiCore researchers have the following advice: before even considering paying the ransom, make sure that the attackers actually have your data.

“In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration,” they noted.

It’s interesting to note that the two Bitcoin addresses to which the victims are supposed to transfer money to have recently received several payments, some seemingly from victims.

But, the researchers warn, the payments could have just as easily come from the attackers themselves, and this could be a simple ploy to convince victims that others have already paid the ransom, and so they should, too.