Hundreds of MySQL databases were hit in ransomware attacks that have been described as “an evolution of the MongoDB ransomware attacks.” In January, tens of thousands of MongoDB installs were erased and replaced with ransom demands. In the new attacks, the targeted MySQL databases are erased and replaced with a ransom demand for 0.2 bitcoin, currently equal to about $234.
“Hundreds” of MySQL databases were targeted, according to security vendor GuardiCore.
The attacks, which began on February 12 and lasted 30 hours, were all traced back to one IP address, 18.104.22.168. It belongs to WorldStream, a web hosting company based in the Netherlands. The web hosting company was notified of the attacks. GuardiCore suspects the attacker was “running from a compromised mail server which also serves as HTTP(s) and FTP server.”
GuardiCore reported that the attack starts with brute-forcing the root password for the MySQL server. Once logged in, the attacker lists the server’s databases and their tables.
Two types of ransomware attacks
There are two variants of attacks. In one, a new table called “WARNING” is added to the existing database; it includes an email address, a 0.2 bitcoin ransom demand and a bitcoin address. In the other, a table called “PLEASE_READ” is added to a newly created database. GuardiCore added, “The attacker will then delete the databases stored on the server and disconnect, sometimes without even dumping them first.”
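The attack sequence above (repeated failed root logins, then a “WARNING” or “PLEASE_READ” table appearing) gives a defender two cheap indicators to check. The script below is an added example, not GuardiCore’s tooling or anything from the original report: it parses constructed MySQL 5.7-style error-log lines for “Access denied” notes (it assumes `log_error_verbosity` is high enough for failed logins to be logged), flags any user/host pair with a burst of failures, and scans a constructed list of `information_schema.tables` rows for the ransom-note table names the article cites. The log lines, IP addresses and table rows are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on MySQL 5.7 error-log "Access denied" notes.
# Assumption: log_error_verbosity=3 so failed logins are written to the error log.
# These are not real log lines; the IPs are documentation addresses.
SAMPLE_ERROR_LOG = """\
2017-02-12T09:00:00.000000Z 41 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-02-12T09:00:00.250000Z 42 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-02-12T09:00:00.500000Z 43 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-02-12T09:00:00.750000Z 44 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-02-12T09:00:01.000000Z 45 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-02-12T09:00:01.250000Z 46 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2017-02-12T09:03:10.000000Z 47 [Note] Access denied for user 'app'@'198.51.100.4' (using password: YES)
2017-02-12T09:05:00.000000Z 48 [Note] Aborted connection 48 to db: 'shop' user: 'app' host: '198.51.100.4'
"""

# Constructed rows as returned by
#   SELECT table_schema, table_name FROM information_schema.tables;
SAMPLE_TABLE_ROWS = [
    ("shop", "orders"),
    ("shop", "customers"),
    ("shop", "WARNING"),            # note dropped into an existing database
    ("PLEASE_READ", "PLEASE_READ"), # note in a freshly created database
]

# Table names used by the two variants described in the report.
RANSOM_TABLE_NAMES = {"WARNING", "PLEASE_READ"}

ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, host) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_DENIED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m.group("user"), m.group("host")))
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Map (user, host) -> max failures seen inside any `window`, for pairs
    that reach `threshold`. A sliding window over sorted timestamps."""
    per_key = defaultdict(list)
    for ts, user, host in events:
        per_key[(user, host)].append(ts)
    hits = {}
    for key, stamps in per_key.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def find_ransom_note_tables(rows):
    """Return (schema, table) pairs whose table name matches a known note name."""
    return [(schema, table) for schema, table in rows
            if table.upper() in RANSOM_TABLE_NAMES]


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_ERROR_LOG)
    for (user, host), count in brute_force_sources(events).items():
        print(f"possible brute force: {user}@{host} ({count} failures in 60s)")
    for schema, table in find_ransom_note_tables(SAMPLE_TABLE_ROWS):
        print(f"ransom-note table present: {schema}.{table}")
```

In practice the log text would be read from the server’s error log and the table rows from a live `information_schema` query; the threshold and window are tunable, and a single host hammering `root` well past the threshold within a second or two is the pattern worth alerting on.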
The “please_read” ransom note claims the database has been backed up to the attacker’s servers. Victims are instructed to pay the 0.2 BTC ransom and to contact email@example.com with an email listing either the affected IP or the database name.
The “warning” note demands the 0.2 BTC payment and then directs victims to a darknet site reachable via the Tor browser. The site asks for the IP of the ransomed server to be entered before clicking to “check payment and get a link to the database dump.”
“Before paying the ransom,” GuardiCore wrote, “we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored, we couldn’t find evidence of any dump operation or data exfiltration.”
GuardiCore recommended hardening MySQL servers to prevent the attack, in particular ensuring that servers require authentication and use strong passwords. There is a plethora of articles online on how to secure MySQL databases from attackers, as well as articles describing security best practices. There are also monitoring services, such as those available via GuardiCore.
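The hardening advice above comes down to a few checks an administrator can script. The example below is added here and is not from GuardiCore or the article: it audits constructed `mysql.user` rows (column names as in MySQL 5.7: `user`, `host`, `plugin`, `authentication_string`) for anonymous accounts, `root` reachable from non-local hosts, and accounts with no password hash, and it compares a weak `my.cnf` fragment that listens on every interface with a hardened one bound to loopback. The account rows and password hashes are placeholders, not real credentials.

```python
from configparser import ConfigParser

# Constructed rows, as if from
#   SELECT user, host, plugin, authentication_string FROM mysql.user;
# The hashes are placeholders, not real credential material.
SAMPLE_USER_ROWS = [
    # (user, host, plugin, authentication_string)
    ("root", "localhost", "mysql_native_password", "*PLACEHOLDER_HASH_1"),
    ("root", "%",         "mysql_native_password", "*PLACEHOLDER_HASH_1"),
    ("",     "localhost", "mysql_native_password", ""),
    ("app",  "10.0.0.%",  "mysql_native_password", ""),
    ("app",  "10.0.0.5",  "mysql_native_password", "*PLACEHOLDER_HASH_2"),
]

# Constructed my.cnf fragments: the weak one exposes the listener to the
# Internet (where the brute forcing in the report came from); the hardened
# one keeps it on loopback. Both assume a plain [mysqld] section with no
# !include directives.
WEAK_MYCNF = """\
[mysqld]
bind-address = 0.0.0.0
"""

HARDENED_MYCNF = """\
[mysqld]
bind-address = 127.0.0.1
"""

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")
ALL_INTERFACES = ("*", "0.0.0.0", "::")
# Plugins whose empty authentication_string means "no password at all".
PASSWORD_PLUGINS = ("mysql_native_password", "caching_sha2_password", "sha256_password")


def audit_accounts(rows):
    """Return human-readable findings for risky mysql.user entries."""
    findings = []
    for user, host, plugin, auth in rows:
        if user == "":
            findings.append(f"anonymous account ''@'{host}'")
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(f"root reachable from '{host}'")
        if plugin in PASSWORD_PLUGINS and auth == "":
            findings.append(f"'{user}'@'{host}' has no password set")
    return findings


def audit_bind_address(mycnf_text):
    """Return findings about the [mysqld] listener address."""
    cfg = ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cfg.read_string(mycnf_text)
    if not cfg.has_section("mysqld"):
        return ["no [mysqld] section found"]
    sect = cfg["mysqld"]
    if "skip-networking" in sect or "skip_networking" in sect:
        return []  # TCP disabled entirely; nothing to reach over the network
    # MySQL listens on all interfaces when bind-address is unset.
    addr = sect.get("bind-address") or sect.get("bind_address") or "*"
    if addr.strip() in ALL_INTERFACES:
        return [f"server listens on all interfaces (bind-address = {addr.strip()})"]
    return []


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_USER_ROWS):
        print("account:", finding)
    for finding in audit_bind_address(WEAK_MYCNF):
        print("config:", finding)
```

Feeding the script a real `mysql.user` export and the server’s `my.cnf` gives a quick list of what to fix before an attacker gets there: drop anonymous users, restrict `root` to local hosts, set passwords on every remaining account, and bind the listener to loopback (or a private interface) unless remote access is genuinely required.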