Hundreds of MySQL databases were hit in ransomware attacks that were described as "an evolution of the MongoDB ransomware attacks"; in January, tens of thousands of MongoDB installations were erased and replaced with ransom demands. In the new attacks, targeted MySQL databases are erased and replaced with a ransom demand for 0.2 bitcoin, currently worth about $234.
The attacks, which began on February 12 and lasted thirty hours, were all traced back to one IP address, 188.8.131.52; it belongs to WorldStream, a web hosting company based in the Netherlands. The hosting company was notified of the attacks; the attacker is suspected to have been "running from a compromised mail server that also is an HTTP(s) and FTP server."
The attack reportedly starts by brute-forcing the root password for the MySQL database. Once logged in, the attacker enumerates the MySQL databases and their tables.
There are two variants of the attack. In one, a new table called "WARNING" is added to an existing database; it includes an email address, a 0.2 bitcoin ransom demand and a bitcoin address. In the other, a table called "PLEASE_READ" is added to a newly created database. The attacker then deletes the databases stored on the server and disconnects, often without even dumping them first.
The ransom note labelled "please_read" claims the database has been backed up to the attacker's servers. Victims are told to pay the 0.2 BTC ransom and to contact the email address firstname.lastname@example.org with an email listing either their affected database(s) or IP.
The other note, "warning", demands that the 0.2 BTC payment be made and that victims then visit a darknet site via the Tor browser. The site asks for the IP of the ransomed server to be entered before clicking to "check payment and get a link to the database dump."
Two different bitcoin wallets were used, one for each version of the ransom message; at least some of the victims paid.
"Before paying the ransom," GuardiCore wrote, "we strongly encourage you to verify that the hacker actually holds your data and that it can be restored. In the attacks we monitored, we couldn't find evidence of any dump operation or data exfiltration."
Hardening MySQL servers is recommended to stop the attack: ensure the servers require authentication and use strong passwords. There are plenty of articles online on how to secure MySQL databases from attackers, as well as ones describing security best practices.
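Since the intrusion begins with brute-forcing the root password, one practical check is to watch the MySQL error log for bursts of rejected root logins from a single source. The script below is an added example, not code from the article or from GuardiCore; it assumes MySQL 5.7-style "Access denied for user" log lines (as emitted with a verbose error log), and the sample log lines and the 203.0.113.7 / 10.0.0.5 addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed MySQL 5.7-style error-log line for a rejected login, e.g.
# 2017-02-12T10:00:00.000000Z 12 [Note] Access denied for user 'root'@'1.2.3.4' (using password: YES)
DENIED_RE = re.compile(
    r"^(?P<ts>\S+) \d+ \[Note\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?:YES|NO)\)"
)

def parse_denied(lines):
    """Yield (timestamp, user, host) for every access-denied event in the log."""
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield ts, m["user"], m["host"]

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {host: total_failures} for every host that produced at least
    `threshold` failed root logins inside any sliding window of `window` length."""
    by_host = defaultdict(list)
    for ts, user, host in parse_denied(lines):
        if user == "root":          # the campaign targeted the root account
            by_host[host].append(ts)
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(stamps)
                break
    return flagged

# Constructed sample log: a 40-second burst from one source plus a single
# mistyped password from an internal admin host that should not be flagged.
SAMPLE_LOG = [
    f"2017-02-12T10:00:{i:02d}.000000Z {100 + i} [Note] Access denied for user "
    f"'root'@'203.0.113.7' (using password: YES)"
    for i in range(0, 40, 5)
] + [
    "2017-02-12T10:03:00.000000Z 200 [Note] Access denied for user "
    "'root'@'10.0.0.5' (using password: YES)"
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # {'203.0.113.7': 8}
```

In production the same function can be pointed at the live error log (or a `tail -F` of it) and its output fed to a firewall block or an alert, while the hardening steps above (authentication required, strong root password, no exposure of port 3306 to the internet) remain the primary control.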