Ad End 1 February 2024
Ad Ends 13 January 2025
Ad End 26 February 2025
ad End 25 April 2025
Ad Ends 20 January 2025
Ad expire at 5 August 2024
banner Expire 25 April 2025
What's new
banner Expire 15 January 2025
banner Expire 20 October 2024
UniCvv
casino
swipe store
adv exp at 23 August 2024
Carding.pw carding forum
BidenCash Shop
Kfc CLub

Ransomware Campaign Targets MySQL Servers

File_closed07

TRUSTED VERIFIED SELLER
Staff member
Joined
Jun 13, 2020
Messages
7,544
Reaction score
916
Points
212
Awards
2
  • trusted user
  • Rich User
Internet-connected MySQL databases around the world are being targeted by a double extortion ransomware campaign that researchers have dubbed PLEASE_READ_ME.

The campaign, which dates back to at least January 2020, was detected by researchers at Guardicore Labs. So far, it has breached more than 83,000 of the more than five million internet-facing MySQL databases in existence worldwide.

Simple but effective in its approach, the campaign uses file-less ransomware to exploit weak credentials in MySQL servers. After gaining entry, the attackers lock the databases and steal data.

The attack is a double extortion because its authors use two different tactics to turn a profit. First, they try to blackmail the database owners into handing over money to retrieve access to their data. Second, they sell the stolen data online to the highest bidder.

Researchers noted that the attackers have been able to offer over 250,000 databases for sale on a dark web auction site so far.

The attackers leave a backdoor user on the database for persistence, allowing them to re-access the network whenever the mood strikes them.

Researchers were able to trace the origins of the attacks to 11 different IP addresses, the majority of which are based in Ireland and the UK.

Since spotting the first attack on January 24, the Guardicore Global Sensors Network (GGSN) has reported a total of 92 attacks. Since October, the rate at which attacks are being launched has risen steeply.

Two variants have been used over the campaign's lifetime, showing an evolution in the attackers' tactics. The first was used from January to the end of November for 63 attacks, and the second phase kicked off on October 3, halting at November's end.

In phase one, the attackers left a ransom note with their wallet address, the amount of Bitcoin to pay, and an email address for technical support. Victims were given 10 days to pay up.

"We found that a total of 1.2867640900000001 BTC had been transferred to these wallets, equivalent to 24,906 USD," noted researchers.

In the second phase, the attackers ditched the Bitcoin wallet in favor of a website in the TOR network where payment could be made.
 
Ad End 1 February 2024
Top