New Ransom Attacks are Targeting MySQL Databases

GuardiCore alarms that thousands of MySQL databases are targeted by ransom attacks, which are probably inspired by the MongoDB ransack campaign detected a few months ago.

For these attacks, cybercriminals target poorly protected MySQL servers, steal their tables and databases and replace them with new tables that provide instructions for the owners to pay a ransom of 0.2 Bitcoin ($200). The attackers claim that if the victims pay up, they will have access to their data. However, there are no guarantees as some of the databases have been deleted in the process.

In January this year, there was a similar attacking campaign. The co-founder of GDI Foundation, Victor Gevers, revealed that many MongoDB databases were being targeted and hijacked and the victims were asked to pay 0.2 Bitcoins ransom.

Shortly after, other crooks started attacking poorly secured databases which resulted in around 35,000 hijacked MongoDB instances. As a result of all these instances being publicly exposed, Elasticsearch clusters became targets too as well as Hadoop and CouchDB databases only a few days later. The threat actors were noticed overwriting each other`s ransom note without bothering to copy the original data anymore but deleting in instead. So, even if victims pay the ransom they couldn’t retrieve their data.

And not it is MySQL`s turn. The cybercriminals are relying on online tools to find servers with weak passwords, they brute force them and replace the original content with their ransom note table. Again, in some servers, the crooks delete the databases without copying them first, leaving the victims with no chance of recovering them.

The security firm states that within a 30-hour window that starts at midnight on February 12th, they managed to observe hundreds of attacks. All of then lead back to the same IP address (109.236.88.20) and were all hosted by the Netherlands-based web hosting company – worldstream.nl. The company was informed of the problem a couple of days later.

Responding to an email inquiry, the research Leader at GuardiCore, Ofri Ziv, shared with SecurityWeek that the attacks weren’t focused on any specific location but were spread all around the globe. The exact number of hijacked databases is unknown but Ziv said that they “do know of thousands of MySQL servers facing the Internet with weak passwords that are prone to attacks.”

He also said that there is now way of telling if these are the same attackers that targeted MongoDB and they have now switched to MySQL servers. The attacks are very similar to the MongoDB ones starting with the fact that the crooks are using them same ransom notes – “WARNING” and “PLEAE_READ”. However, Ziv said: “But even if it’s not the case, they were definitely inspired by them.”

Moreover, the Bitcoin addresses that the ransom notes provided are showing sign of activity but GuardiCore says that this may simply be the threat actors themselves trying to encourage victims to pay.

“Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks, we monitored we couldn’t find evidence of any dump operation or data exfiltration.”
– states GuardiCore in a blog post.

The security company also notes that every MySQL server that is facing the Internet is a potential target and advises admins to use stronger passwords and mandatory authorization in order to properly secure their instances.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.