Ransomware campaign breached 83k MySQL servers so far this year

A ransomware campaign dubbed PLEASE_READ_ME, which exploits weak or default passwords on MySQL database servers, has enabled hackers to steal over 250,000 databases from 83,000 compromised MySQL servers and hold them as bargaining chips to extort ransom from victims.

The massive campaign does not involve ransomware as such. Instead, the hackers run brute-force password attacks against the MySQL service, aiming to gain access to as many servers with easily guessable or weak passwords as possible.

According to Israeli cyber security firm Guardicore, since January this year the cyber criminals behind the PLEASE_READ_ME campaign have stolen over 250,000 different databases from around 83,000 breached MySQL servers. All the stolen databases are listed on a website accessible over TOR, where victim companies can interact with the hackers.

After breaching a MySQL server and stealing the databases it hosts, the hackers leave a ransom note asking the victim organisation to visit the website, identify itself using the unique token provided in the note, and pay 0.03 BTC (£407.78) to regain access to its databases.

Considering that over 5 million MySQL servers are internet-facing at present, hackers can breach a large number of servers via brute-force attacks and then monetise their successes, either by selling the stolen databases on the Dark Web or by extracting ransom from the victim companies.
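The brute-force phase described above leaves a trail in the MySQL error log as repeated "Access denied" entries from one source host. The following detection script is an added example, not code from the article or from Guardicore; it assumes the server's log_error_verbosity is high enough that failed logins are written, and its sample log lines, hosts, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches failed-login lines in both MySQL 5.7-style and 8.0-style error logs.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s+\d+\s+\[(?:Note|Warning)\]"
    r".*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample excerpt: 203.0.113.7 hammers several accounts, 10.0.0.5 is one app mistyping.
SAMPLE_LOG = """\
2020-12-10T10:15:01.000000Z 40 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T10:15:02.000000Z 41 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)
2020-12-10T10:15:02.500000Z 42 [Warning] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
2020-12-10T10:15:03.000000Z 43 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
2020-12-10T10:15:04.000000Z 44 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: NO)
2020-12-10T10:15:05.000000Z 45 [Warning] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)
2020-12-10T10:15:06.000000Z 46 [Note] Access denied for user 'app'@'10.0.0.5' (using password: YES)
"""


def parse_failures(log_text):
    """Map source host -> sorted list of (timestamp, username) for denied logins."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
            failures[m.group("host")].append((ts, m.group("user")))
    for events in failures.values():
        events.sort()
    return dict(failures)


def brute_force_hosts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: usernames tried} for hosts with >= threshold failures in any window."""
    suspects = {}
    for host, events in parse_failures(log_text).items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects[host] = sorted({user for _, user in events})
                break
    return suspects
```

On a real server, feed the output of `tail -F` on the error log to `brute_force_hosts` and forward flagged hosts to a firewall or fail2ban-style block; the list of usernames tried shows whether the source is cycling through default accounts.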

"Attack campaigns of this sort are untargeted. They have no interest in the victim’s identity or size, and result in a much larger scale than that available for targeted attacks. Think of it as “Factory Ransomware” – the attackers run the attack, making less money per victim but factoring the number of infected machines," Guardicore said.

The firm added that between January and the end of November, hackers behind the campaign left a ransom note with their wallet address, the amount of Bitcoin to pay, and an email address for technical support. However, they changed their tactics in October and started asking victims to visit their website on TOR and pay a ransom to recover their databases.

“While database ransomware attacks are not new, it’s a growing attack vector and one an organization needs to prioritise. Often, we think of email compromise when it comes to ransomware, but the volume of stolen databases compromised by PLEASE_READ_ME ransomware signals an expansive opportunity for attackers,” says Chris Waynforth, Area Vice President, Northern Europe at Imperva.

“Organisations need to invest in a data security strategy where the focus is on securing the data itself – not just the endpoints connected to the database. Security teams need the visibility, analytics and automation needed to perform proactive responses to compliance and security objectives.

“While many organisations worry that taking time to secure data might slow down their innovation projects, that mindset is indefensible. The number of breaches is escalating, and the answer isn’t to throw more point solutions at the issue. It’s about investing in securing the data and making data security a centerpiece of the enterprise security strategy,” he adds.


Copyright Lyonsdown Limited 2020