Ransomware actors behind the attack have breached at least 85,000 MySQL servers, and are currently offering at least 250,000 compromised databases for sale.
Researchers are warning of an active ransomware campaign that is targeting MySQL database servers. The ransomware, called PLEASE_READ_ME, has so far breached at least 85,000 servers worldwide – and has posted at least 250,000 stolen databases on a website for sale.
MySQL is an open-source relational database management system. The attack exploits weak credentials on internet-facing MySQL servers, of which there are close to 5 million worldwide. Since first observing the ransomware campaign in January, researchers said that attackers have switched up their techniques to put more pressure on victims and to automate the payment process for the ransom.
“The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, collecting data on existing tables and users,” said Ophir Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday post. “By the end of execution, the victim’s data is gone – it is archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.”
From there, the attacker leaves a ransom note in a table, named “WARNING,” which demands a ransom payment of up to 0.08 BTC. The ransom note tells victims (verbatim), “Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your databases to the highest bidder or use them otherwise.”
Researchers believe that the attackers behind this campaign have made at least $25,000 in the first 10 months of the year.
Researchers said that PLEASE_READ_ME (so-called because it’s the name of the database that the attackers create on a compromised server) is an example of an untargeted, transient ransomware attack that does not spend time in the network beyond what is needed for the actual attack – meaning there is typically no lateral movement involved.
The attack may be simple, but it is also dangerous, researchers warned, because it’s almost fileless. “There are no binary payloads involved in the attack chain, making the attack ‘malwareless,’” they said. “Only a simple script which breaks in the database, steals information and leaves a message.”
That said, a backdoor user 'mysqlbackups'@'%' is added to the database for persistence, providing the attackers with future access to the compromised server, researchers said.
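As an added example (not from the article or from Guardicore's research), the following Python script checks the indicators the article names (a burst of failed logins, the PLEASE_READ_ME database, its WARNING table and the 'mysqlbackups'@'%' account) against MySQL general-log lines; the log lines are constructed, and the failure threshold and regex details are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed MySQL general-log lines (time, thread id, command, argument);
# not a capture from a real incident.
SAMPLE_LOG = """\
2020-12-10T10:00:01Z\t12 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:02Z\t13 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:03Z\t14 Connect\tAccess denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:04Z\t15 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:05Z\t16 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:06Z\t17 Connect\troot@203.0.113.5 on  using TCP/IP
2020-12-10T10:00:07Z\t17 Query\tSHOW DATABASES
2020-12-10T10:00:08Z\t17 Query\tSELECT user, host FROM mysql.user
2020-12-10T10:00:09Z\t17 Query\tCREATE DATABASE PLEASE_READ_ME
2020-12-10T10:00:10Z\t17 Query\tCREATE TABLE PLEASE_READ_ME.WARNING (id INT, warning TEXT)
2020-12-10T10:00:11Z\t17 Query\tCREATE USER 'mysqlbackups'@'%' IDENTIFIED BY '<redacted>'
2020-12-10T10:00:12Z\t17 Query\tDROP TABLE shop.customers
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '[^']*'@'(?P<src>[^']+)'")
# Indicators named in the article: ransom database, WARNING table, persistence account,
# plus table drops, which the write-up describes as the final step.
IOC_RES = {
    "ransom_database": re.compile(r"CREATE\s+DATABASE\s+`?PLEASE_READ_ME`?", re.I),
    "ransom_table": re.compile(r"CREATE\s+TABLE\s+\S*`?WARNING`?\b", re.I),
    "backdoor_user": re.compile(r"CREATE\s+USER\s+'mysqlbackups'@'%'", re.I),
    "table_dropped": re.compile(r"^DROP\s+TABLE\b", re.I),
}
BRUTE_FORCE_THRESHOLD = 5  # assumed tuning value, not from the article


def analyse(log_text, threshold=BRUTE_FORCE_THRESHOLD):
    """Return {finding: [thread ids or sources]} for the indicators above."""
    denied = Counter()              # failed logins per source host
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        arg = m.group("arg")
        if m.group("cmd") == "Connect":
            d = DENIED_RE.search(arg)
            if d:
                denied[d.group("src")] += 1
            continue
        for name, rx in IOC_RES.items():
            if rx.search(arg):
                findings[name].append(m.group("tid"))
    for src, n in denied.items():
        if n >= threshold:
            findings["brute_force"].append(f"{src} ({n} failures)")
    return dict(findings)
```

The general log must be enabled for this to see anything; on a production server the audit plugin or binary log are the more usual sources, and the same patterns apply there.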
Researchers first observed PLEASE_READ_ME attacks in January, in what they called the “first phase” of the attack. In this first phase, victims were required to transfer BTC directly to the attacker’s wallet.
The second phase of the ransomware campaign started in October, which researchers said marked an evolution in the campaign’s tactics, techniques and procedures (TTPs). In the second phase, the attack evolved into a double-extortion attempt, researchers say – meaning attackers are publishing data while pressuring victims to pay the ransom. Here, attackers set up a website in the TOR network where payments can be made. Victims paying the ransom can be identified using tokens (as opposed to their IP/domain), researchers said.
“The website is a great example of a double-extortion mechanism – it contains all leaked databases for which ransom was not paid,” said researchers. “The website lists 250,000 different databases from 83,000 MySQL servers, with 7 TB of stolen data. Up until now, [we] captured 29 incidents of this variant, originating from seven different IP addresses.”
Ransomware attacks have continued to hammer hospitals, schools and other organizations in 2020. The ransomware tactic of “double extortion” first emerged in late 2019 by Maze operators – but has been rapidly adopted over the past several months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.
Looking ahead, researchers warn that the PLEASE_READ_ME operators are trying to up their game by using double extortion at scale: “Factoring their operation will render the campaign more scalable and profitable,” they said.