The Cyber Security News

PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers

The ransomware actors behind the attack have breached at least 85,000 MySQL servers and are currently offering at least 250,000 compromised databases for sale.

Researchers are warning of an active ransomware campaign targeting MySQL database servers. The ransomware, named PLEASE_READ_ME, has so far breached at least 85,000 servers worldwide and has posted at least 250,000 stolen databases for sale on a website.

MySQL is an open-source relational database management system. The attack exploits weak credentials on internet-facing MySQL servers, of which there are close to 5 million worldwide. Since first observing the campaign in January, researchers said, the attackers have changed their tactics to put more pressure on victims and to automate the ransom payment process.

“The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users,” said Ophir Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday post. “By the end of execution, the victim’s data is gone – it is archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.”

From there, the attacker leaves a ransom note in a table named “WARNING,” which demands a ransom payment of up to 0.08 BTC. The ransom note tells victims (verbatim), “Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your databases to the highest bidder or use them otherwise.”

Researchers believe that the attackers behind this campaign have made at least $25,000 in the first 10 months of the year.

Researchers said that PLEASE_READ_ME (so called because it is the name of the database the attackers create on a compromised server) is an example of an untargeted, transient ransomware attack that spends no time in the network beyond what the attack itself requires; there is typically no lateral movement involved.

The attack may be simple, but it is also dangerous, researchers warned, because it is almost fileless. “There are no binary payloads involved in the attack chain, making the attack ‘malwareless,’” they said. “Only a simple script which breaks in the database, steals information and leaves a message.”

That said, a backdoor user, 'mysqlbackups'@'%', is added to the database for persistence, giving the attackers future access to the compromised server, researchers said. The '%' host part of the account means it can log in from any address, not just the one used in the original break-in.
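The chain described above leaves a recognisable trail in MySQL's general query log: a burst of failed logins from one host, a session from that host enumerating users and tables, the creation of the PLEASE_READ_ME database and its WARNING table, the 'mysqlbackups'@'%' account, and a DROP once the data has been pulled. The following Python script is an added example of detection logic over such lines; it is not code from Guardicore Labs or Threatpost. The sample log lines are constructed to resemble the general log's tab-separated Time/Id/Command/Argument layout (log_output=FILE); that layout, the host addresses, the `shop` database and the `hunter2` password are assumptions for illustration only.

```python
"""Detect the PLEASE_READ_ME attack chain in MySQL general-query-log lines.

Added example, not Guardicore's or Threatpost's code. The indicators are the
ones the article names; the log layout (Time, Id, Command, Argument, tab
separated, as written with log_output=FILE) is an assumption. Adjust LINE_RE
if your server writes a different layout.
"""
import re
from collections import defaultdict

# Constructed sample log (not real data): four failed logins from 203.0.113.5,
# a successful session from the same host that walks the whole chain, then a
# benign application session. A real general log also writes a plain
# "Connect user@host" line before each "Access denied" line; omitted for brevity.
SAMPLE_LOG = "\n".join([
    "2020-12-10T09:00:01.000000Z\t    7 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T09:00:01.200000Z\t    8 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T09:00:01.400000Z\t    9 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T09:00:01.600000Z\t   10 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T09:00:02.000000Z\t   11 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-10T09:00:02.100000Z\t   11 Query\tSHOW DATABASES",
    "2020-12-10T09:00:02.200000Z\t   11 Query\tSELECT user, host FROM mysql.user",
    "2020-12-10T09:00:02.300000Z\t   11 Query\tSELECT table_schema, table_name FROM information_schema.tables",
    "2020-12-10T09:00:03.000000Z\t   11 Query\tSELECT * FROM shop.customers",
    "2020-12-10T09:00:04.000000Z\t   11 Query\tCREATE DATABASE PLEASE_READ_ME",
    "2020-12-10T09:00:04.100000Z\t   11 Query\tCREATE TABLE PLEASE_READ_ME.WARNING (id INT, warning TEXT)",
    "2020-12-10T09:00:04.200000Z\t   11 Query\tCREATE USER 'mysqlbackups'@'%' IDENTIFIED BY 'hunter2'",
    "2020-12-10T09:00:04.300000Z\t   11 Query\tGRANT ALL PRIVILEGES ON *.* TO 'mysqlbackups'@'%'",
    "2020-12-10T09:00:05.000000Z\t   11 Query\tDROP DATABASE shop",
    "2020-12-10T09:00:06.000000Z\t   11 Quit\t",
    "2020-12-10T09:10:00.000000Z\t   12 Connect\tapp@10.0.0.8 on shop using TCP/IP",
    "2020-12-10T09:10:00.100000Z\t   12 Query\tSELECT id FROM orders WHERE id = 1",
])

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)[ \t]*(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on\b")

# Campaign-specific artefacts are "hard" indicators and flag a session on their
# own; the generic ones only count after a brute-force burst from the same host.
HARD = {"please_read_me_db", "warning_table", "backdoor_user"}
INDICATORS = [
    ("enumerate_users", re.compile(r"\bmysql\.user\b", re.I)),
    ("enumerate_tables", re.compile(r"\binformation_schema\.tables\b|^SHOW\s+(?:DATABASES|TABLES)\b", re.I)),
    ("please_read_me_db", re.compile(r"\bPLEASE_READ_ME\b", re.I)),
    ("warning_table", re.compile(r"^CREATE\s+TABLE\s+\S*\bWARNING\b", re.I)),
    ("backdoor_user", re.compile(r"'mysqlbackups'@'%'", re.I)),
    ("destructive_drop", re.compile(r"^DROP\s+(?:DATABASE|SCHEMA|TABLE)\b", re.I)),
]


def parse_general_log(text):
    """Yield (timestamp, thread_id, command, argument) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), int(m.group("tid")), m.group("cmd"), m.group("arg").strip()


def analyze(text, bruteforce_threshold=3):
    """Return (findings, failed_logins_by_host).

    Failed logins are counted per source host from "Access denied" Connect
    lines. Query indicators are attributed to the session (thread id) that ran
    them. A session is flagged "high" on any hard indicator, or "medium" when a
    generic indicator follows at least bruteforce_threshold failures from its host.
    """
    failed = defaultdict(int)   # host -> failed login count
    sessions = {}               # thread id -> session state
    for ts, tid, cmd, arg in parse_general_log(text):
        if cmd == "Connect":
            denied = DENIED_RE.search(arg)
            if denied:
                failed[denied.group(2)] += 1
                continue
            conn = CONNECT_RE.match(arg)
            if conn:
                sessions[tid] = {"tid": tid, "first_seen": ts, "user": conn.group("user"),
                                 "host": conn.group("host"), "indicators": []}
        elif cmd == "Query" and tid in sessions:
            hits = sessions[tid]["indicators"]
            for name, rx in INDICATORS:
                if name not in hits and rx.search(arg):
                    hits.append(name)

    findings = []
    for s in sessions.values():
        s["brute_forced"] = failed.get(s["host"], 0) >= bruteforce_threshold
        hits = set(s["indicators"])
        if hits & HARD or (s["brute_forced"] and hits):
            s["severity"] = "high" if hits & HARD else "medium"
            findings.append(s)
    return findings, dict(failed)


if __name__ == "__main__":
    found, attempts = analyze(SAMPLE_LOG)
    for s in found:
        print(f"[{s['severity']}] thread {s['tid']} {s['user']}@{s['host']} "
              f"brute_forced={s['brute_forced']} indicators={s['indicators']}")
```

The general log is off by default and costly on a busy server, so in practice the same indicators are usually hunted in an audit-plugin log or directly on the live server: the 'mysqlbackups'@'%' account shows up in mysql.user, and the PLEASE_READ_ME schema in information_schema.schemata. The brute-force counter is the cheap early signal; exposing a MySQL service to the internet with password-only authentication is what makes the rest of the chain possible.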

Attack Evolution

Researchers first observed PLEASE_READ_ME attacks in January, in what they called the “first phase” of the attack. In this first phase, victims were instructed to transfer BTC directly to the attacker’s wallet.

[Figure: The attack timeline. Credit: Guardicore Labs]

The second phase of the campaign began in October, which researchers said marked an evolution in the campaign’s tactics, techniques and procedures (TTPs). In the second phase, the attack became a double-extortion effort, researchers say, meaning the attackers publish data while pressuring victims to pay the ransom. Here, the attackers set up a website on the TOR network where payments can be made. Victims paying the ransom are identified using tokens (rather than their IP/domain), researchers said.

“The website is a good example of a double-extortion mechanism – it contains all leaked databases for which ransom was not paid,” said researchers. “The website lists 250,000 different databases from 83,000 MySQL servers, with 7 TB of stolen data. Up until now, [we] captured 29 incidents of this variant, originating from seven different IP addresses.”

Ransomware attacks have continued to hammer hospitals, schools and other organizations in 2020. The “double extortion” tactic first emerged in late 2019 with the Maze operators, but has been rapidly adopted over the past several months by the various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.

Looking forward, researchers warn that the PLEASE_READ_ME operators are trying to up their game by applying double extortion at scale: “Factoring their operation will render the campaign more scalable and profitable,” they said.

Parts of this article are sourced from:
threatpost.com
