Earlier in January, we heard about MongoDB ransomware that erased data from thousands, not just hundreds, of computers and forced the victims to pay ransom money. The same MongoDB ransomware is now back in the news, but this time it is even more powerful and the campaign is also quite sophisticated in design. In the recent attack spree, hundreds of MySQL databases have been targeted and the attackers are demanding 0.2 bitcoin (approx. $234) from each victim.

GuardiCore also noted that the attack started with cyber-criminals brute-forcing the root password of the MySQL database; after logging in, they extracted the tables from the database. Two different versions of these attacks have been identified. In the first version, the attackers add a new table named WARNING to the already existing database.

This new table contains information about the demanded ransom, the email address of the attackers and the Bitcoin payment address. In the second version, a new table named PLEASE_READ is added to a newly created database; afterward, the attacker deletes the pre-existing databases on the server and simply disconnects. PLEASE_READ also contains a ransom note, while the database is sent to the attacker’s servers. In both versions, victims are asked to pay 0.2 BTC as ransom and are required to communicate with the attackers at the same address, backupservice@mail2tor.com.

According to GuardiCore’s findings, the attacks began on 12th February and continued against MySQL servers for 30 hours; one IP address, 109.236.88.20, was identified as being involved.

Bitcoin wallet mentioned in ransom note / Source: GuardiCore

The analysis further suggests that this IP address belongs to WorldStream, a web server hosting service provider from the Netherlands. GuardiCore notified WorldStream about the attacks, as GuardiCore believed that the attackers had compromised a WorldStream mail server that serves as both an HTTP(S) and FTP server.

It is worth noting that two distinct bitcoin wallets are being used for each version of the attack, and some victims have already paid the ransom. In this regard, GuardiCore has some suggestions for the victims. The company states that, prior to paying the ransom, it is important to confirm whether the attacker has your data in a restorable form, because their analysis revealed that there was no evidence of data exfiltration at all.

Moreover, it is important to secure MySQL servers by raising their protection level so that such attacks do not occur in the future. This can be achieved by using stronger passwords and implementing authentication on the servers. GuardiCore itself also offers monitoring services for securing MySQL servers, which you can use to protect them.
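
As an added example (not code from GuardiCore or from the original article), the following Python sketch checks for the two signs described above: repeated failed root logins in a MySQL error log, and tables named WARNING or PLEASE_READ in a table inventory. The log lines, IP addresses, schema names and the threshold of 5 are constructed for illustration; the "Access denied" message is the one MySQL writes for rejected logins when connection errors are logged.

```python
import re
from collections import Counter

# Table names the article reports as carrying the ransom note.
RANSOM_TABLES = {"WARNING", "PLEASE_READ"}

# MySQL error-log message for a rejected login attempt.
DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def brute_force_sources(log_lines, user="root", threshold=5):
    """Return {host: failures} for hosts with >= threshold denied logins as `user`."""
    counts = Counter()
    for line in log_lines:
        m = DENIED.search(line)
        if m and m.group("user") == user:
            counts[m.group("host")] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

def ransom_note_tables(inventory):
    """Flag (schema, table) rows whose table name matches a reported note table.

    `inventory` is the result of:
      SELECT table_schema, table_name FROM information_schema.tables
    A hit needs manual review: a legitimate table could share the name.
    """
    return sorted((s, t) for s, t in inventory if t.upper() in RANSOM_TABLES)

# Constructed sample data (documentation-range IPs, hypothetical schemas).
SAMPLE_LOG = [
    f"2017-02-12T00:15:{s:02d}.000000Z {40 + s} [Note] Access denied for user "
    "'root'@'203.0.113.50' (using password: YES)"
    for s in range(6)
] + [
    "2017-02-12T00:16:02.000000Z 51 [Note] Access denied for user "
    "'root'@'198.51.100.9' (using password: YES)",
    "2017-02-12T00:16:05.000000Z 52 [Note] Access denied for user "
    "'app'@'203.0.113.50' (using password: YES)",
]
SAMPLE_INVENTORY = [
    ("shop", "orders"),
    ("shop", "WARNING"),
    ("db_created_by_attacker", "PLEASE_READ"),
    ("mysql", "user"),
]

if __name__ == "__main__":
    print("Possible brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("Ransom-note tables:", ransom_note_tables(SAMPLE_INVENTORY))
```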



Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'