Back in January, we heard about the MongoDB ransomware that erased the data from thousands of computers and forced the victims to pay a ransom. The very same MongoDB ransomware is back in the news, now even more powerful, and this campaign is very sophisticated in its design. In a recent attack spree, hundreds of MySQL databases were targeted, and the attackers are demanding 0.2 bitcoin (nearly $234) from each victim.
GuardiCore reports that the attack starts with cyber-criminals brute-forcing the root password of the MySQL database; after logging in, they extract the tables from the database. In fact, there are two different versions of these attacks. In the first version, the attackers add a new table named WARNING to an already existing database.
The new table holds all the information about the demanded ransom, the hackers' email address and the Bitcoin payment address. The second version is different: a new table named PLEASE_READ is added to a newly created database, and the hacker then deletes the pre-existing databases on the server and simply disconnects. This PLEASE_READ table contains a ransom note, and the database is sent to the hacker's servers. In both versions, the victims are asked to pay a ransom of 0.2 BTC and are required to communicate with the attackers at the address [email protected].
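As an added defender-side example (not part of the original report or of GuardiCore's tooling), the following Python flags the two stages described above: repeated failed root logins from one host in the MySQL error log, and tables named WARNING or PLEASE_READ in a table inventory such as the rows of information_schema.tables. The log lines are constructed in MySQL 5.7 error-log format and the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample error-log lines (MySQL 5.7 format). Failed-login entries only
# appear when log_warnings / log_error_verbosity is raised. The source host is the
# address named in the article; the timestamps and connection ids are made up.
SAMPLE_LOG = """\
2017-02-13T10:15:22.000001Z 12 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-13T10:15:22.000150Z 13 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-13T10:15:22.000300Z 14 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
2017-02-13T10:15:23.000000Z 15 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
2017-02-13T10:15:24.000000Z 16 [Note] Access denied for user 'root'@'109.236.88.20' (using password: YES)
"""

DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")


def brute_force_sources(log_text, user="root", threshold=3):
    """Count failed logins per source host for `user` and return the hosts
    that reached `threshold` (the assumed brute-force indicator)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group("user") == user:
            counts[m.group("host")] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


# Table names the article reports the two campaign variants leaving behind.
RANSOM_TABLE_NAMES = {"WARNING", "PLEASE_READ"}

# Query a DBA can run to produce the (schema, table) pairs checked below.
INVENTORY_SQL = ("SELECT table_schema, table_name FROM information_schema.tables "
                 "WHERE UPPER(table_name) IN ('WARNING', 'PLEASE_READ')")


def ransom_note_tables(tables):
    """tables: iterable of (schema, table) pairs, e.g. rows of information_schema.tables.
    Returns the pairs whose table name matches a known ransom-note marker."""
    return [(schema, name) for schema, name in tables if name.upper() in RANSOM_TABLE_NAMES]


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))
    print(ransom_note_tables([("shop", "orders"), ("shop", "WARNING"), ("tmp", "PLEASE_READ")]))
```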
Yesterday we started detecting new #Ransomware hitting #MySQL @guardicore's Global Sensor Network. Will follow up with more data soon. pic.twitter.com/5Vyvs6Q5gU
— @PashaGur, February 13, 2017
According to GuardiCore's findings, all these attacks began on 12 February and continued against MySQL servers for almost 30 hours, with a single IP address, 109.236.88.20, identified as involved.
Further analysis suggested that this IP address belongs to WorldStream, a web hosting service provider from the Netherlands. GuardiCore notified the company about the attacks, as it believed the attackers had compromised one of WorldStream's mail servers, which also serves as both an HTTP(S) and an FTP server.