Researchers are warning on an active ransomware campaign that’s targeting MySQL database servers. The ransomware, called PLEASE_READ_ME, has thus far breached at least 85,000 servers worldwide – and has posted at least 250,000 stolen databases on a website for sale.
MySQL is an open-source relational database management system. The attack exploits weak credentials on internet-facing MySQL servers, of which there are close to 5 million worldwide. Since first observing the ransomware campaign in January, researchers said that attackers have switched up their techniques to put more pressure on victims and to automate the payment process for the ransom.
“The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users,” said Ophir Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday post. “By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.”
From there, the attacker leaves a ransom note in a table, named “WARNING,” which demands a ransom payment of up to 0.08 BTC. The ransom note tells victims (verbatim), “Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise.”
Researchers believe that the attackers behind this campaign have made at least $25,000 in the first 10 months of the year.
Researchers said that PLEASE_READ_ME (so-called because it’s the name of the database that the attackers create on a compromised server) is an example of an untargeted, transient ransomware attack that does not spend time in the network besides targeting what’s required for the actual attack – meaning there’s typically no lateral movement involved.
The attack may be simple, but it’s also dangerous, researchers warned, because it’s almost fileless. “There are no binary payloads involved in the attack chain, making the attack ‘malwareless,'” they said. “Only a simple script which breaks in the database, steals information and leaves a message.”
That said, a backdoor user mysqlbackups’@’%’ is added to the database for persistence, providing the attackers with future access to the compromised server, researchers said.
Attack Evolution
Researchers first observed PLEASE_READ_ME attacks in January, in what they called the “first phase” of the attack. In this first phase, victims were required to transfer BTC directly to the attacker’s wallet.
The second phase of the ransomware campaign started in October, which researchers said marked an evolution in the campaign’s techniques, tactics and procedures (TTPs). In the second phase, the attack evolved into a double-extortion attempt, researchers say – meaning attackers are publishing data while pressuring victims to pay the ransom. Here, attackers put up a website in the TOR network where payments can be made. Victims paying the ransom can be identified using tokens (as opposed to their IP/domain), researchers said.
“The website is a good example of a double-extortion mechanism – it contains all leaked databases for which ransom was not paid,” said researchers. “The website lists 250,000 different databases from 83,000 MySQL servers, with 7 TB of stolen data. Up till now, [we] captured 29 incidents of this variant, originating from seven different IP addresses.”
Ransomware attacks have continued to hammer hospitals, schools and other organizations in 2020. The ransomware tactic of “double extortion” first emerged in late 2019 by Maze operators – but has been rapidly adopted over the past few months by various cybercriminals behind the Clop, DoppelPaymer and Sodinokibi ransomware families.
Looking forward, researchers warn that the PLEASE_READ_ME operators are trying to up their game by using double extortion at scale: “Factoring their operation will render the campaign more scalable and profitable,” they said.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.