Digital attackers launched a brand new ransomware marketing campaign dubbed “PLEASE_READ_ME” in an effort to focus on MySQL servers.
Guardicore first noticed the assault again in January 2020. After that, it witnessed a complete of 92 assaults emanate from 11 IP addresses, with most based mostly in Eire and the UK on the time of study.
The safety agency discovered that every assault started the identical manner. As quoted in its analysis:
The assault begins with a password brute-force on the MySQL service. As soon as profitable, the attacker runs a sequence of queries within the database, gathering knowledge on current tables and customers. By the top of execution, the sufferer’s knowledge is gone – it’s archived in a zipped file which is shipped to the attackers’ servers after which deleted from the database. A ransom be aware is left in a desk named WARNING, demanding a ransom cost of as much as 0.08 BTC.
Over the course of its evaluation, Guardicore picked out two variants of the marketing campaign. The primary lasted from January to November 2020 and consisted of 63 assaults. Every of these cases concerned the supply of a ransom be aware together with a bitcoin pockets handle, an e mail handle for technical help and a 10-day window for the sufferer to pay.
These behind PLEASE_READ_ME had collected 24,906 USD on account of this variant on the time of Guardicore’s evaluation.
The second variant distributed with e mail communications and a bitcoin pockets handle. As a substitute, it directed recipients to go to a .ONION website. The location’s dashboard offered victims with the power to submit their an infection token with a view to pay their ransom. It additionally gave guests the power to purchase 250okay totally different databases from 83okay MySQL servers belonging to victims who didn’t pay.
A screenshot of the .ONION web site’s public sale web page. (Supply: Guardicore)
That variant, which began on October three and lasted via November, consisted of 29 assault cases involving seven IP addresses.
Information of this assault highlights the necessity for organizations to defend themselves in opposition to ransomware. They will accomplish that by following these steps with a view to stop a ransomware an infection from occurring within the first place.