Ransomware Attacks On Website Database Hit MySQL Servers
Cyber criminals are hijacking hundreds of MySQL databases with ransomware and demanding a payment of 0.2 BTC ($235).
According to GuardiCore's security research team, the attacks are carried out by brute-forcing Internet-exposed MySQL servers. Most of the attacks come from a server in the Netherlands.
The attacks started at 00:15 on February 12 and lasted about 30 hours, during which hundreds of attacks were recorded by GGSN. Security researchers were able to trace all of the attacks to 188.8.131.52, an IP address hosted by worldstream.nl, a Netherlands-based web hosting company. The attacker is probably operating from a compromised mail server that also serves as an HTTP(S) and FTP server. Worldstream was notified a few days after we reported the attack.
The attack starts by brute-forcing the 'root' password. Once logged in, the attacker fetches a list of the existing MySQL databases and their tables and creates a new table called 'WARNING' that contains a contact email address, a Bitcoin address and a payment demand.
The ransom note is written into the database with statements such as the following (two variants were observed):

```sql
INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email)
VALUES('1', 'Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!', '1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY', '[email protected]');

INSERT INTO `WARNING`(id, warning)
VALUES(1, 'SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE! SQL DUMP WILL BE AVAILABLE AFTER PAYMENT! To access this site you have use the tor browser https://www.torproject.org/projects/torbrowser.html.en');
```
The attackers use two contact channels of their own: an email address at mail2tor.com and a Dark Net (.onion) website.
How to Protect?
- If your website runs on a MySQL server, make sure the server is protected and not needlessly exposed to the Internet; the attacks above target Internet-exposed servers.
- Use strong passwords, in particular for the 'root' account that the attackers brute-force.
- Keep backups daily, weekly or monthly.
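One way to spot this attack pattern in MySQL's general query log (repeated failed 'root' logins from one host, a successful login, then a PLEASE_READ database or WARNING table followed by a DROP), as an added example that is not part of the original report; the log lines are constructed and the failed-login threshold is an assumption:

```python
import re
from collections import Counter, defaultdict

# Constructed sample of MySQL general-log lines (made up for this example, not
# taken from the report); hosts, thread ids and database names are fictitious.
SAMPLE_LOG = (
    "2017-02-12T00:15:01.000000Z\t   11 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)\n"
    "2017-02-12T00:15:01.100000Z\t   12 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)\n"
    "2017-02-12T00:15:01.200000Z\t   13 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)\n"
    "2017-02-12T00:15:01.300000Z\t   14 Connect\troot@198.51.100.7 on  using TCP/IP\n"
    "2017-02-12T00:15:02.000000Z\t   14 Query\tSHOW DATABASES\n"
    "2017-02-12T00:15:02.500000Z\t   14 Query\tCREATE DATABASE PLEASE_READ\n"
    "2017-02-12T00:15:03.000000Z\t   14 Query\tINSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email) VALUES('1','Send 0.2 BTC ...','<btc-address>','<email>')\n"
    "2017-02-12T00:15:04.000000Z\t   14 Query\tDROP DATABASE shop\n"
    "2017-02-12T00:20:00.000000Z\t   15 Connect\tappuser@10.0.0.5 on shop using TCP/IP\n"
    "2017-02-12T00:20:01.000000Z\t   15 Query\tSELECT * FROM orders LIMIT 10\n"
)

DENIED_RE = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")
# Artefacts the ransom note leaves behind: a PLEASE_READ database or a WARNING table.
RANSOM_RE = re.compile(r"\bPLEASE_READ\b|`?WARNING`?\s*\(", re.IGNORECASE)
DROP_RE = re.compile(r"^\s*DROP\s+(DATABASE|TABLE)\b", re.IGNORECASE)


def analyze(log_text, brute_threshold=3):
    """Scan general-log text and return findings grouped by kind."""
    failed = Counter()                 # (user, host) -> failed logins seen so far
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue                   # continuation line of a multi-line query
        stamp, header, body = parts[0], parts[1].strip(), parts[2]
        tid, _, cmd = header.partition(" ")   # header looks like "14 Query"
        if cmd == "Connect":
            m = DENIED_RE.search(body)
            if m:
                failed[(m.group(1), m.group(2))] += 1
                continue
            user, _, rest = body.partition("@")   # "root@198.51.100.7 on ..."
            host = rest.split(" ", 1)[0]
            if failed[(user, host)] >= brute_threshold:
                findings["brute_force_success"].append((stamp, user, host, failed[(user, host)]))
        elif cmd == "Query":
            if RANSOM_RE.search(body):
                findings["ransom_note"].append((stamp, tid, body))
            elif DROP_RE.match(body):
                findings["destructive"].append((stamp, tid, body))
    return dict(findings)
```

Run it over a real general log (general_log=ON) or feed the same patterns to your log pipeline; a successful login after several failures from one host, followed by a ransom-note query and a DROP, is the sequence described above.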