Internet-connected MySQL databases around the world are being targeted by a double extortion ransomware campaign that researchers have dubbed PLEASE_READ_ME.
The campaign, which dates back to at least January 2020, was detected by researchers at Guardicore Labs. So far, it has breached more than 83,000 of the more than five million internet-facing MySQL databases in existence worldwide.
Simple but effective in its approach, the campaign uses file-less ransomware to exploit weak credentials in MySQL servers. After gaining entry, the attackers lock the databases and steal data.
The attack is a double extortion because its authors use two different tactics to turn a profit. First, they try to blackmail the database owners into handing over money to retrieve access to their data. Second, they sell the stolen data online to the highest bidder.
Researchers noted that the attackers have been able to offer over 250,000 databases for sale on a dark web auction site so far.
The attackers leave a backdoor user on the database for persistence, allowing them to re-access the network whenever the mood strikes them.
Researchers were able to trace the origins of the attacks to 11 different IP addresses, the majority of which are based in Ireland and the UK.
Since spotting the first attack on January 24, the Guardicore Global Sensors Network (GGSN) has reported a total of 92 attacks. Since October, the rate at which attacks are being launched has risen steeply.
Two variants have been used over the campaign’s lifetime, showing an evolution in the attackers’ tactics. The first was used from January to the end of November for 63 attacks, and the second phase kicked off on October 3, halting at November’s end.
In phase one, the attackers left a ransom note with their wallet address, the amount of Bitcoin to pay, and an email address for technical support. Victims were given 10 days to pay up.
“We found that a total of 1.2867640900000001 BTC had been transferred to these wallets, equivalent to 24,906 USD,” noted researchers.
In the second phase, the attackers ditched the Bitcoin wallet in favor of a website in the TOR network where payment could be made.