According to a report published by Guardicore Labs this week, thousands of vulnerable MySQL servers are being attacked by cybercriminals who use ransomware to take an organization's data and then extort it under threat of making the information public. In this case, the group is selling access to more than 250,000 databases stolen from organizations that refused to pay, all through a Dark Web marketplace.

The campaign, which began in January of this year, is still active. According to one cybersecurity expert, around 5 million MySQL servers are exposed to the public internet, which makes them potentially vulnerable to this or other types of attack.

The PLEASE_READ_ME attacks can be divided into two distinct phases, the first running from January to October. In this first phase the cybercriminals attacked a vulnerable MySQL server, locked its data with ransomware and, once the information was locked, contacted the victim organization with a ransom note containing what was required to recover the data and a Bitcoin wallet for making the payment. As a general rule, the group gave the victim 10 days to pay. Researchers at Guardicore Labs investigated the Bitcoin wallet in which the cybercriminals were collecting the ransom and estimated that the attackers had earned around $25,000.

The second phase began in October, when the criminals changed strategy and moved to double extortion, meaning that the cybercriminals publish the stolen data as a way of pressuring the victim into paying the ransom. The researchers also point out that payment is no longer made directly to a Bitcoin wallet and no communication by email is required. Instead, an anonymous website on the Tor network is set up where payment can be made, and victims identify themselves with unique alphanumeric tokens that they receive in the ransom note. The website also lists all the leaked databases for which the ransom was not paid: about 250,000 databases from 83,000 MySQL servers, a total of 7 TB of stolen data.

So far Guardicore has detected 29 incidents with this pattern, and 7 different IP addresses have been identified in these attacks. The shift to the second phase has made the attacks harder to track, because the Bitcoin wallets can no longer be monitored: in the second phase the Bitcoin wallet is hidden behind a user account on the website.
