'Malwareless' ransomware campaign operators pwned 83k victims' MySQL servers, 250k databases up for sale
A "Malwareless" ransomware campaign delivered from UK IP addresses targeting weak security controls around internet-facing SQL servers successfully pwned 83,000 victims, according to Israeli infosec biz Guardicore.
"The attack chain is extremely simple and exploits weak credentials on internet-facing MySQL servers," said Guardicore's Ophir Harpaz in a technical advisory today, estimating that there are around five million MySQL servers accessible from the public internet.
Once the database servers are compromised, the miscreants operating the campaign begin a so-called "double extortion" attack: they threaten to publish data exfiltrated from the SQL silos unless victims pay a ransom, payment of which also, apparently, leads to the restoration of that data.
Around 1.2 Bitcoin had been deposited to the wallet addresses mentioned in ransom notes seen by Guardicore's researchers, and a total of 250,000 breached databases were being offered for sale.
"The website is a good example of a double extortion mechanism - it contains all leaked databases for which ransom was not paid. The website lists 250k different databases from 83k MySQL servers, with 7TB of stolen data. Up till now, [we have] captured 29 incidents of this variant, originating from 7 different IP addresses," added Harpaz.
News URL: https://go.theregister.com/feed/www.theregister.com/2020/12/10/mysql_malwareless_ransomware/