New Ransomware Campaign Leverages Weak MySQL Credentials to Lock Thousands of Databases

Researchers at Guardicore Labs have uncovered a year-long malware-free ransomware campaign targeting millions of MySQL databases on the Internet.

The campaign, dubbed PLEASE_READ_ME by the researchers, has been underway since January 2020 and has used an “extremely simple” attack chain to carry out at least 92 separate attacks over the past year, with a sharp increase in volume since October.

Interestingly, the operators do not appear to use any actual ransomware payload in their attacks. The chain begins with brute-forcing weak MySQL passwords, followed by enumerating the existing tables and users, before a hidden backdoor is planted on the way out to facilitate future theft.
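The first step of that chain, credential brute forcing, is the one a database owner can see coming in the MySQL error log. The following detector is an added example, not code from Guardicore or from the article: it parses the standard "Access denied for user" message, counts failures per source host in a sliding window, and reports hosts that cross a threshold together with the account names they tried. The log lines, hosts and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard MySQL "Access denied" message; the leading ISO-8601 timestamp is the
# MySQL 5.7+ error-log default (fields between it and the message vary by version).
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_denials(lines):
    """Yield (timestamp, user, source_host) for each failed-login line."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["host"]

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Map each source host that produced >= threshold failures within any
    window-long span to (total failures, sorted list of usernames tried)."""
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(lines):
        by_host[host].append((ts, user))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                alerts[host] = (len(events), sorted({u for _, u in events}))
                break
    return alerts

# Constructed sample error-log lines (hypothetical hosts/users, not from the campaign):
# 203.0.113.5 cycles through common account names; 198.51.100.7 is a single typo.
SAMPLE_LOG = [
    "2020-12-10T09:00:00.000000Z 3 [Note] Access denied for user 'alice'@'198.51.100.7' (using password: YES)",
    "2020-12-10T10:00:00.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T10:00:10.000000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T10:00:20.000000Z 14 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)",
    "2020-12-10T10:00:30.000000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T10:00:40.000000Z 16 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: NO)",
    "2020-12-10T10:00:50.000000Z 17 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-10T10:01:00.000000Z 0 [Note] InnoDB: Buffer pool(s) load completed at 201210 10:01:00",
]

if __name__ == "__main__":
    for host, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {host}: {count} failures, users tried {users}")
```

A server that is not reachable from the Internet at all (bind-address set to a private interface, firewalled port 3306) removes the attack surface this detector watches; the log check is the fallback for instances that must stay exposed.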

“At the end of the execution, the victim’s data disappears, is archived in a compressed file that is sent to the attackers’ servers, and then removed from the database,” write authors Ophir Harpaz and Omri Marom.

Guardicore Labs also detected two different versions of this campaign. The first, between January and November 2020, made up about two-thirds of the observed attacks and involved leaving a ransom note with a Bitcoin wallet address, a ransom demand, an email address for technical support, and a 10-day payment deadline. By leaving those breadcrumbs behind, however, the operators made it possible for researchers to examine their Bitcoin wallet and see how much money had been transferred to it. In the end, they tracked down nearly $25,000 in payments from four separate IP addresses.

The second variant, which ran during October and November, uses a website hidden behind Tor to facilitate payment of the ransom and gives victims an alphanumeric token to confirm their identity and link the payment to their organization. This version does not provide a Bitcoin wallet or operator email, but rather relies on “a complete control panel where victims can provide their token and make payment.”

As a reminder to victims of the consequences of not paying, the site also lists more than 250,000 databases from 83,000 MySQL servers and 77 terabytes of leaked data from those who refused to comply with the ransom demand. There is also a separate “Auction” section where visitors can purchase a database for 0.03 Bitcoin, or around $541 at the current conversion rate to US dollars.

This second variant streamlines the checkout process, leaves fewer trails for investigators to follow, and allows the operators to link a stolen database to the victim’s organization more easily via the alphanumeric code.

Unlike many ransomware campaigns, this is not an example of big-game hunting that involves elaborate reconnaissance of a target organization or industry. Rather, it is a largely automated operation that is indifferent to who it hits and makes money in smaller chunks by attacking as many of the 5 million Internet-facing MySQL databases as possible.

“Attack campaigns of this type are not targeted. They have no interest in the identity or size of the victim, and result on a much larger scale than is available for targeted attacks,” write Harpaz and Marom. “Think of it as ‘Factory Ransomware’: the attackers execute the attack, earning less money per victim but taking into account the number of infected machines.”

The company also posted Indicators of Compromise (IoCs) for the campaign on its GitHub repository.