Database Ransomware Attackers Migrate to MySQL

Security experts are warning of a new wave of ransomware attacks affecting hundreds of MySQL database installations.

GuardiCore researcher Ofri Ziv explained that the latest campaign is an evolution of the one spotted earlier this year targeting MongoDB installations.

The 30-hour blitz started on 12 February and was traced back to an IP address hosted by Dutch firm WorldStream.

“The attacker is (probably) running from a compromised mail server which also serves as HTTP(s) and FTP server. Worldstream was notified a few days after we reported the attack,” noted Ziv.

After brute-forcing the root password, the attackers fetched a list of existing MySQL databases and created a new table labelled “WARNING” or a new database labelled “PLEASE_READ.”

These contain an email address, a bitcoin address and a payment demand.

The attackers then delete the original database and disconnect. Like the MongoDB campaign, the black hats are after 0.2 BTC (around $200) to regain access to the deleted content.

Victims are either encouraged to contact an email address or visit a darknet site to recover the database.
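As an added illustration of how the sequence described above would look to a defender reviewing server logs (this is example code, not GuardiCore's or the article's): a small Python detector over constructed lines in the shape of the MySQL 5.7 general query log (tab-separated timestamp, thread id, command, argument). Every host, thread id and database name in the sample is hypothetical. The detector counts failed logins per source host and flags any authenticated session that creates an object named WARNING or PLEASE_READ or drops a database or table, which is the pattern the article reports.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the MySQL 5.7 general query log
# (tab-separated: timestamp, thread id, command, argument). Every host,
# thread id and database name here is hypothetical.
SAMPLE_LOG = """\
Time                 Id Command    Argument
2017-02-12T10:00:01Z\t 11 Connect\troot@198.51.100.7 on  using TCP/IP
2017-02-12T10:00:01Z\t 11 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T10:00:02Z\t 12 Connect\troot@198.51.100.7 on  using TCP/IP
2017-02-12T10:00:02Z\t 12 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T10:00:03Z\t 13 Connect\troot@198.51.100.7 on  using TCP/IP
2017-02-12T10:00:03Z\t 13 Connect\tAccess denied for user 'root'@'198.51.100.7' (using password: YES)
2017-02-12T10:00:09Z\t 14 Connect\troot@198.51.100.7 on  using TCP/IP
2017-02-12T10:00:09Z\t 14 Query\tSHOW DATABASES
2017-02-12T10:00:10Z\t 14 Query\tCREATE DATABASE PLEASE_READ
2017-02-12T10:00:10Z\t 14 Query\tUSE shop
2017-02-12T10:00:10Z\t 14 Query\tCREATE TABLE WARNING (id INT, msg TEXT)
2017-02-12T10:00:11Z\t 14 Query\tDROP DATABASE shop
2017-02-12T10:00:11Z\t 14 Quit\t
2017-02-12T10:05:00Z\t 15 Connect\tappuser@localhost on shop using Socket
2017-02-12T10:05:00Z\t 15 Query\tSELECT 1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\t?(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")
NOTE_RE = re.compile(
    r"^\s*CREATE\s+(?:DATABASE|TABLE)\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(?P<name>[A-Za-z0-9_]+)`?", re.I)
DROP_RE = re.compile(
    r"^\s*DROP\s+(?:DATABASE|TABLE)\s+(?:IF\s+EXISTS\s+)?`?(?P<name>[A-Za-z0-9_]+)`?", re.I)
# Object names the article reports the ransom note being written under.
RANSOM_NAMES = {"WARNING", "PLEASE_READ"}


def parse_general_log(text):
    """Return (failed_logins_by_host, sessions) for general-log text.
    sessions maps a thread id to the authenticated user, its source host
    and the queries it issued; connections that were denied are dropped."""
    failed = defaultdict(int)
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header line or something we cannot parse
        tid, cmd, arg = m["tid"], m["cmd"], m["arg"]
        if cmd == "Connect":
            denied = DENIED_RE.search(arg)
            if denied:
                failed[denied["host"]] += 1
                sessions.pop(tid, None)  # this thread never authenticated
                continue
            conn = CONNECT_RE.match(arg)
            if conn:
                sessions[tid] = {"user": conn["user"], "host": conn["host"], "queries": []}
        elif cmd == "Query" and tid in sessions:
            sessions[tid]["queries"].append(arg)
    return failed, sessions


def detect_ransom_activity(text, fail_threshold=3):
    """Flag authenticated sessions that match the campaign's shape: a burst
    of failed logins from the same host, then a ransom-note object being
    created and a database or table being dropped."""
    failed, sessions = parse_general_log(text)
    alerts = []
    for tid, s in sessions.items():
        notes, dropped = [], []
        for q in s["queries"]:
            n = NOTE_RE.match(q)
            if n and n["name"].upper() in RANSOM_NAMES:
                notes.append(n["name"])
            d = DROP_RE.match(q)
            if d:
                dropped.append(d["name"])
        prior_failures = failed.get(s["host"], 0)
        if not (notes or dropped or prior_failures >= fail_threshold):
            continue
        alerts.append({
            "thread": tid,
            "user": s["user"],
            "host": s["host"],
            "failed_logins_before": prior_failures,
            "ransom_notes": notes,
            "dropped": dropped,
            "severity": "high" if notes and dropped else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ransom_activity(SAMPLE_LOG):
        print(alert)
```

The general log is off by default and is verbose on a busy server, so in practice the same logic is better fed from an audit plugin or from the error log's failed-login entries; the point is the correlation: failed root logins from one host followed by a successful session that writes a note-shaped object and drops data.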

Aside from periodic data back-ups, Ziv recommended the following:

“Every MySQL server facing the internet is prone to this attack, so ensure your servers are hardened. Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice. Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach.”

Tripwire senior security research engineer, Travis Smith, explained that the shift from MongoDB to MySQL is to be expected, given that databases hold some of the most sensitive information on the internet.

“When installing MySQL, you’re prompted for a password which protects against ransomware attacks. What these attackers are doing is guessing the root password via brute force attacks. In practice, this is a very inefficient attack vector,” he added.

“MySQL can provide decent security out of the box, with enhanced protections available quite easily. By issuing the mysql_secure_installation command, users can follow a walkthrough on hardening their installations to protect against attacks like this. A good rule of thumb is protecting the root account with a long and complex password in addition to preventing login from the internet, preferably only allowing local authentications.”
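An added example, not Tripwire's or MySQL's own code, of the checks that the mysql_secure_installation walkthrough asks about, written as an offline audit in Python over a constructed snapshot of mysql.user rows, a database list and a my.cnf fragment: anonymous accounts, root reachable from non-local hosts, accounts with an empty authentication_string, the test database, and a bind-address that listens on every interface. The account names, hosts and placeholder hashes are constructed; the remediation statements it emits are standard MySQL DDL.

```python
# Constructed snapshot of what `SELECT User, Host, authentication_string
# FROM mysql.user` might return on a carelessly installed server, plus a
# database list and a my.cnf fragment. All values are hypothetical; the
# hashes are placeholders, not real password hashes.
SAMPLE_USERS = [
    {"User": "root", "Host": "localhost", "authentication_string": "*PLACEHOLDER_HASH"},
    {"User": "root", "Host": "%",         "authentication_string": "*PLACEHOLDER_HASH"},
    {"User": "",     "Host": "localhost", "authentication_string": ""},
    {"User": "app",  "Host": "10.0.0.5",  "authentication_string": "*PLACEHOLDER_HASH"},
]
SAMPLE_DATABASES = ["information_schema", "mysql", "performance_schema", "shop", "test"]
SAMPLE_MY_CNF = """\
[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local_host(host):
    return host in LOCAL_HOSTS


def audit_mysql_users(user_rows, databases):
    """Return (kind, identifier) findings for the account and database
    conditions that mysql_secure_installation's walkthrough covers."""
    findings = []
    for r in user_rows:
        user, host, auth = r["User"], r["Host"], r["authentication_string"]
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append(("anonymous_account", account))
        elif auth == "":
            # an empty authentication_string means the account has no password at all
            findings.append(("empty_password", account))
        if user == "root" and not is_local_host(host):
            findings.append(("remote_root", account))
    if "test" in databases:
        findings.append(("test_database", "test"))
    return findings


def bind_address_finding(my_cnf_text):
    """Flag a [mysqld] bind-address that leaves the listener reachable from
    every interface; when it is unset the server listens on all of them."""
    in_mysqld, bind = False, None
    for line in my_cnf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_mysqld = s == "[mysqld]"
        elif in_mysqld and "=" in s:
            key, value = (p.strip() for p in s.split("=", 1))
            if key.replace("_", "-") == "bind-address":
                bind = value
    if bind in (None, "0.0.0.0", "::", "*"):
        return ("bind_address", bind or "(unset, listens on all interfaces)")
    return None


def remediation_sql(user_rows, databases):
    """Standard MySQL statements that address what audit_mysql_users found.
    A remote root is only dropped when a local root remains, so applying
    the output cannot lock the administrator out of the server."""
    has_local_root = any(r["User"] == "root" and is_local_host(r["Host"]) for r in user_rows)
    stmts = []
    for kind, ident in audit_mysql_users(user_rows, databases):
        if kind == "anonymous_account":
            stmts.append(f"DROP USER {ident};")
        elif kind == "remote_root" and has_local_root:
            stmts.append(f"DROP USER {ident};")
        elif kind == "remote_root":
            stmts.append(f"-- {ident}: create a local root account before dropping this one")
        elif kind == "empty_password":
            stmts.append(f"ALTER USER {ident} IDENTIFIED BY '<choose a long, random password>';")
        elif kind == "test_database":
            stmts.append("DROP DATABASE IF EXISTS test;")
    return stmts


if __name__ == "__main__":
    for stmt in remediation_sql(SAMPLE_USERS, SAMPLE_DATABASES):
        print(stmt)
    finding = bind_address_finding(SAMPLE_MY_CNF)
    if finding:
        print(f"-- {finding[0]} = {finding[1]}: set bind-address = 127.0.0.1 if only local clients need access")
```

To run this against a real server, feed it the rows from `SELECT User, Host, authentication_string FROM mysql.user`, the output of `SHOW DATABASES` and the active option file, then review the generated statements before applying them; the bind-address check is the configuration-level counterpart of Smith's advice to allow only local authentications, and a firewall rule in front of port 3306 covers the case where remote clients are genuinely needed.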
