Sunday, April 27, 2025
HomeRansomwareRansomware Now Attacking MySQL Databases

Ransomware Now Attacking MySQL Databases

Published on

SIEM as a Service

Follow Us on Google News

Early this year, specialists cautioned of a spike in quantity of attacks against MongoDB frameworks, criminals asked for the payment of a ransom to return information and help the organization to settle the defect they abused.

So also to the MongoDB attacks, owners are told to pay a 0.2 Bitcoin to deliver (approx. $200) to recover access to their content.

Attack Summary

Investigators from guardicore reported that attacks began at midnight at 00:15 on February 12 and kept going around 30 hours in which many attacks were accounted for by GGSN.

- Advertisement - Google News

The attack begins with “root” password brute-forcing. Once signed in, it brings a rundown of the current MySQL databases and their tables.

Then it makes another table called “WARNING” that incorporates a contact email address, a bitcoin address, and a payment demand.

Investigators traced down the source IP 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting organization.

The attacker is (likely) running from a compromised mail server which additionally fills in as HTTP(s) and FTP server.

Attack Variants

  • In one variation of the attack, the table is added to a current database.
  • In Another variation, the table is added to a recently made database called ‘PLEASE_READ‘.
INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email)
VALUES(‘1′,’Send 0.2 BTC to this address and contact this email
with your ip or db_name of your server to recover your database!
Your DB is Backed up to our servers!’,
‘1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY’, ‘backupservice@mail2tor.com’)
INSERT INTO `WARNING`(id, warning)
VALUES(1, ‘SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9
AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE!
SQL DUMP WILL BE AVAILABLE AFTER PAYMENT!
To access this site you have use the tor browser
https://www.torproject.org/projects/torbrowser.html.en’)
  1. One version offers the victims to reestablish their information by reaching the accompanying email address – ‘backupservice@mail2tor.com‘ and uses the Bitcoin wallet 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9.
  2. The second version offers the owners to visit the accompanying darknet site ‘http://sognd75g4isasu2v.onion/” to recoup the lost information and uses the Bitcoin wallet 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY .
Ransomware Now Attacking MySQL Databases

As there are no traces for dump operation or data exfiltration happened.

Experts from guardicore before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored.

Prevention method suggested by Experts

Every MySQL server facing the internet is prone to this attack, so make sure your servers are hardened.

Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice.

Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This can be easily achieved using GuardiCore Centra.

Also read:

Latest articles

Two Systemic Jailbreaks Uncovered, Exposing Widespread Vulnerabilities in Generative AI Models

Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to...

New AI-Generated ‘TikDocs’ Exploits Trust in the Medical Profession to Drive Sales

AI-generated medical scams across TikTok and Instagram, where deepfake avatars pose as healthcare professionals...

Gamers Beware! New Attack Targets Gamers to Deploy AgeoStealer Malware

The cybersecurity landscape faces an escalating crisis as AgeoStealer joins the ranks of advanced...

Compliance And Governance: What Every CISO Needs To Know About Data Protection Regulations

The cybersecurity landscape has changed dramatically in recent years, largely due to the introduction...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

DragonForce and Anubis Ransomware Gangs Launch New Affiliate Programs

Secureworks Counter Threat Unit (CTU) researchers have uncovered innovative strategies deployed by the DragonForce...

Threat Actors Target Organizations in Thailand with Ransomware Attacks

Thailand is experiencing a significant escalation in ransomware attacks, with both state-sponsored advanced persistent...

Verizon DBIR Report: Small Businesses Identified as Key Targets in Ransomware Attacks

Verizon Business's 2025 Data Breach Investigations Report (DBIR), released on April 24, 2025, paints...