Wednesday, April 2, 2025
HomeRansomwareRansomware Now Attacking MySQL Databases

Ransomware Now Attacking MySQL Databases

Published on

SIEM as a Service

Follow Us on Google News

Early this year, specialists cautioned of a spike in quantity of attacks against MongoDB frameworks, criminals asked for the payment of a ransom to return information and help the organization to settle the defect they abused.

So also to the MongoDB attacks, owners are told to pay a 0.2 Bitcoin to deliver (approx. $200) to recover access to their content.

Attack Summary

Investigators from guardicore reported that attacks began at midnight at 00:15 on February 12 and kept going around 30 hours in which many attacks were accounted for by GGSN.

The attack begins with “root” password brute-forcing. Once signed in, it brings a rundown of the current MySQL databases and their tables.

Then it makes another table called “WARNING” that incorporates a contact email address, a bitcoin address, and a payment demand.

Investigators traced down the source IP 109.236.88.20, an IP address hosted by worldstream.nl, a Netherlands-based web hosting organization.

The attacker is (likely) running from a compromised mail server which additionally fills in as HTTP(s) and FTP server.

Attack Variants

  • In one variation of the attack, the table is added to a current database.
  • In Another variation, the table is added to a recently made database called ‘PLEASE_READ‘.
INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email)
VALUES(‘1′,’Send 0.2 BTC to this address and contact this email
with your ip or db_name of your server to recover your database!
Your DB is Backed up to our servers!’,
‘1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY’, ‘backupservice@mail2tor.com’)
INSERT INTO `WARNING`(id, warning)
VALUES(1, ‘SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9
AND GO TO THIS SITE http://sognd75g4isasu2v.onion/ TO RECOVER YOUR DATABASE!
SQL DUMP WILL BE AVAILABLE AFTER PAYMENT!
To access this site you have use the tor browser
https://www.torproject.org/projects/torbrowser.html.en’)
  1. One version offers the victims to reestablish their information by reaching the accompanying email address – ‘backupservice@mail2tor.com‘ and uses the Bitcoin wallet 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9.
  2. The second version offers the owners to visit the accompanying darknet site ‘http://sognd75g4isasu2v.onion/” to recoup the lost information and uses the Bitcoin wallet 1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY .
Ransomware Now Attacking MySQL Databases

As there are no traces for dump operation or data exfiltration happened.

Experts from guardicore before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored.

Prevention method suggested by Experts

Every MySQL server facing the internet is prone to this attack, so make sure your servers are hardened.

Also, make sure your servers require authentication and that strong passwords are in use. Minimizing internet facing services, particularly those containing sensitive information is also a good practice.

Monitoring your internet accessible machines/services is crucial to being able to rapidly respond to any breach. This can be easily achieved using GuardiCore Centra.

Also read:

Latest articles

Sliver Framework Customized Enhances Evasion and Bypasses EDR Detection

The Sliver Command & Control (C2) framework, an open-source tool written in Go, has...

Ransomware Threatens 93% of Industries— Resilience Is Critical

Ransomware continues to be one of the most disruptive cyber threats, with recent data...

New Surge of IRS-Themed Attacks Targets Taxpayers’ Mobile Devices

As the U.S. tax filing deadline approaches, cybercriminals are intensifying their efforts to exploit...

KoiLoader Exploits PowerShell Scripts to Drop Malicious Payloads

Cybersecurity experts at eSentire's Threat Response Unit (TRU) uncovered a sophisticated malware campaign leveraging...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Ransomware Threatens 93% of Industries— Resilience Is Critical

Ransomware continues to be one of the most disruptive cyber threats, with recent data...

Weaponized Zoom Installer Used by Hackers to Gain RDP Access and Deploy BlackSuit Ransomware

Cybersecurity researchers have uncovered a sophisticated attack campaign where threat actors utilized a trojanized...

Beware! A Fake Zoom Installer Drops BlackSuit Ransomware on Your Windows Systems

Cybersecurity analysts have uncovered a sophisticated campaign exploiting a fake Zoom installer to deliver...