Ransomware hits MySQL Servers

    2013

    A ransomware attack was launched on hundreds of MySQL Servers last week which can be treated as an evolution of MongoDB cyber attack. And the news is out that the cyber crooks who launched the attack are demanding a 0.2 bitcoins to unlock the servers which account to $234.

    As per the report prepared by a security vendor known GuardiCore, every month, tens of MySQL servers are targeted by hackers. But now, the situation has grimed and has reached a point where the infected server’s number has surged to 1400.

    Guardicore mentioned in its media briefing that the attack began on February 12th and lasted for 30 hours. Then it was re-launched in an intense way on February 20, 2017.  And the IP address used by the hackers was 109.236.88.20 and belongs to a Netherlands-based web hosting company called WorldStream. The attack started as a brute-force attack after gaining access to the root password for the MySQL database.

    Guardicore suspects that the attack took place from a compromised mail server which also serves as Https and FTP servers. And the attack was launched in two phases. In the first phase, a new table called “Warning” was created and was added to the existing database. The message reads out an email address, a 0.2 bitcoin ransom and the bitcoin address to which the cryptocurrency must be transferred.

    If the victim fails to react, then the table called “Please Read” is added to the infected database. The attack then deletes all the data on the database and disconnects the server from further access. Perhaps, this step is initiated in order to make the victim believe that his/her server is really compromised.

    But GuardiCore believes that the server might never recover from this stage even if the victim pays the ransom thereafter due to lack of backup.

    If in case, the victim decides to pay the ransom, then they are asked to visit a dark web portal via TOR browser and are being asked to click on the link of check payment and get a link to the database backup.

    GuardiCore wants all the victims of ransomware infected MySQL servers to first check the authenticity of the hack and then proceed for the payment.

    The only recommendation which the security provider wants to make to the server admin is to use strong passwords and go for 2-way authentication strategy to prevent such ransomware enter into the network.

    Ad
    Naveen Goud
    Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security

    No posts to display