[BreachExchange] PLEASE_READ_ME Ransomware Attacks 85K MySQL Servers
Destry Winant
destry at riskbasedsecurity.com
Fri Dec 11 11:01:33 EST 2020
https://threatpost.com/please_read_me-ransomware-mysql-servers/162136/
Ransomware actors behind the attack have breached at least 85,000
MySQL servers, and are currently selling at least 250,000 compromised
databases.
Researchers are warning on an active ransomware campaign that’s
targeting MySQL database servers. The ransomware, called
PLEASE_READ_ME, has thus far breached at least 85,000 servers
worldwide – and has posted at least 250,000 stolen databases on a
website for sale.
MySQL is an open-source relational database management system. The
attack exploits weak credentials on internet-facing MySQL servers, of
which there are close to 5 million worldwide. Since first observing
the ransomware campaign in January, researchers said that attackers
have switched up their techniques to put more pressure on victims and
to automate the payment process for the ransom.
“The attack starts with a password brute-force on the MySQL service.
Once successful, the attacker runs a sequence of queries in the
database, gathering data on existing tables and users,” said Ophir
Harpaz and Omri Marom, researchers with Guardicore Labs, in a Thursday
post. “By the end of execution, the victim’s data is gone – it’s
archived in a zipped file which is sent to the attackers’ servers and
then deleted from the database.”
From there, the attacker leaves a ransom note in a table, named
“WARNING,” which demands a ransom payment of up to 0.08 BTC. The
ransom note tells victims (verbatim), “Your databases are downloaded
and backed up on our servers. If we dont receive your payment in the
next 9 Days, we will sell your database to the highest bidder or use
them otherwise.”
Researchers believe that the attackers behind this campaign have made
at least $25,000 in the first 10 months of the year.
Researchers said that PLEASE_READ_ME (so-called because it’s the name
of the database that the attackers create on a compromised server) is
an example of an untargeted, transient ransomware attack that does not
spend time in the network beyond what’s required for the actual
attack – meaning there’s typically no lateral movement involved.
The attack may be simple, but it’s also dangerous, researchers warned,
because it’s almost fileless. “There are no binary payloads involved
in the attack chain, making the attack ‘malwareless,’” they said.
“Only a simple script which breaks in the database, steals information
and leaves a message.”
That said, a backdoor user mysqlbackups'@'%' is added to the database
for persistence, providing the attackers with future access to the
compromised server, researchers said.
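The attack chain described above (credential brute-force, a query sequence that inventories tables and users, deletion of the data, a ransom note in a WARNING table inside a PLEASE_READ_ME database, and a mysqlbackups'@'%' user for persistence) leaves traces in logs MySQL already writes. The following Python script is an added example written for this post; it is not code from Threatpost or Guardicore. It assumes the server has general_log=ON with log_output=FILE (the tab-separated "timestamp, thread id, command, argument" format) and a MySQL 5.7-style error log containing "Access denied for user" lines; the log lines embedded below are constructed for the demo, and the source address, thread ids and the failed-login threshold of 5 are placeholders.

```python
"""Hunt for PLEASE_READ_ME-style activity in MySQL general and error logs.

Added example, not from the article or Guardicore. Indicators come from the
article: a database named PLEASE_READ_ME, a WARNING table holding the ransom
note, a persistence user 'mysqlbackups'@'%', and DROP statements following a
data dump. Sample log lines below are constructed for this demonstration.
"""
import re
from collections import Counter, defaultdict

# Indicators named in the article (WARNING may carry a database prefix).
IOC_PATTERNS = {
    "ransom_database": re.compile(r"\bPLEASE_READ_ME\b", re.IGNORECASE),
    "ransom_note_table": re.compile(
        r"\b(?:CREATE\s+TABLE|INSERT\s+INTO)\s+(?:`?\w+`?\.)?`?WARNING`?\b",
        re.IGNORECASE),
    "backdoor_user": re.compile(r"'mysqlbackups'@'%'", re.IGNORECASE),
}
DESTRUCTIVE_RE = re.compile(r"^\s*DROP\s+(?:TABLE|DATABASE|SCHEMA)\b", re.IGNORECASE)

# general_log FILE format: "<timestamp>\t<thread id> <command>\t<argument>"
GENERAL_LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
CONNECT_RE = re.compile(r"^(\S+)@(\S+)\s+on\b")
# error log line written on a failed login; the client host is what we count
ACCESS_DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']+)'")


def parse_general_log(text):
    """Return one event dict per parsable general_log line; skip headers."""
    events = []
    for line in text.splitlines():
        m = GENERAL_LOG_RE.match(line)
        if not m:
            continue  # file header, column header or continuation line
        ts, thread, cmd, arg = m.groups()
        events.append({"ts": ts, "thread": int(thread), "cmd": cmd, "arg": arg})
    return events


def match_iocs(statement):
    """Names of the article's indicators present in one SQL statement."""
    return sorted(name for name, rx in IOC_PATTERNS.items() if rx.search(statement))


def summarize_sessions(events):
    """Group events by thread id (one MySQL session) and tally what it did."""
    sessions = defaultdict(lambda: {"user": None, "host": None, "queries": 0,
                                    "drops": 0, "iocs": set()})
    for ev in events:
        s = sessions[ev["thread"]]
        if ev["cmd"] == "Connect":
            m = CONNECT_RE.match(ev["arg"])
            if m:
                s["user"], s["host"] = m.groups()
        elif ev["cmd"] == "Query":
            s["queries"] += 1
            if DESTRUCTIVE_RE.match(ev["arg"]):
                s["drops"] += 1
            s["iocs"].update(match_iocs(ev["arg"]))
    return dict(sessions)


def suspicious_sessions(sessions):
    """Sessions that touched an indicator or dropped tables/databases."""
    return {tid: s for tid, s in sessions.items() if s["iocs"] or s["drops"]}


def brute_force_sources(error_log_text, threshold=5):
    """Client hosts with at least `threshold` failed logins in the error log."""
    failures = Counter()
    for line in error_log_text.splitlines():
        m = ACCESS_DENIED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
    return {host: n for host, n in failures.items() if n >= threshold}


# Constructed sample: one attacker session (thread 12) and one normal app session.
SAMPLE_GENERAL_LOG = """\
Time                 Id Command    Argument
2020-12-10T10:00:01.000001Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP
2020-12-10T10:00:01.000002Z\t   12 Query\tSHOW DATABASES
2020-12-10T10:00:01.000003Z\t   12 Query\tSELECT user, host FROM mysql.user
2020-12-10T10:00:02.000004Z\t   12 Query\tSELECT * FROM shop.customers
2020-12-10T10:00:03.000005Z\t   12 Query\tDROP TABLE shop.customers
2020-12-10T10:00:03.000006Z\t   12 Query\tCREATE DATABASE PLEASE_READ_ME
2020-12-10T10:00:03.000007Z\t   12 Query\tCREATE TABLE PLEASE_READ_ME.WARNING (id INT, warning TEXT)
2020-12-10T10:00:03.000008Z\t   12 Query\tINSERT INTO PLEASE_READ_ME.WARNING VALUES (1, 'Your databases are downloaded ...')
2020-12-10T10:00:04.000009Z\t   12 Query\tCREATE USER 'mysqlbackups'@'%' IDENTIFIED BY 'redacted'
2020-12-10T10:00:05.000010Z\t   13 Connect\tapp@10.0.0.7 on shop using TCP/IP
2020-12-10T10:00:05.000011Z\t   13 Query\tSELECT id FROM shop.orders WHERE id = 42
"""

# Constructed sample: six failures from one source, one from a legitimate host.
SAMPLE_ERROR_LOG = "\n".join(
    [f"2020-12-10T09:5{i}:00.000000Z {i + 1} [Note] "
     f"Access denied for user 'root'@'203.0.113.5' (using password: YES)"
     for i in range(6)]
    + ["2020-12-10T10:00:00.000000Z 9 [Note] "
       "Access denied for user 'app'@'10.0.0.7' (using password: YES)"])

if __name__ == "__main__":
    sessions = summarize_sessions(parse_general_log(SAMPLE_GENERAL_LOG))
    for tid, s in suspicious_sessions(sessions).items():
        print(f"thread {tid} {s['user']}@{s['host']}: iocs={sorted(s['iocs'])} drops={s['drops']}")
    print("brute-force sources:", brute_force_sources(SAMPLE_ERROR_LOG))
```

Pointing the two parsers at a real general_log and error log is a one-line change; the general log is verbose on busy servers, so in practice the same statement patterns are better applied to the audit plugin's output or to a SIEM feed. Note that the backdoor user and ransom database can also be checked directly with `SELECT user, host FROM mysql.user` and `SHOW DATABASES` on a server suspected of compromise.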
Attack Evolution
Researchers first observed PLEASE_READ_ME attacks in January, in what
they called the “first phase” of the attack. In this first phase,
victims were required to transfer BTC directly to the attacker’s
wallet.
[Image: The attack timeline. Credit: Guardicore Labs]
The second phase of the ransomware campaign started in October, which
researchers said marked an evolution in the campaign’s techniques,
tactics and procedures (TTPs). In the second phase, the attack evolved
into a double-extortion attempt, researchers say – meaning attackers
are publishing data while pressuring victims to pay the ransom. Here,
attackers put up a website in the TOR network where payments can be
made. Victims paying the ransom can be identified using tokens (as
opposed to their IP/domain), researchers said.
“The website is a good example of a double-extortion mechanism – it
contains all leaked databases for which ransom was not paid,” said
researchers. “The website lists 250,000 different databases from
83,000 MySQL servers, with 7 TB of stolen data. Up till now, [we]
captured 29 incidents of this variant, originating from seven
different IP addresses.”
Ransomware attacks have continued to hammer hospitals, schools and
other organizations in 2020. The ransomware tactic of “double
extortion” first emerged in late 2019 by Maze operators – but has been
rapidly adopted over the past few months by various cybercriminals
behind the Clop, DoppelPaymer and Sodinokibi ransomware families.
Looking forward, researchers warn that the PLEASE_READ_ME operators
are trying to up their game by using double extortion at scale:
“Factoring their operation will render the campaign more scalable and
profitable,” they said.