Researchers at Guardicore Labs have uncovered a year-long malware-less ransomware campaign targeting millions of internet-facing MySQL databases.
The campaign, named PLEASE_READ_ME by researchers, has been going on since January 2020 and has utilized an “extremely simple” attack chain to carry out at least 92 separate attacks over the past year, with a sharp rise in volume since October.
Interestingly, the operators do not appear to be using any actual ransomware payload in their attacks. The chain begins by brute forcing weak passwords on MySQL databases, followed by collection of data on existing tables and users, before a hidden backdoor is installed on the way out to facilitate future break-ins.
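The brute-force stage of that chain is the part a database owner can detect most readily. What follows is an added example, not code from the Guardicore report, that flags source addresses producing bursts of failed MySQL logins in an error log; the log lines are constructed and the exact log layout is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in MySQL 8.0 error-log style (log_error_verbosity=3);
# the exact layout is an assumption, adjust LINE_RE to match your server's logs.
SAMPLE_LOG = """\
2020-11-05T12:00:01.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-11-05T12:00:03.000000Z 13 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-11-05T12:00:04.000000Z 14 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-11-05T12:00:06.000000Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-11-05T12:00:09.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-11-05T12:00:11.000000Z 17 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-11-05T12:30:00.000000Z 18 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+\d+\s+\[\w+\].*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failures(log_text):
    """Return (timestamp, user, host) for every failed-login line in the log."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
            out.append((ts, m.group("user"), m.group("host")))
    return out


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Flag hosts with >= threshold failed logins inside any sliding time window.
    Returns {host: {"failures": peak count in a window, "users": names tried}}."""
    by_host = defaultdict(list)
    for ts, user, host in parse_failures(log_text):
        by_host[host].append((ts, user))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # advance the window start until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = {"failures": peak, "users": sorted({u for _, u in events})}
    return alerts
```

A single failure from 198.51.100.7 stays below the threshold, while the burst from 203.0.113.5 across two usernames is reported.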
“By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database,” write authors Ophir Harpaz and Omri Marom.
Guardicore Labs also spotted two distinct versions of this campaign. The first, between January and November 2020, made up roughly two-thirds of observed attacks and involved leaving a ransom note with a Bitcoin wallet address, a ransom demand, an email address for technical support and a 10-day deadline for payment. However, in leaving those breadcrumbs, the operators made it possible for researchers to poke around their Bitcoin wallet and examine how much money had been transferred to it. Ultimately, they traced nearly $25,000 in payments from four separate IP addresses.
The second variant, which ran throughout October and November, utilizes a website hidden behind a Tor router to facilitate ransom payment and gives victims an alphanumeric token to confirm their identities and link payment to their organization. This version does not provide a Bitcoin wallet or operator email, instead relying on “a full-fledged dashboard where victims can provide their token and make the payment.”
As a reminder and warning to the compromised about the consequences of not paying up, it also lists more than 250,000 databases from 83,000 MySQL servers and 77 terabytes of leaked data from those who refused to meet the ransom demand. There’s also a separate “Auction” section where visitors can buy a database for 0.03 Bitcoin, or about $541 at the current conversion rate to U.S. dollars.
This second variant streamlines the payment process, leaves fewer breadcrumbs for investigators to follow and allows the operators to more easily link a stolen database with the victim org through the alphanumeric code.
Unlike many ransomware campaigns, this isn’t an example of big game hunting that involves complex reconnaissance of a target organization or sector. Rather, it’s a largely automated operation that is indifferent about who it hits and makes money in smaller bits and bites by attacking as many of the 5 million internet-facing MySQL databases as it can.
“Attack campaigns of this sort are untargeted. They have no interest in the victim’s identity or size, and result in a much larger scale than that available for targeted attacks,” write Harpaz and Marom. “Think of it as ‘Factory Ransomware’ – the attackers run the attack, making less money per victim but factoring the number of infected machines.”
The company also posted Indicators of Compromise for the campaign to its GitHub repository.