MySQL instances attacked by database blackmailers

Internet-facing instances of the popular MySQL information store are being targeted by attackers following similar attacks on insecure databases earlier this year.

Security vendor GuardiCore this month spotted hundreds of attacks emanating from a Dutch web hosting company. 

The attack itself relies on brute-forcing or guessing the root password for MySQL instances. If the attacker gets in to the MySQL database, a new table called "WARNING" with contact details for a ransom payment is added. In a variant of the attack, the ransom note table is called "PLEASE_READ".

After the ransom note tables are created, the attacker then deletes all databases found on the compromised server.

The ransom is 0.2 Bitcoin (A$297.50) to restore the data.

It is highly unlikely that the extortionists have copied over the information before deleting it.

"Before paying the ransom we strongly encourage you to verify that the attacker actually holds your data and that it can be restored. In the attacks we monitored we couldn’t find evidence of any dump operation or data exfiltration," GuardiCore said.

Despite this victims appear to have been paying the ransom, based on blockchain information for the different Bitcoin wallets used by the attackers. 

Whether or not the victims got their data back after paying the ransom is not clear.

Administrators are encouraged to minimise database exposure to the internet to avoid being hit by blackmailers and losing their data, and also to ensure use of strong passwords.