December 17, 2020

Understanding the PLEASE_READ_ME MySQL Database Ransomware


MySQL is again making headlines, this time due to a new MySQL database ransomware attack that has compromised 250,000 databases. From those affected, the attackers are demanding a ransom of 0.08 BTC, or around 1435.17 USD.

In this blog, we'll discuss how the attack works, who it affects, and how to minimize exposure for internet-facing databases.

How Does the PLEASE_READ_ME MySQL Database Ransomware Work?

The attack itself exploits weak credentials used to access the systems: a traditional brute-force attack against the login. Once inside, the attacker runs several queries gathering up data on users and existing tables. The data is packaged up, transferred to the attacker’s servers, then deleted from the database. What’s left after everything is said and done is a single table named WARNING containing the demand for bitcoin.

What makes this attack even more dangerous is how simple it is and the way it’s executed. Considered to be a ‘malwareless’ attack, the process uses zero binary payloads. It’s just a simple script that breaks in, steals the data and gets the heck out. The attacker also leaves a back door so they can get back into the system if needed. The attack IP addresses are coming from the UK and Ireland, and the attack comes in two variants.

There are an estimated 5 million internet-facing MySQL databases worldwide, and it’s believed that the attackers have made nearly 25,000 USD in ransoms thus far, over 10 months.

Who Identified the Attack?

Guardicore Global Sensors Network (GGSN) first detected this attack back in January of 2020, when directions to a bitcoin wallet and an email address for "tech support" were left in a ransom note on the organization's database. This method was changed in November, with the victim instead directed to a Tor-protected site with a payment option. This method is known as double extortion, since the databases of those unwilling to pay are published publicly, potentially causing far more damage in assets and liabilities than the amount of bitcoin demanded.

How to Minimize Database Ransomware Exposure

If you’re going to have your database facing the internet, strong encryption, strong passwords, update policies and constant management are all requirements for preventing an attack like this one. One of the best ways to create strong, long, memorable passwords is the Diceware system.

Improving Password Strength With Diceware

Using five 6-sided dice, you roll the dice to generate a 5-digit number (each digit 1 through 6) that corresponds to an entry in a word list. Rolling physical dice to pick the words adds genuine randomness (entropy) to your password instead of relying on words you would think of yourself. After rolling the dice 5-6 times and adding in some numbers and special characters, you have a 20+ character password that’s easy to remember and strong enough to outlast any brute-force attack. There are word lists for multiple languages, and the Electronic Frontier Foundation has published its own word lists as well. In addition to creating strong passwords for enterprise security, Diceware can be used for your own personal passwords and comes highly recommended by the OpenLogic team.
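The following is an added example, not code from the original post: it performs the Diceware steps above in software, rolling five dice with a cryptographic random source, mapping the 5-digit key to a position in a standard 7776-entry word list, and working out how much entropy a passphrase of N words carries. The `1e12` guesses-per-second rate used for the brute-force estimate and the three-line sample word list are assumptions constructed for illustration.

```python
import math
import secrets

DICE_PER_WORD = 5               # five 6-sided dice per word, as in Diceware
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a standard Diceware list


def roll_key() -> str:
    """Roll five dice using the OS CSPRNG; returns a key such as '35241'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """Map a dice key (digits 1-6) to a 0-based list position: '11111' -> 0, '66666' -> 7775."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for digit in key:          # the key is a base-6 number with digits 1..6
        index = index * 6 + (int(digit) - 1)
    return index


def parse_wordlist(text: str) -> dict:
    """Parse Diceware-format text: one '<5-digit key><whitespace><word>' per line."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == DICE_PER_WORD:
            words[parts[0]] = parts[1]
    return words


def passphrase(words: dict, n_words: int = 6, sep: str = "-") -> str:
    """Roll once per word and join the chosen words; needs a full 7776-entry list."""
    return sep.join(words[roll_key()] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy from word choice alone; 6 words from 7776 is about 77.5 bits."""
    return n_words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years an attacker needs to try every passphrase at the assumed guess rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed three-line sample in the format of the EFF/Diceware lists.
    sample = parse_wordlist("11111\tabacus\n11112\tabdomen\n66666\tzoom\n")
    print(sample, key_to_index("66666"))
    for n in (4, 5, 6, 7):
        print(f"{n} words: {entropy_bits(n):.1f} bits, "
              f"~{years_to_exhaust(entropy_bits(n)):.0f} years at 1e12 guesses/s")
```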

Final Thoughts

The PLEASE_READ_ME MySQL database ransomware shows the importance of using strong encryption, strong passwords, and update policies. Using tools like Diceware to create memorable, secure passwords can be a good first step toward improving your internal password practices.

Need further guidance on securing your application? Our open source experts can help to assess your current infrastructure and chart a path to security best practices. Talk to an expert today to get started.

