December 17, 2020

Understanding the PLEASE_READ_ME MySQL Database Ransomware

By Andrew Pomponio

MySQL is again making headlines, this time due to a new MySQL database ransomware attack that has compromised 250,000 databases. For those affected by the attack, the ransomers are demanding a ransom of 0.08 BTC, or around 1435.17 USD.

In this blog, we'll discuss how the attack works, who it affects, and how to minimize exposure for internet-facing databases.

How Does the PLEASE_READ_ME MySQL Database Ransomware Work?

The attack itself exploits weak credentials used to access the systems: a traditional brute force attack. Once inside the system, the attacker runs several queries gathering data on users and existing tables. The data is packaged up, transferred to the attacker's servers, then deleted from the database. What's left after everything is said and done is a single table named WARNING containing the demand for bitcoin.

What makes this attack even more dangerous is how simple it is and the way it's executed. Considered a 'malwareless' attack, the process uses zero binary payloads. It's just a simple script that breaks in, steals the data and gets the heck out. The attacker also leaves a back door so they can get back into the system if needed. The attack IP addresses are coming from the UK and Ireland, and the attack comes in two variants.

There are an estimated 5 million internet-facing MySQL databases worldwide, and it's believed that the attackers have made nearly 25,000 USD thus far in 10 months of ransoms.

Who Identified the Attack?

Guardicore Global Sensors Network (GGSN) first detected this attack back in January of 2020, when directions to a bitcoin wallet and an email for tech support were left in a ransom note on the organization's database.
This method was changed in November, with the victim instead directed to a TOR-protected site with a payment option. This method is known as double extortion, since the databases of those unwilling to pay are published publicly, potentially causing far more damage in assets and liabilities than the amount of bitcoin demanded.

How to Minimize Database Ransomware Exposure

If you're going to have your database facing the internet, strong encryption, passwords, update policies and constant management are all requirements for preventing an attack like this one. One of the best ways to create strong, long, memorable passwords is by using the Diceware system.

Improving Password Strength With Diceware

Using five 6-sided dice, you roll the dice to generate a 5-digit number that corresponds to an entry in a word list. Rolling dice to generate the numbers adds genuine randomness to the words used in your password. After rolling the dice 5-6 times and adding in some numbers and special characters, you have a 20+ character password that's easy to remember and strong enough to outlast any brute force attack. There are word lists for multiple languages, and the Electronic Frontier Foundation has published its own word lists as well. In addition to creating strong passwords for enterprise security, Diceware can be used for your own personal passwords and comes highly recommended by the OpenLogic team.

Final Thoughts

The PLEASE_READ_ME MySQL database ransomware shows the importance of using strong encryption, passwords, and update policies. Using tools like Diceware to create memorable, secure passwords can be a good first step toward improving your internal password best practices.

Need further guidance on securing your application? Our open source experts can help to assess your current infrastructure and chart a path to security best practices.
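The Diceware procedure described above, written out as an added example (not code from the original post or from OpenLogic): five rolls of a six-sided die form a key such as 31425, the key maps to one of the 6^5 = 7776 entries in the word list, and the process repeats once per word. Real dice are replaced here by the operating system's CSPRNG via `secrets`; the word list is a constructed placeholder, and a real 7776-entry list such as the EFF's large list, one word per line in key order 11111 to 66666, would be loaded in its place.

```python
import math
import secrets

DICE_PER_WORD = 5                       # one Diceware key is five rolls of a six-sided die
WORDS_PER_LIST = 6 ** DICE_PER_WORD     # a standard Diceware list has 7776 entries


def roll_key() -> str:
    """Roll five dice with a CSPRNG and return the key as a string like '31425'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def key_to_index(key: str) -> int:
    """Map a five-digit dice key ('11111'..'66666') to a list index (0..7775)."""
    if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError(f"not a Diceware key: {key!r}")
    index = 0
    for digit in key:               # base-6 number with digits 1..6 shifted to 0..5
        index = index * 6 + (int(digit) - 1)
    return index


def passphrase(wordlist, n_words: int = 6, separator: str = "-") -> str:
    """Pick n_words words from a 7776-entry list, rolling a fresh key for each."""
    if len(wordlist) != WORDS_PER_LIST:
        raise ValueError(f"wordlist must have exactly {WORDS_PER_LIST} entries")
    return separator.join(wordlist[key_to_index(roll_key())] for _ in range(n_words))


def entropy_bits(n_words: int) -> float:
    """Entropy of an n-word Diceware passphrase: log2(7776^n), about 12.9 bits per word."""
    return n_words * math.log2(WORDS_PER_LIST)


def brute_force_years(n_words: int, guesses_per_second: float = 1e12) -> float:
    """Expected years to search half the passphrase space at the given online/offline guess rate."""
    return (2 ** entropy_bits(n_words) / 2) / guesses_per_second / (365 * 24 * 3600)


# Constructed placeholder list so the example runs offline; swap in a real Diceware
# list (e.g. the EFF large list) where entry i is the word for the i-th key in order.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(WORDS_PER_LIST)]

if __name__ == "__main__":
    print(passphrase(DEMO_WORDLIST))
    print(f"{entropy_bits(6):.1f} bits; ~{brute_force_years(6):.0f} years at 1e12 guesses/s")
```

With a real word list, six words give roughly 77.5 bits before any digits or symbols are appended, which is why the resulting passphrase is well out of reach of the credential brute forcing this attack relies on.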
Talk to an expert today to get started.

Additional Resources

If you're looking for additional information on application security best practices, be sure to check out these resources:

- Blog - TLS Raccoon Attack: What You Need to Know
- Blog - Debunking OSS Security Myths
- Newsletter - OpenUpdate Weekly News and Security Updates
- Webinar - Application Security Basics
Andrew Pomponio
Associate Enterprise Architect, OpenLogic by Perforce

Andrew's areas of specialization include networking, Linux, network security including OpenSSL, and operational troubleshooting. He has been working in the industry for over seven years and is acquiring new skills every day.