December 17, 2020

Understanding the PLEASE_READ_ME MySQL Database Ransomware

Security
Databases

Database ransomware attacks like the recent PLEASE_READ_ME campaign, which compromised an estimated 250,000 MySQL databases, are becoming more common. From each victim the attackers demand a ransom of 0.08 BTC, around 1435.17 USD at the time of writing.

In this post, we'll discuss how this MySQL database ransomware attack works, who it affects, and how to minimize the exposure of internet-facing open source databases and protect against database ransomware in the future.


How Does the PLEASE_READ_ME MySQL Database Ransomware Work?

The attack itself exploits weak credentials: a traditional brute-force attack against the MySQL login. Once inside, the attacker runs several queries to enumerate users and existing tables. The data is packaged up, transferred to the attacker's servers, and then deleted from the database. What is left when everything is said and done is a single table named WARNING containing the bitcoin demand.

What makes this attack even more dangerous is how simple it is and the way it's executed. Considered a 'malwareless' attack, it uses no binary payload at all: it is a simple script that breaks in, steals the data and leaves. The attacker also leaves a back door so they can get back into the system if needed. Because nothing is dropped on disk, endpoint antivirus has little to catch; the signals are in the database's own logs, in the form of a burst of failed logins from one address followed by a successful one, large reads of every table, and DROP statements. The attacking IP addresses are in the UK and Ireland, and the attack comes in two variants.

There are an estimated 5 million internet-facing MySQL databases worldwide, and it's believed that the attackers have collected nearly 25,000 USD in ransoms over 10 months.
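To make the brute-force phase concrete, here is an added example, not code from the original post or from Guardicore, that scans MySQL error-log lines for repeated "Access denied" events from a single client address and flags any source that exceeds a threshold inside a sliding time window. The log lines are constructed for the example in the MySQL 5.7-style error-log format (the regex also matches the 8.0 format with its `[MY-010926] [Server]` prefix); the threshold and window are arbitrary, and the server must actually log access-denied notes (log_error_verbosity=3) for this signal to exist.

```python
"""Spot MySQL credential brute forcing in error-log lines.

Added example, not code from the original post or from Guardicore. It reports
any client address that produces more than THRESHOLD 'Access denied' events
inside a sliding WINDOW_SECONDS window. SAMPLE_LOG is constructed for this
example in the MySQL 5.7-style error-log format; the regex also matches the
8.0 format ('[MY-010926] [Server] Access denied ...'). Assumption: the server
logs these notes at all (log_error_verbosity=3), otherwise there is no signal.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5        # failures allowed per source before we flag it (arbitrary)
WINDOW_SECONDS = 60  # sliding window length (arbitrary)

ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)Z?"
    r".*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

# Constructed sample: six failures from one address within five seconds
# (root and admin tried), one typo from a legitimate client, one unrelated line.
SAMPLE_LOG = """\
2020-12-17T10:00:01.000000Z 7 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:02.000000Z 8 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:03.000000Z 9 [Note] Access denied for user 'appuser'@'198.51.100.20' (using password: YES)
2020-12-17T10:00:03.000000Z 10 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:04.000000Z 11 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:05.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:06.000000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-17T10:00:07.000000Z 0 [Note] InnoDB: Buffer pool(s) load completed
"""


def parse_line(line):
    """Return (utc_timestamp, user, host) for an access-denied line, else None."""
    m = ACCESS_DENIED.search(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m.group("ts")).replace(tzinfo=timezone.utc)
    return ts, m.group("user"), m.group("host")


def brute_force_sources(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS):
    """Return {host: (peak_failures_in_window, sorted_users_tried)} for hosts
    that exceed `threshold` failures inside any `window_seconds` window."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    users = defaultdict(set)      # host -> account names it tried
    flagged = {}                  # host -> peak window size seen
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, host = parsed
        window = recent[host]
        window.append(ts)
        users[host].add(user)
        # Drop events that fell out of the window relative to this event.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and len(window) > flagged.get(host, 0):
            flagged[host] = len(window)
    return {host: (count, sorted(users[host])) for host, count in flagged.items()}


if __name__ == "__main__":
    for host, (count, tried) in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {count} failed logins in {WINDOW_SECONDS}s, accounts tried: {tried}")
```

Run against the sample, only 203.0.113.5 is reported (6 failures, accounts root and admin); the single typo from 198.51.100.20 stays below the threshold. In practice the same counter fed by the real error log, or by a firewall rule that drops the address once flagged, is what stops a password-guessing script before it finds a weak root password.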


Who Identified the Ransomware Attack?

Guardicore's Global Sensors Network (GGSN) first detected this attack in January 2020, when the ransom note left in the victim organization's database pointed to a bitcoin wallet and an email address for 'tech support'. In November the method changed: victims are instead directed to a Tor-protected site with a payment option. This is known as double extortion, since the databases of those unwilling to pay are published publicly, potentially causing far more damage in assets and liabilities than the amount of bitcoin demanded.


How to Minimize Database Ransomware Exposure

If your database must face the internet, strong passwords, encrypted connections (TLS), a patching policy and continuous monitoring are all requirements for preventing an attack like this one. Better still, don't expose the listener directly: bind MySQL to a private interface, firewall port 3306 to known clients, and restrict accounts such as root to specific hosts rather than '%'. One of the best ways to create strong, long, memorable passwords is the Diceware system.

Improving Password Strength With Diceware

Using five 6-sided dice, you roll to generate a 5-digit number, each digit from 1 to 6, that indexes a word in a list of 7776 (6^5) words. Rolling physical dice gives the chosen words genuine randomness rather than a pattern an attacker can guess. After rolling for 5-6 words and adding in some numbers and special characters, you have a 20+ character passphrase that's easy to remember and far beyond the reach of online brute force: six words from a 7776-word list alone carry about 77 bits of entropy. There are word lists for multiple languages, and the Electronic Frontier Foundation has published its own word lists as well. In addition to creating strong passwords for enterprise security, Diceware can be used for your own personal passwords and comes highly recommended by the OpenLogic team.
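The procedure above in code, as an added example that is not from the original post or the OpenLogic team: each word is indexed by a five-digit key of dice faces looked up in a 7776-entry list such as the EFF long wordlist. The SAMPLE_LIST is a constructed eight-entry excerpt in the EFF file format (key, tab, word); a real run needs the complete list, and the software-dice `generate()` refuses to work without one, since re-rolling or skipping missing keys would skew the selection. The dice results in the demo are likewise constructed to hit entries in the excerpt.

```python
"""Diceware passphrase helpers for the procedure described above.

Added example, not code from the original post or from the OpenLogic team.
Each word is indexed by a five-digit key whose digits are 1..6 (five dice),
looked up in a 7776-entry list such as the EFF long wordlist. SAMPLE_LIST is a
constructed eight-entry excerpt in the EFF file format (key, tab, word); a real
run needs the complete list, and generate() refuses to work without it.
"""
import math
import secrets

DICE_SIDES = 6
KEY_LENGTH = 5
FULL_LIST_SIZE = DICE_SIDES ** KEY_LENGTH   # 7776
VALID_DIGITS = set("123456")

SAMPLE_LIST = """\
11111\tabacus
13245\tbasket
22516\tdiligent
31442\tgazelle
43633\tlantern
52215\tnimbly
64126\tshrug
66666\tzoom
"""


def parse_wordlist(text):
    """Parse EFF-style 'key<TAB>word' lines into {key: word}, validating keys."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != KEY_LENGTH or not set(key) <= VALID_DIGITS:
            raise ValueError(f"bad Diceware key {key!r}")
        words[key] = word.strip()
    return words


def key_from_rolls(rolls):
    """Turn five physical dice results, e.g. [1, 3, 2, 4, 5], into the key '13245'."""
    if len(rolls) != KEY_LENGTH or any(r not in range(1, DICE_SIDES + 1) for r in rolls):
        raise ValueError("need exactly five values in the range 1..6")
    return "".join(str(r) for r in rolls)


def roll_key():
    """Software dice: five rolls from the OS CSPRNG. Never use random.random for this."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(KEY_LENGTH))


def list_is_complete(words):
    """True only when every one of the 7776 possible keys has a word."""
    return len(words) == FULL_LIST_SIZE


def passphrase_from_rolls(words, roll_sets):
    """Look up one word per set of five rolls; the caller did the rolling."""
    return " ".join(words[key_from_rolls(rolls)] for rolls in roll_sets)


def generate(words, n_words=6):
    """Generate a passphrase with software dice. Refuses partial lists, since a
    missing key would have to be re-rolled or skipped and skew the selection."""
    if not list_is_complete(words):
        raise ValueError(f"word list has {len(words)} entries, need {FULL_LIST_SIZE}")
    return " ".join(words[roll_key()] for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly from list_size: n * log2(size).
    Six words from 7776 give about 77.5 bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_LIST)
    # Constructed dice results chosen to hit entries in the sample excerpt.
    rolls = [[1, 3, 2, 4, 5], [4, 3, 6, 3, 3], [6, 4, 1, 2, 6]]
    print(passphrase_from_rolls(words, rolls))          # basket lantern shrug
    print(f"six words from the full list: {entropy_bits(FULL_LIST_SIZE, 6):.1f} bits")
```

With the full EFF list in place of the excerpt, `generate(words, 6)` produces a six-word passphrase; the entropy figure comes from the list size and word count alone, so adding digits and symbols afterwards only raises it.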


Final Thoughts

The PLEASE_READ_ME MySQL database ransomware shows the importance of strong passwords, encrypted connections, and update policies. Using a tool like Diceware to create memorable, secure passwords can be a good first step toward improving your internal password practices.

Need further guidance on securing your application? Our database support experts can help to assess your current infrastructure and chart a path to security best practices. Talk to an expert today to get started.
