- EU, NIS2 사이버 보안 지침 발효··· 전문가들 “다분야 접근 필요한 과제”
- Collaborations between public and private organizations will be vital for the UAE to deliver on digital agenda
- Announcing IBM Granite AI Models Now Available on Docker Hub | Docker
- SK쉴더스, '일렉트론' 애플리케이션 취약점 연구 보고서 공개
- KINX, 과천 데이터센터 개관··· "국내외 KINX 네트워크 플랫폼의 새로운 핵심"
PLEASE_READ_ME Ransomware Campaign Targeting MySQL Servers
Digital attackers launched a new ransomware campaign dubbed “PLEASE_READ_ME” in an effort to target MySQL servers.
Guardicore first spotted the attack back in January 2020. After that, it witnessed a total of 92 attacks emanate from 11 IP addresses, with most based in Ireland and the United Kingdom at the time of analysis.
The security firm found that each attack began the same way. As quoted in its research:
The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users. By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database. A ransom note is left in a table named WARNING, demanding a ransom payment of up to 0.08 BTC.
Over the course of its analysis, Guardicore picked out two variants of the campaign. The first lasted from January to November 2020 and consisted of 63 attacks. Each of those instances involved the delivery of a ransom note including a bitcoin wallet address, an email address for technical support and a 10-day window for the victim to pay.
Those behind PLEASE_READ_ME had collected 24,906 USD as a result of this variant at the time of Guardicore’s analysis.
The second variant dispensed with email communications and a bitcoin wallet address. Instead, it directed recipients to visit a .ONION site. The site’s dashboard provided victims with the ability to submit their infection token in order to pay their ransom. It also gave visitors the ability to buy 250k different databases from 83k MySQL servers belonging to victims who didn’t pay.
That variant, which started on October 3 and lasted through November, consisted of 29 attack instances involving seven IP addresses.
News of this attack highlights the need for organizations to defend themselves against ransomware. They can do so by following these steps in order to prevent a ransomware infection from occurring in the first place.