Ransomware Attack on MySQL Databases

MySQL is one of the most widely used database systems in the world and is highly trusted for its security and reliability. Unfortunately, it is no longer safe enough, as reports of hijacked MySQL databases are coming in. According to the breach detection team at GuardiCore, internet-exposed MySQL servers are being attacked by brute force, and the affected servers number in the hundreds. The attackers use a simple ransomware technique: attack the server, encrypt or delete the files, and then demand that the victim pay 0.2 Bitcoin, which is equivalent to $235.

Interestingly, most of these attacks come from a server located in the Netherlands. The attack started on 12 Feb and lasted for 30 hours. The attackers tried to make their way into MySQL root accounts. The attacker's IP address is 109.236.88.20, which is hosted by a company named “WorldStream”. Only one IP address is active in the attack, and there is surety that only one group is involved in the hacking.

How the MySQL Database Attack Works

Once the hackers have taken control of the targeted MySQL server, they create a new database named PLEASE_READ and store in it a table named “WARNING”, which is the ransom note. Investigators suggest that the attackers may dump the data before deleting the database, or may delete the database directly without dumping the data. Among the many such attacks, two ransom notes have been detected. They work in opposite ways: one asks the victim to make contact by email for payment instructions, while the other asks the victim to visit the attackers' own Tor-hosted website.

Reportedly, two transactions for the decryption key have already been noticed, but there is no confirmation whether they were made by victims or by the hackers themselves in order to boost victims' confidence that they will get their data back once the money is paid.

What to Do in Case of a MySQL Database Attack

It is very important for victims to check their logs to confirm whether the attackers really took their data. If you decide to pay the ransom, ask the cyber-criminals for proof that they still have your data. The best situation is to have an automatic server backup system. This is not the first ransomware attack on MySQL servers, so stay attentive and use a strong, hard-to-crack password.
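
The log check described above, together with the PLEASE_READ indicator from the section on how the attack works, can be scripted. The following is an added example, not code from GuardiCore or from this article: it assumes the server's general query log was enabled, and the log lines, timestamps and the database names `shop` and `wiki` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample laid out like a MySQL general query log (not real incident data).
SAMPLE_LOG = "\n".join([
    "2000-01-01T01:00:01Z\t   11 Connect\tAccess denied for user 'root'@'109.236.88.20' (using password: YES)",
    "2000-01-01T01:00:02Z\t   12 Connect\tAccess denied for user 'root'@'109.236.88.20' (using password: YES)",
    "2000-01-01T01:00:03Z\t   13 Connect\troot@109.236.88.20 on  using TCP/IP",
    "2000-01-01T01:00:04Z\t   13 Query\tSELECT * FROM `shop`.`orders`",
    "2000-01-01T01:00:05Z\t   13 Query\tDROP DATABASE `shop`",
    "2000-01-01T01:00:06Z\t   13 Query\tDROP DATABASE `wiki`",
    "2000-01-01T01:00:07Z\t   13 Query\tCREATE DATABASE PLEASE_READ",
    "2000-01-01T01:00:08Z\t   13 Query\tCREATE TABLE PLEASE_READ.WARNING (id INT, warning TEXT)",
])

LINE = re.compile(r"^\S+\s+(\d+) (Connect|Query)\t(.*)$")
DENIED = re.compile(r"Access denied for user 'root'@'([^']+)'")
LOGIN = re.compile(r"^(\S+)@(\S+) on ")
READ = re.compile(r"\bFROM\s+`?(\w+)`?\.", re.I)
DROP = re.compile(r"^DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)
NOTE = re.compile(r"^CREATE\s+DATABASE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?PLEASE_READ`?", re.I)

def analyse(log_text):
    failed = Counter()      # source IP -> failed root logins (brute-force signal)
    source = {}             # thread id -> client host of a successful login
    read = {}               # thread id -> databases that connection has read from
    report = {"failed_root_logins": failed, "note_from": set(), "dropped": {}}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        thread, command, arg = m.groups()
        if command == "Connect":
            denied, login = DENIED.search(arg), LOGIN.match(arg)
            if denied:
                failed[denied.group(1)] += 1
            elif login:
                source[thread] = login.group(2)
            continue
        if NOTE.match(arg):
            report["note_from"].add(source.get(thread, "unknown"))
        for db in READ.findall(arg):
            read.setdefault(thread, set()).add(db.lower())
        dropped = DROP.match(arg)
        if dropped:
            db = dropped.group(1).lower()
            # True means this connection read from the database before dropping it.
            report["dropped"][db] = db in read.get(thread, set())
    return report
```

A database reported as `False` was dropped by a connection that never read from it, so the attacker cannot hold a copy taken over that connection. The general query log is off by default, so this evidence exists only if logging was enabled before the incident.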