Security experts found a new “PLEASE_READ_ME” ransomware campaign, distributed from U.K.-based IP addresses, targeting unsecured MySQL servers exposed online. According to the researchers from Guardicore, the ransomware preys on weak credentials and has hit around 83,000 victims and 250,000 databases so far. The researchers also found that around five million MySQL servers are publicly accessible online.
The Modus Operandi of the PLEASE_READ_ME Ransomware
The operation begins with a password brute-force attack against internet-facing MySQL databases.
Once a database is compromised, the attacker runs a sequence of queries on the server to gather information on its users.
The database contents are encrypted, exfiltrated to the attackers’ servers as a zipped file, and then deleted from the victim’s server.
On successful execution, a ransom note is left demanding payment of up to 0.08 BTC.
The adversaries threaten to sell the stolen data to the highest bidder if the ransom is not paid.
A Malwareless Ransomware
Guardicore researchers stated that PLEASE_READ_ME is a “malwareless” ransomware operation that has been active since at least the beginning of January 2020. They also identified over 92 attacks originating from 11 different IP addresses, mostly in Ireland and the U.K.
“The attack chain is extremely simple and exploits weak credentials on internet-facing MySQL servers. There are close to 5 million internet-facing MySQL servers worldwide. The attackers leave a backdoor user on the database for persistence, allowing them to re-access the network. Monetization of the campaign has evolved into a double extortion attempt – publishing and offering data for sale to pressure victims into paying the ransom. What drove us to closely monitor this threat is its use of double extortion, where stolen data is published and offered for sale to pressure victims into paying the ransom,” Guardicore said.
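Because the campaign drops no malware, the only artifacts a defender gets are the server's own logs: a burst of failed logins, a new wildcard-host account with GRANT ALL (the backdoor user Guardicore describes), and a session that reads a table out and then drops it. The script below is an added example, not Guardicore's tooling or code from this article; it parses lines in the layout of the MySQL general query log (timestamp, thread id, command, argument) and applies those three checks. The sample log lines and every user, host, IP and table name in them are constructed for the demonstration.

```python
"""Detect the PLEASE_READ_ME-style attack chain in MySQL general-log lines.

Added example (not Guardicore's tooling, not code from the article).
Line layout follows the MySQL general query log (timestamp, thread id,
command, argument); the sample lines and all user, host and table names
below are constructed for this demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 5 denied logins from one source, then a successful
# login that creates a wildcard-host superuser, dumps a table and drops it,
# followed by an unrelated legitimate session.
SAMPLE_LOG = """\
2020-12-10T10:00:01.000000Z\t   12 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:01.200000Z\t   13 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:01.400000Z\t   14 Connect\tAccess denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:01.600000Z\t   15 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:01.800000Z\t   16 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T10:00:02.000000Z\t   17 Connect\troot@203.0.113.5 on  using TCP/IP
2020-12-10T10:00:03.000000Z\t   17 Query\tCREATE USER 'svc_backup'@'%' IDENTIFIED BY 'hunter2'
2020-12-10T10:00:03.100000Z\t   17 Query\tGRANT ALL PRIVILEGES ON *.* TO 'svc_backup'@'%' WITH GRANT OPTION
2020-12-10T10:00:10.000000Z\t   17 Query\tSELECT * FROM shop.customers
2020-12-10T10:00:25.000000Z\t   17 Query\tDROP TABLE shop.customers
2020-12-10T10:30:00.000000Z\t   21 Connect\talice@10.0.0.7 on shop using TCP/IP
2020-12-10T10:30:05.000000Z\t   21 Query\tSELECT * FROM shop.orders WHERE id = 7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
CREATE_USER_RE = re.compile(r"^\s*CREATE\s+USER\s+'([^']*)'@'([^']*)'", re.I)
GRANT_ALL_RE = re.compile(
    r"^\s*GRANT\s+ALL(?:\s+PRIVILEGES)?\s+ON\s+\*\.\*\s+TO\s+'([^']*)'@'([^']*)'", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\b.*?\bFROM\s+([\w.`]+)", re.I)
DROP_RE = re.compile(r"^\s*DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?([\w.`]+)", re.I)


def parse_general_log(text):
    """Turn general-log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, thread, cmd, arg = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"),
                       "thread": int(thread), "cmd": cmd, "arg": arg.strip()})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_host: total failures} for sources with at least
    `threshold` denied logins inside any sliding window of length `window`."""
    denied = defaultdict(list)
    for ev in events:
        m = DENIED_RE.search(ev["arg"]) if ev["cmd"] == "Connect" else None
        if m:
            denied[m.group(2)].append(ev["time"])
    hits = {}
    for host, times in denied.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = len(times)
                break
    return hits


def detect_backdoor_accounts(events):
    """Flag users created with a wildcard host or granted ALL on *.*:
    the persistence step the campaign relies on."""
    findings = []
    for ev in events:
        if ev["cmd"] != "Query":
            continue
        m = CREATE_USER_RE.match(ev["arg"])
        if m and m.group(2) in ("%", ""):
            findings.append((ev["thread"], f"{m.group(1)}@{m.group(2)}", "wildcard-host user"))
        m = GRANT_ALL_RE.match(ev["arg"])
        if m:
            findings.append((ev["thread"], f"{m.group(1)}@{m.group(2)}", "GRANT ALL ON *.*"))
    return findings


def detect_read_then_drop(events, max_gap=timedelta(minutes=10)):
    """Flag a session that SELECTs a table and DROPs the same table within
    `max_gap`: read-out followed by destruction, as in the attack chain."""
    last_select = {}  # (thread, table) -> time of the most recent SELECT
    findings = []
    for ev in events:
        if ev["cmd"] != "Query":
            continue
        m = SELECT_RE.match(ev["arg"])
        if m:
            last_select[(ev["thread"], m.group(1).replace("`", ""))] = ev["time"]
            continue
        m = DROP_RE.match(ev["arg"])
        if m:
            key = (ev["thread"], m.group(1).replace("`", ""))
            if key in last_select and ev["time"] - last_select[key] <= max_gap:
                findings.append(key)
    return findings


def analyze(text):
    """Run all three checks over a general-log text and return the findings."""
    events = parse_general_log(text)
    return {"bruteforce_sources": detect_bruteforce(events),
            "backdoor_accounts": detect_backdoor_accounts(events),
            "read_then_drop": detect_read_then_drop(events)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The read-then-drop check is keyed per connection thread, so a legitimate session that dumps a table and a separate job that later drops it do not pair up; the time gap and the failed-login threshold are the knobs to tune against a server's normal traffic. On a real server the general log must be enabled for these lines to exist at all, and the failed-login check works equally on the error log's "Access denied" entries if the timestamp and host are extracted in the same way.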