In 2020, around 250,000 MySQL database servers were attacked in a very large scale ransomware attack.
The victims were threatened into paying a ransom or else see their confidential documents revealed to the public.
The campaign has been known as “Please_Read_Me.”
Two variants of this attack were seen in 2020. The first was the standard pattern: encrypt the files, then demand a Bitcoin payment for the decryption key. The second also used ‘leak’ web sites to publish documents until the ransom was paid.
How This Happens
MySQL is a database management system.
The attack starts by finding MySQL databases that are reachable from the Internet, then tries every password in a dictionary, plus common passwords, to see if it can log in successfully.
If successful, the attack runs a series of database queries to determine the contents, then zips the data and sends it to the scammer. It then renders the user’s database unusable by deleting all the data.
Ransom notes are then left on the users’ computers, and they must pay in Bitcoin to regain access to their data.
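The password-guessing stage described above leaves a trail in the MySQL error log: a burst of failed logins from one source, often against several account names. The following is an added detection example (not code from this article or from the Guardicore write-up); it assumes the server logs failed logins as “Access denied for user” entries in the 5.7/8.0 error-log layout, and the log lines it runs over are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample error-log lines (not real data): five failures in a few
# seconds from one host, one stray failure from another, one late retry.
SAMPLE_LOG = """\
2020-12-01T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:01.400000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:02.100000Z 14 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:02.900000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:03.300000Z 16 [Note] Access denied for user 'mysql'@'203.0.113.5' (using password: YES)
2020-12-01T10:00:05.000000Z 17 [Note] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2020-12-01T10:05:00.000000Z 18 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
"""

# Assumed log layout: ISO timestamp, thread id, [level], then the MySQL message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z \d+ \[\w+\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failures(text):
    """Yield (timestamp, user, source host) for each access-denied line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
            yield ts, m.group("user"), m.group("host")


def find_bruteforce_sources(text, threshold=5, window=timedelta(seconds=60)):
    """Return {host: (max failures in one window, sorted distinct users tried)}
    for every source host that reaches `threshold` failed logins inside any
    sliding time window of length `window`."""
    by_host = defaultdict(list)
    for ts, user, host in parse_failures(text):
        by_host[host].append((ts, user))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = (best, sorted({u for _, u in events}))
    return flagged
```

Tuning the threshold and window to the server's normal failure rate matters: a single mistyped application password should not trip it, while a dictionary run of hundreds of attempts per minute will.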
Read the full Guardicore Labs write-up for more details at www.guardicore.com/labs/please-read-me-opportunistic-ransomware-devastating-mysql-servers/
If you have any experiences with these scams do let me know, by email.