PLEASE_READ_ME Ransomware Campaign Targeting SQL Servers

Hackers have launched a new ransomware campaign known as “PLEASE_READ_ME” in an effort to target MySQL servers.

The attack starts with a password brute-force on the MySQL service. Once successful, the attacker runs a sequence of queries in the database, gathering data on existing tables and users.

By the end of execution, the victim’s data is gone – it’s archived in a zipped file which is sent to the attackers’ servers and then deleted from the database.

A ransom note is left in a table named WARNING, demanding a ransom payment of up to 0.08 BTC.

The .onion domain – hn4wg4o6s5nc7763.onion – leads to a full-fledged dashboard where victims can provide their token and make the payment. The .onion top-level domain is used to distinguish services hosted in the TOR network. 
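As an added detection example (not code from the original post), the script below scans MySQL general-query-log lines for the sequence described above: enumeration of tables and users, DROP statements, and creation of the WARNING ransom-note table. The log lines are constructed samples in the style of the general query log, and the account and query texts in them are assumptions, not captured data.

```python
import re
from collections import defaultdict

# Constructed lines in the style of MySQL's general query log
# (timestamp, connection id, command, argument); not real captured data.
SAMPLE_LOG = """\
2020-12-10T10:15:01Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP
2020-12-10T10:15:02Z\t   12 Query\tSELECT table_schema, table_name FROM information_schema.tables
2020-12-10T10:15:03Z\t   12 Query\tSELECT user, host FROM mysql.user
2020-12-10T10:15:09Z\t   12 Query\tDROP TABLE shop.orders
2020-12-10T10:15:10Z\t   12 Query\tCREATE TABLE WARNING (id INT, note TEXT)
2020-12-10T10:15:11Z\t   12 Query\tINSERT INTO WARNING VALUES (1, 'PLEASE_READ_ME ...')
2020-12-10T10:20:00Z\t   13 Connect\tapp@10.0.0.7 on shop using TCP/IP
2020-12-10T10:20:01Z\t   13 Query\tSELECT * FROM shop.orders WHERE id = 42
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Each indicator corresponds to one stage of the campaign described in the post.
INDICATORS = {
    "enumeration": re.compile(r"\binformation_schema\.|\bmysql\.user\b", re.I),
    "destruction": re.compile(r"^\s*DROP\s+(TABLE|DATABASE)\b", re.I),
    "ransom_note_table": re.compile(r"^\s*(CREATE\s+TABLE|INSERT\s+INTO)\s+`?WARNING`?\b", re.I),
}

def detect(log_text):
    """Group queries by connection id; flag connections that touch the WARNING
    ransom-note table or combine enumeration with DROP statements."""
    accounts = {}
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, cmd, arg = m["conn"], m["cmd"], m["arg"]
        if cmd == "Connect":
            accounts[conn] = arg.split(" on ")[0]  # e.g. root@203.0.113.5
        elif cmd == "Query":
            for name, pat in INDICATORS.items():
                if pat.search(arg):
                    seen[conn].add(name)
    alerts = []
    for conn, found in seen.items():
        if "ransom_note_table" in found or {"enumeration", "destruction"} <= found:
            alerts.append({"conn": conn, "account": accounts.get(conn, "?"),
                           "indicators": sorted(found)})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run it against a real general log (enabled with `general_log=ON`) after a suspected incident; a hit on the ransom-note table alone is enough to alert, while enumeration plus DROP from one connection is the earlier, more actionable signal.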

Indicators Of Compromise

URLs

  • http://hn4wg4o6s5nc7763.onion

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
