PLEASE_READ_ME Ransomware Campaign Targeting SQL Servers
Hackers have launched a new ransomware campaign, known as “PLEASE_READ_ME”, targeting MySQL servers.
The attack starts with a password brute-force against the MySQL service. Once it succeeds, the attacker runs a sequence of queries in the database to gather information on the existing tables and users.
By the end of execution, the victim’s data is gone: it is archived in a zipped file, sent to the attackers’ servers, and then deleted from the database.
A ransom note is left in a table named WARNING, demanding a ransom payment of up to 0.08 BTC.
The .onion address – hn4wg4o6s5nc7763.onion – leads to a full-fledged dashboard where victims can enter their token and make the payment. The .onion top-level domain denotes services hosted on the Tor network.
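From a defender's side, the sequence described above (a burst of failed logins from one host, a successful login, then reconnaissance, destructive statements and a ransom note written to a table named WARNING) is something a database log review can flag. The following Python detector is an added example, not code from the original article; it runs over constructed log lines loosely modelled on the MySQL general query log layout, and the log format, hosts, connection ids and failure threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, loosely modelled on the MySQL general query log layout; not real data.
SAMPLE_LOG = """\
2020-12-10T10:00:01Z 12 Connect Access denied for user 'root'@'203.0.113.5'
2020-12-10T10:00:01Z 13 Connect Access denied for user 'root'@'203.0.113.5'
2020-12-10T10:00:02Z 14 Connect Access denied for user 'root'@'203.0.113.5'
2020-12-10T10:00:02Z 15 Connect root@203.0.113.5 on using TCP/IP
2020-12-10T10:00:03Z 15 Query SHOW TABLES
2020-12-10T10:00:04Z 15 Query DROP TABLE customers
2020-12-10T10:00:05Z 15 Query CREATE TABLE WARNING (note TEXT)
2020-12-10T10:00:05Z 15 Query INSERT INTO WARNING VALUES ('PLEASE_READ_ME ...')
2020-12-10T10:01:00Z 16 Connect app@10.0.0.7 on using TCP/IP
2020-12-10T10:01:01Z 16 Query SELECT * FROM orders WHERE id = 42
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")            # time id command argument
DENIED_RE = re.compile(r"Access denied for user '[^']*'@'([^']+)'")  # failed login, source host
CONNECT_RE = re.compile(r"^(\S+)@(\S+) on\b")                        # successful login user@host
RANSOM_RE = re.compile(r"^(CREATE\s+TABLE|INSERT\s+INTO)\s+`?WARNING`?\b", re.I)
DESTRUCTIVE_RE = re.compile(r"^DROP\s+(TABLE|DATABASE)\b", re.I)

def analyze(log_text, fail_threshold=3):
    """Return sorted (rule, source_host, connection_id) findings for the given log text."""
    failures = defaultdict(int)  # source host -> failed connects seen so far
    conn_host = {}               # connection id -> source host of its successful login
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, conn_id, command, arg = m.groups()
        if command == "Connect":
            if denied := DENIED_RE.search(arg):
                failures[denied.group(1)] += 1
            elif ok := CONNECT_RE.match(arg):
                host = ok.group(2)
                conn_host[conn_id] = host
                # a login that follows a burst of failures from the same host
                if failures[host] >= fail_threshold:
                    findings.add(("brute_force_then_login", host, conn_id))
        elif command == "Query":
            host = conn_host.get(conn_id, "?")
            if RANSOM_RE.match(arg):
                findings.add(("ransom_note_table", host, conn_id))
            if DESTRUCTIVE_RE.match(arg):
                findings.add(("destructive_statement", host, conn_id))
    return sorted(findings)
```

On the sample above, all three rules fire for connection 15 from 203.0.113.5, while the ordinary application connection 16 produces no finding.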
Indicators Of Compromise
URLs
- http://hn4wg4o6s5nc7763.onion

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.