More than 85,000 SQL databases are currently on sale on a dark web portal for a price of only $550/database.
The portal, brought to ZDNet's attention earlier today by a security researcher, is part of a database ransom scheme that has been going on since the start of 2020.
Hackers have been breaking into SQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back.
While initial ransom notes asked victims to contact the attackers via email, as the operation grew throughout the year, the attackers also automated their DB ransom scheme with the help of a web portal, first hosted online at sqldb.to and dbrestore.to, and then moved to an Onion address on the dark web.
Victims who access the gang's sites are asked to enter a unique ID, found in the ransom note, before being presented with the page where their data is being sold.
If victims don’t pay within a nine-day period, their data is put up for auction on another section of the portal.
The price for recovering or buying a stolen SQL database must be paid in bitcoin. The actual price has varied across the year as the BTC/USD exchange rate fluctuated but has usually remained centered around a $500 figure for each site, regardless of the content they included.
This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don’t analyze the hacked databases for data that could contain a higher concentration of personal or financial information.
Past attacks are easy to identify as the group has usually placed their ransom demands in SQL tables titled “WARNING.” Based on complaints ZDNet has reviewed for this article, most of the databases appear to be MySQL servers; however, we don’t rule out that other SQL relational database systems like PostgreSQL and MSSQL could have been hit as well.
Signs of these ransom attacks have been piling up over the course of 2020, with the number of complaints from server owners finding the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.
Bitcoin addresses used for the ransom demands have also been piling up on BitcoinAbuse.com, a website that indexes Bitcoin addresses used in cybercrime operations.
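The two indicators the article gives a defender, a table named "WARNING" left behind in the database and a Bitcoin address inside the note, can be checked for in a few lines. The script below is an added example, not code from the article or from the attackers' portal: it assumes the table inventory comes from MySQL's information_schema (the query is shown as a string and is expected to be run with a read-only account), and it runs offline against a constructed inventory and a constructed note text, flagging schemas that contain a WARNING table, the subset where WARNING is the only table left (consistent with the originals having been deleted), and any Bitcoin addresses in the note so they can be matched against BitcoinAbuse.com.

```python
"""Defensive check for the SQL ransom pattern described above.

Added example (not from the ZDNet article). Flags databases that carry a
table named WARNING and extracts Bitcoin addresses from ransom-note text.
"""
import re

# Assumed to be run on a MySQL server with a read-only account; it lists
# (schema, table) pairs for every non-system schema.
INVENTORY_QUERY = """
SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_schema NOT IN ('information_schema', 'mysql',
                           'performance_schema', 'sys')
"""

RANSOM_TABLE = "WARNING"

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def find_ransom_tables(rows):
    """rows: iterable of (schema, table) as returned by INVENTORY_QUERY.

    Returns {'flagged': [...], 'emptied': [...]}: schemas holding a WARNING
    table (case-insensitive), and the subset where WARNING is the only table
    remaining, which is consistent with the original tables having been dropped.
    """
    tables_by_schema = {}
    for schema, table in rows:
        tables_by_schema.setdefault(schema, []).append(table)
    flagged = sorted(
        s for s, names in tables_by_schema.items()
        if any(n.upper() == RANSOM_TABLE for n in names)
    )
    emptied = sorted(s for s in flagged if len(tables_by_schema[s]) == 1)
    return {"flagged": flagged, "emptied": emptied}


def extract_btc_addresses(note_text):
    """Return the distinct Bitcoin addresses found in ransom-note text, so
    they can be reported and compared with addresses already indexed."""
    return sorted(set(BTC_ADDRESS_RE.findall(note_text)))


# Constructed sample inventory standing in for real information_schema output.
SAMPLE_ROWS = [
    ("shop", "customers"),
    ("shop", "orders"),
    ("shop", "WARNING"),        # note dropped in beside intact tables
    ("analytics", "WARNING"),   # only table left: originals deleted
    ("crm", "contacts"),
]

# Constructed note text; the address is made up for the demo, not a real one.
SAMPLE_NOTE = (
    "Your tables were exported and removed. "
    "Send 0.03 BTC to 1ExampLeAddrForDemoPurposesXYZabcd "
    "and quote your ID to recover them."
)

if __name__ == "__main__":
    print(find_ransom_tables(SAMPLE_ROWS))
    print(extract_btc_addresses(SAMPLE_NOTE))
```

In practice the inventory query would be scheduled against each MySQL server and the "emptied" list treated as an incident, since by the time the WARNING table is the only one left the originals are already gone and recovery depends on backups rather than on the database itself.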
These attacks mark the most concerted effort to ransom SQL databases since the winter of 2017, when hackers hit MySQL servers in a series of attacks that also targeted MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers.