Hackers are selling more than 85,000 MySQL databases on a dark web portal

Hackers break into databases, steal their content, hold it for ransom for 9 days, and then sell to the highest bidder if the DB owner doesn't want to pay the ransom demand.
Written by Catalin Cimpanu, Contributor
Image: Nicolas Picard

More than 85,000 MySQL databases are currently on sale on a dark web portal for a price of only $550/database.

The portal, brought to ZDNet's attention earlier today by a security researcher, is part of a database ransom scheme that has been going on since the start of 2020.

Hackers have been breaking into MySQL databases, downloading tables, deleting the originals, and leaving ransom notes behind, telling server owners to contact the attackers to get their data back.

While initial ransom notes asked victims to contact the attackers via email, as the operation grew throughout the year, the attackers also automated their DB ransom scheme with the help of a web portal, first hosted online at sqldb.to and dbrestore.to, and then moved to an Onion address on the dark web.
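As an added defensive example (not from the article or from ZDNet), the script below reads MySQL general-query-log lines and flags connections that drop several tables and then insert text resembling a ransom note, the sequence described above. The log lines, the note wording, the `recover_note` table name and the keyword list are constructed for illustration; the log format is assumed to be MySQL's tab-separated general log.

```python
import re
from collections import defaultdict

# Constructed sample lines in MySQL general-query-log format (not from the article).
SAMPLE_LOG = """\
2020-12-09T10:15:01Z\t   12 Connect\tapp@203.0.113.5 on shop using TCP/IP
2020-12-09T10:15:02Z\t   12 Query\tSELECT * FROM customers
2020-12-09T10:15:03Z\t   12 Query\tSELECT * FROM orders
2020-12-09T10:15:04Z\t   12 Query\tDROP TABLE customers
2020-12-09T10:15:05Z\t   12 Query\tDROP TABLE orders
2020-12-09T10:15:06Z\t   12 Query\tCREATE TABLE recover_note (msg TEXT)
2020-12-09T10:15:07Z\t   12 Query\tINSERT INTO recover_note VALUES ('pay 0.03 BTC, see dbrestore.to')
2020-12-09T10:16:00Z\t   13 Connect\tapp@10.0.0.7 on shop using TCP/IP
2020-12-09T10:16:01Z\t   13 Query\tDROP TABLE tmp_import
2020-12-09T10:16:02Z\t   13 Query\tINSERT INTO orders VALUES (1, 'ok')
"""

# timestamp <tab> connection-id command <tab> argument
LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
# Constructed keyword list; extend it from notes seen in your own incidents.
NOTE_TERMS = re.compile(r"\b(btc|bitcoin|ransom|recover|sqldb\.to|dbrestore\.to)\b", re.I)

def find_ransom_sessions(log_text, min_drops=2):
    """Return {connection_id: details} for sessions that drop at least
    min_drops tables and afterwards insert text that looks like a ransom note."""
    sessions = defaultdict(lambda: {"drops": [], "note": None, "client": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, cmd, arg = m.groups()
        s = sessions[conn]
        if cmd == "Connect":
            s["client"] = arg.split(" on ")[0]          # user@host
        elif cmd == "Query":
            q = arg.strip()
            if re.match(r"drop\s+table", q, re.I):
                s["drops"].append(q)
            elif re.match(r"insert\s+into", q, re.I) and s["drops"] and NOTE_TERMS.search(q):
                s["note"] = (ts, q)                     # note written after the drops
    return {c: s for c, s in sessions.items() if len(s["drops"]) >= min_drops and s["note"]}

if __name__ == "__main__":
    for conn, s in find_ransom_sessions(SAMPLE_LOG).items():
        print(f"conn {conn} from {s['client']}: dropped {len(s['drops'])} tables, note at {s['note'][0]}")
```

Connection 13 drops a single table and inserts ordinary data, so it is not flagged; raising `min_drops` trades missed cases for fewer false positives on legitimate schema migrations.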


Victims who access the gang's sites are asked to enter a unique ID, found in the ransom note, before being presented with the page where their data is being sold.


If victims don't pay within a nine-day period, their data is put up for auction on another section of the portal.


The price for recovering or buying a stolen database must be paid in bitcoin. The actual price has varied across the year as the BTC/USD exchange rate fluctuated but has usually remained centered around a $500 figure for each site, regardless of the content they included.

This suggests that both the DB intrusions and the ransom/auction web pages are automated and that attackers don't analyze the hacked databases for data that could contain a higher concentration of personal or financial information.

Signs of these ransom attacks have been piling up over the course of 2020, with complaints from server owners who found the ransom note inside their databases popping up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.

Bitcoin addresses used for the ransom demands have also been piling up on BitcoinAbuse.com, a website that indexes Bitcoin addresses used in cybercrime operations.

These attacks mark the most concerted effort to ransom SQL databases since the winter of 2017, when hackers hit MySQL servers in a series of attacks that also targeted MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers.
