Posted on December 10, 2020 at 6:37 PM
Bitcoin ransom attacks have grown considerably alongside the rise of the cryptocurrency market this year. Attackers are now using a wide range of tools and hacking methods to compromise servers and steal files, and most of them sell the stolen data on the darknet when ransom negotiations with the victims don’t go well.
A recent report revealed that hackers successfully breached security systems to steal over 85,000 SQL databases, which they then put up for sale on a dark web portal.
There have been several victims of ransomware attacks this year, and with the adoption of more technology each year, the hackers may not stop anytime soon.
According to the report, hackers put the 85,000 SQL databases up for sale on the darknet for a reported price of only $550 per database.
Hackers Now Using Addresses On The Dark Net
In most cases after a ransomware attack, the threat actor usually leaves a ransom note requesting the victim to contact them via email. However, the threat actors have changed their communication medium from emails to the web portal.
One such web portal was allegedly hosted on the sqibd.to website and later on the dbrestore.to website. However, the hackers have since moved their communication medium to an address located on the darknet.
When the victims access the hacking group’s website, they are requested to use the ID left on the ransom note before accessing the ransom demand page. Unsurprisingly, the ransomware gang usually asks the victims to pay the ransom in Bitcoin.
Because payment is demanded in Bitcoin, the hackers have varied their ransom price throughout the year as the Bitcoin exchange rate changes regularly.
From the available information, it seems that both the ransom/auction web pages and the DB intrusions are automated. This means the ransomware group did not analyze the stolen data to price each database according to its level of importance.
Some of the stolen data contain financial information while others contain personal information. However, the hackers lumped everything together without any distinction between them.
In the past, it was easier to identify these attackers because the hacking groups usually placed their ransom demands in an SQL table with the caption “WARNING.”
Hackers have been busy breaking into SQL databases to download tables, delete the originals, and leave ransom notes for the victims to contact them. It is not clear how many of the victims agreed to pay the ransom to get their database back. But with the recent sale of such a massive number of databases on the darknet, it seems ransom negotiations with many victims didn’t go well.
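The two observable traces this article describes, a ransom-note table with a caption such as “WARNING” left in the database and a Bitcoin address inside the note, are things a defender can audit for. The following script is an added example written for this page, not code from the report or from any of the sites named above. It assumes a note table can be spotted by name (the article only mentions “WARNING”; the README/RECOVER patterns are an assumption), extracts candidate legacy Bitcoin addresses from the note text and validates their Base58Check checksum so that only well-formed addresses are recorded as indicators. The demo runs against an in-memory SQLite database constructed inline to stand in for a compromised MySQL schema; the `information_schema` query for a real MySQL server is included as a constant but not executed here.

```python
import hashlib
import re
import sqlite3

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy addresses: start with 1 or 3, Base58 charset, 26-35 chars.
BTC_CANDIDATE_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Table-name patterns treated as ransom notes. "WARNING" is from the article;
# the other two are assumptions about common note names, adjust as needed.
NOTE_TABLE_RE = re.compile(r"^(WARNING|README|RECOVER)", re.IGNORECASE)

# Query to run against a real MySQL server (not executed in this demo).
MYSQL_TABLE_QUERY = (
    "SELECT table_schema, table_name FROM information_schema.tables "
    "WHERE UPPER(table_name) LIKE 'WARNING%'"
)

# Constructed sample note; the address is the well-known genesis-block address.
DEMO_NOTE = (
    "To recover your database send 0.05 BTC to "
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and contact us with ID demo-1234."
)


def b58decode(text):
    """Decode a Base58 string to bytes; return None on an invalid character."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    # Each leading '1' encodes one leading zero byte.
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_btc_address(addr):
    """Check the 4-byte double-SHA256 checksum of a 25-byte legacy address."""
    raw = b58decode(addr)
    if raw is None or len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_btc_addresses(text):
    """Return checksum-valid legacy addresses found in free text, in order."""
    return [m for m in BTC_CANDIDATE_RE.findall(text) if is_valid_legacy_btc_address(m)]


def suspicious_table_names(names):
    """Filter a list of table names down to those that look like ransom notes."""
    return [n for n in names if NOTE_TABLE_RE.match(n)]


def scan_sqlite(conn):
    """Map each note-like table to the validated BTC addresses found in its rows."""
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    findings = {}
    for name in suspicious_table_names(names):
        quoted = '"' + name.replace('"', '""') + '"'
        found = set()
        for row in conn.execute(f"SELECT * FROM {quoted}"):
            for cell in row:
                if isinstance(cell, str):
                    found.update(extract_btc_addresses(cell))
        findings[name] = sorted(found)
    return findings


def build_demo_db():
    """Constructed stand-in for a hit database: real data gone, note table left."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT)")
    conn.execute('CREATE TABLE "WARNING" (id INTEGER, note TEXT)')
    conn.execute('INSERT INTO "WARNING" VALUES (1, ?)', (DEMO_NOTE,))
    conn.commit()
    return conn


def scan_demo():
    return scan_sqlite(build_demo_db())


if __name__ == "__main__":
    for table, addrs in scan_demo().items():
        print(f"note table {table!r}: addresses {addrs}")
```

The checksum step matters for reporting: a mistyped or truncated address would be a useless indicator, and submitting only validated addresses to an abuse index keeps the record clean. Bech32 (`bc1…`) addresses use a different encoding and are not covered by this validator.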
Ransomware Attacks Have Increased
Several victims of ransomware attacks have complained and admitted to receiving ransom notes hidden in their databases. Those who don’t comply with the ransom demands usually see their stolen database exposed on the dark web.
Judging from the complaints received from victims, most of the hacked databases seem to come from MySQL servers, but other SQL-based databases such as MSSQL and PostgreSQL may have been included in the attack as well.
The number of Bitcoin addresses used by cybercriminals to collect ransom payments has also been increasing on the Bitcoin address index site BitcoinAbuse.com.
The Most Notorious MySQL Attack Since 2017
According to Bleeping Computer, the group of hackers responsible for these intrusions used the most sophisticated efforts and tools to steal from their victims, and this level of activity has not been seen since 2017.
In 2017, threat actors breached MySQL servers in a series of attacks that also targeted CouchDB, Cassandra, Hadoop, Elasticsearch, and MongoDB servers.
The recent attack has been described as the most notorious since the 2017 campaign. The use of Bitcoin as the ransom payment method has helped keep the hackers hidden, as the decentralized payment system does not offer a way to trace wallet users.