More than 85,000 SQL databases are for sale on a hacker portal on the darknet for $550 per database. Cybercriminals use the portal as part of an increasingly popular database ransom scheme, ZDNet writes.
The scheme, which has been in use since early 2020, works as follows: attackers break into an SQL database, download the tables and delete the originals, leaving a ransom note. The note explains how the owner of the database can contact the attackers and negotiate the return of the data.
Initially, the attackers provided an email address, but as the scale of the operation grew significantly over time, they began to point victims to a portal at sqldb.to and dbrestore.to, which was later moved to the darknet. After going to this address, the victim must enter the unique identifier specified in the ransom note, after which a page offering the database for sale opens. If the victim does not pay the ransom within nine days, the data is put up for auction in another section of the portal.
The ransom must be paid in bitcoin. Over the course of the year, the amount varied as the bitcoin rate changed, but on average it was about $500 per site, regardless of its content.
The processes of hacking and selling databases are automated, and cybercriminals do not analyze the contents of compromised databases.
The attacks are easy to detect because the attackers usually place the ransom note in SQL tables with the heading “WARNING”. While most of the compromised databases are MySQL servers, other SQL databases such as PostgreSQL and MSSQL may have been affected as well.
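A defender can check a server for this marker with a query over the table catalogue. The query below is an added example, not taken from the article or from ZDNet; it assumes a MySQL server, an account that can read `information_schema`, and that the note is stored in a table literally named `WARNING` (matched case-insensitively).

```sql
-- Added example (assumptions: MySQL; ransom note table is named WARNING).
-- For every user schema that contains a WARNING table, report how many
-- other tables remain. A schema where other_tables = 0 matches the pattern
-- described above: original tables deleted, only the note left behind.
SELECT
    t.table_schema,
    SUM(CASE WHEN UPPER(t.table_name) =  'WARNING' THEN 1 ELSE 0 END) AS warning_tables,
    SUM(CASE WHEN UPPER(t.table_name) <> 'WARNING' THEN 1 ELSE 0 END) AS other_tables,
    -- Creation time of the note table gives a first estimate of when the
    -- intrusion happened, useful for scoping log review and backups.
    MIN(CASE WHEN UPPER(t.table_name) =  'WARNING' THEN t.create_time END) AS warning_created
FROM information_schema.tables AS t
WHERE t.table_type = 'BASE TABLE'
  -- Skip MySQL's own system schemas.
  AND t.table_schema NOT IN ('information_schema', 'mysql', 'performance_schema', 'sys')
GROUP BY t.table_schema
HAVING SUM(CASE WHEN UPPER(t.table_name) = 'WARNING' THEN 1 ELSE 0 END) > 0
ORDER BY other_tables ASC, t.table_schema;
```

An empty result means no schema on the server contains a table with that name; a hit with surviving tables may be a legitimate application table and needs manual review.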