The popularity of the database platform has not gone unnoticed by the unscrupulous entities that engage in cybersecurity attacks with nefarious intentions. cybercriminals are always looking for new and ingenious ways to cause havoc with your IT environment. Their intrusions can take many forms, from implanting malware in an attempt to steal login credentials to randomly deleting data on your systems.

A type of cyber attack called ransomware. This is a specific form of malware whose goal is to encrypt the data on an infected server. This makes the data inaccessible to users and can cripple an organization. The criminals behind the attack claim they will unencrypt the data if their financial demands are met. Paying the ransom may or may not get your data back. Remember, you are dealing with criminals and their word is not to be trusted.


How to identify if your mysql database is hacked

recently the database which is hosted on cloud got hacked and upon investigation found the database structured has been modified and new database along with the new table and user was created by the attacker.

 crime scene pictures has been captured , hope this will help you to understand better.

  1. Scene one a new database 'warning' is got created , along with the new table 'WARNING' with the a ransom text

2. Scene Two a new user 'server'  created .

a new user called sever is present

3. Scene Three  to analyze  copied the DB files to local PC and MS window security has detected the trojan virus.  In the mysql database few .exe file are copied by hacker.

Microsoft Security Essentials tools detected trojan virus

MySQL Ransomware Attacks

MySQL databases have become a target for cybercriminals. The large installed base of the software provides many potential victims of financial blackmail. Even if only a fraction of the attacks are successful, the criminals stand to take down a lot of systems and possibly make some serious money.

Recently, MySQL servers began being hit with attacks trying to implant a ransomware weapon known as GandCrab. The perpetrators behind the ransomware have been targeting specific environments in attempts to thwart defensive actions.

Security experts at Sophos have researched the GandCrab malware and have made some interesting discoveries. For one, though the IP address of the server hosting the sample of the code under study is in Arizona, the user interface of the HFS installation is in simplified Chinese. This suggests that there may be an international cybercriminal team behind these attacks who have compromised a US server.

The security firm used a honeypot designed to lure hackers so their tools can be studied and appropriate defenses developed. They were listening on the default TCP port for MySQL servers which is 3306. The attack was executed in stages with the first step verifying that the database server in question was running MySQL.

Once that was determined, the set command was used to upload the bytes to construct a helper DLL. The DLL was used to add three malicious functions to the database. These functions were employed to download the GandCrab payload from a remote machine and place it in the root of the C: drive with the name isetup.exe and then executed the program.

At this point, your system has been infected and your files will be encrypted. Hopefully, you have a robust backup and recovery policy and can recover your system without resorting to acceding to the ransom demands.


Tricks used by Hackers and How to Prevent

Hackers are searching for MySQL logins that are not properly protected. This may be due to a weak password or in some default installation password, no password at all. Failure to protect your MySQL database may allow hackers to turn it into a launching pad for malware. Here are few suggestions for protecting your MySQL servers from ransomware:

  • Always use strong passwords.
  • Eliminate the ability to directly access your MSQL servers from the Internet.
  • Monitor your MySQL control settings.
  • Keep Backup of Database

References:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FMalex.gen!E&threatid=2147626106&enterprise=0

https://blog.monyog.com/protecting-your-mysql-servers-from-ransomware/