Researchers find cyber crooks going after MySQL databases & offering shady promises to give you your data back.


***Updated 2-27-17: MySQL said it will not comment***


Where do Facebook, Yelp and YouTube store your information? 

At least some of their massive data troves go into databases managed by a company called MySQL, according to the company site.

Now, the MySQL databases are under attack, researchers said in a post today.

Someone is hacking their way in and deleting the data, reported cybersecurity company GuardiCore.

The digital ransackers then leave a message saying they will give you your data back if you pay up, not unlike the ransom attacks on MongoDB databases reported at the beginning of January.

But that may be a false promise.

The MySQL attackers don’t seem to actually take your data with them, researchers said, so they may have nothing to give you if you fork over the ransom.

“We couldn’t find any evidence of data exfiltration,” GuardiCore Research Leader Ofri Ziv told Archer News. “They simply left the ransom note, deleted the data and disconnected.”

One of two MySQL attack ransom notes. Image credit: GuardiCore MySQL post.


‘Extremely popular’ 

It’s not just Facebook and YouTube who use the database management company.

MySQL—pronounced “My S-Q-L”—lists big-name customers like NASA, the US Navy, WhiteHouse.Gov, Sears, MTV, LinkedIn and more.

“MySQL is an extremely popular database,” said Ziv. “There are many services we all use that are hosted on MySQL databases, since they are cheap and easy to deploy.”

The attack started February 12, lasted about 30 hours, and included hundreds of sorties, GuardiCore said in its report.

No single target emerged.

“The fact that we watched this attack targeting multiple data centers with totally different purposes led me to believe this attack isn’t targeting any specific region or company,” Ziv said.


MySQL calls itself “the world’s most popular open source database.” Photo credit: Kevin Severud via / CC BY-SA



First, the attackers crack the database password, GuardiCore reported.

Then, they create a new database with a table called “WARNING” that holds the demand message, or take an existing database and add a new table called “PLEASE_READ.”

“Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!” reads one of the messages GuardiCore found.


But the promised “dump”—your data—may be long gone.

“The attacker will then delete the databases stored on the server and disconnect, sometimes without even dumping them first,” the report said.

If the attackers delete your copy and don’t take out the data with them, then who has it? Maybe no one. That means if you pay the .2 bitcoin demand—worth about $200—you could end up with nothing.
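The sequence described above (a note table named WARNING or PLEASE_READ, then database drops) can be looked for in server logs. This is an added example, not code from GuardiCore or MySQL; it assumes the general query log was enabled, uses constructed log lines in a simplified layout, and `triage` and its field names are hypothetical. It also lists which dropped databases the connection never read, which bears on whether a copy can exist.

```python
import re
from collections import defaultdict

NOTE_TABLES = {"warning", "please_read"}  # note-table names given in the article
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query|Quit|Init DB)\s*(.*)$")
CREATE = re.compile(r"\bcreate\s+table\s+(?:if\s+not\s+exists\s+)?(?:`?\w+`?\.)?`?(\w+)", re.I)
DROP = re.compile(r"\bdrop\s+(?:database|schema)\s+(?:if\s+exists\s+)?`?(\w+)", re.I)
READ = re.compile(r"\bselect\b.+?\bfrom\s+(?:`?(\w+)`?\.)?`?\w+", re.I)

# Constructed sample (assumed layout: time, connection id, command, argument).
SAMPLE_LOG = """\
2017-02-12T03:10:01Z 41 Connect root@203.0.113.9 on  using TCP/IP
2017-02-12T03:10:02Z 41 Query CREATE DATABASE PLEASE_READ
2017-02-12T03:10:02Z 41 Query CREATE TABLE PLEASE_READ.`WARNING` (id INT, warning VARCHAR(255))
2017-02-12T03:10:03Z 41 Query DROP DATABASE shop
2017-02-12T04:00:00Z 42 Connect admin@198.51.100.20 on staging using TCP/IP
2017-02-12T04:00:01Z 42 Query DROP DATABASE IF EXISTS staging_tmp
2017-02-12T05:20:00Z 43 Connect root@203.0.113.9 on  using TCP/IP
2017-02-12T05:20:01Z 43 Init DB crm
2017-02-12T05:20:02Z 43 Query SELECT /*!40001 SQL_NO_CACHE */ * FROM `customers`
2017-02-12T05:20:03Z 43 Init DB blog
2017-02-12T05:20:04Z 43 Query CREATE TABLE `PLEASE_READ` (id INT, note TEXT)
2017-02-12T05:20:05Z 43 Query DROP DATABASE crm
2017-02-12T05:20:06Z 43 Query DROP DATABASE wiki
"""

def triage(log_text):
    """Return findings for connections that left a note table AND dropped a database."""
    sess = defaultdict(lambda: {"client": None, "db": None, "notes": [], "dropped": [], "read": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, conn, cmd, arg = m.groups()
        s = sess[conn]
        if cmd == "Connect":
            s["client"] = arg.split(" on ")[0]
        elif cmd == "Init DB":  # logged when the client switches database (USE)
            s["db"] = arg.strip().lower()
        elif cmd == "Query":
            if (c := CREATE.search(arg)) and c.group(1).lower() in NOTE_TABLES:
                s["notes"].append(c.group(1))
            elif d := DROP.search(arg):
                s["dropped"].append(d.group(1).lower())
            elif r := READ.search(arg):  # schema-qualified name, else current database
                s["read"].add((r.group(1) or s["db"] or "").lower())
    return {conn: {"client": s["client"], "note_tables": s["notes"], "dropped": s["dropped"],
                   "dropped_without_read": [d for d in s["dropped"] if d not in s["read"]]}
            for conn, s in sess.items() if s["notes"] and s["dropped"]}
```

A database listed under `dropped_without_read` was deleted by a connection that never selected from it, so that connection cannot have copied it; an empty list does not prove a copy exists.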

Archer News has contacted MySQL for more information.



The darknet website mentioned in one of the MySQL attack ransom notes, according to GuardiCore. Image: GuardiCore MySQL post.


Payment made

Someone is making payments. 

GuardiCore found evidence of money going in and out of the attackers’ bitcoin wallets.

“Naturally we cannot tell whether the transfer was made by the victims or by the attacker himself to make his victims feel more confident about paying,” the report noted.

Researchers tracked down the IP address of the attackers:, hosted by, an Internet service provider and web-hosting company based in the Netherlands.

GuardiCore said Worldstream was notified about the attack.


Bitcoin information shows payment made to the attackers’ wallet, according to GuardiCore. Image: GuardiCore MySQL post.



Attackers carried out similar attacks on databases at another company—MongoDB—after Christmas 2016, eventually hijacking 33,000 databases, according to SecurityWeek.

They also demanded .2 bitcoin and simply deleted databases, rather than saving the data to give back to the victim once they paid up.

Researcher Victor Gevers—who first reported the MongoDB attack and sent out warnings about the problem—said many companies were hit, including healthcare, financial services, travel and online gambling companies, SecurityWeek wrote.

MongoDB wrote a post on how you can protect yourself if you use its services.

Some cybersecurity experts predicted in January that other database services like MySQL could be next in line.


Attackers hit MongoDB databases after Christmas 2016. Photo credit: junyaogura via / CC BY


Protect yourself

You may not feel the attack on a personal level, but you probably interact with at least one of the companies that use MySQL. 

If you do get hit, Ziv has advice for you.

“Whatever you do, ask for a proof of life from the attackers and request them to show you evidence they hold your data,” he said.

If your company uses MySQL, GuardiCore offers these recommendations:

—Every MySQL server facing the internet is prone to this attack, so ensure your servers are hardened. 

—Make sure your servers require authentication and that strong passwords are being used. 

—Minimizing internet-facing services, particularly those containing sensitive information, is also a good practice. 

—Monitoring your internet-accessible machines/services is crucial to being able to rapidly respond to any breach. 

—Periodic data backup could allow you to restore most of your valuable data without the need to interact with the attacker and provide you with a backup plan should a similar attack occur. 


Featured image: MySQL attack ransom notes. Image credit: GuardiCore MySQL post.