Hundreds of MySQL databases have been hit in ransomware attacks, which were described as “an evolution of the MongoDB ransomware attacks,” according to security vendor GuardiCore. Travis Smith, Senior Security Research Engineer at Tripwire, commented below.
Travis Smith, Senior Security Research Engineer at Tripwire:
“The evolution of database-targeted ransomware started with MongoDB and transitioned to Elasticsearch. These two products could be installed without any authentication mechanism. When deployed to the internet with default configurations, the databases were world-writable. When installing MySQL, you’re prompted for a password which protects against ransomware attacks. What these attackers are doing is guessing the root password via brute-force attacks. In practice, this is a very inefficient attack vector.
The adaption from MongoDB to MySQL can be expected. Databases hold some of the most sensitive information on the internet. Because of this, the value of the data can be exponentially greater than the data traditional ransomware targets.
MySQL can provide decent security out of the box, with enhanced protections available quite easily. By issuing the mysql_secure_installation command, users can follow a walkthrough on hardening their installations to protect against attacks like this. A good rule of thumb is protecting the root account with a long and complex password in addition to preventing login from the internet, preferably only allowing local authentications.”
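
The checks recommended in the comment above (root limited to local logins, no passwordless accounts, server not listening on the internet) can be audited offline. The sketch below is an added example, not code from the article, Tripwire or GuardiCore. The function names, the sample data and the (user, host, password_set) row format are assumptions, as is treating an unset bind-address as "all interfaces".

```python
import configparser

LOCAL = {"localhost", "127.0.0.1", "::1"}

# Constructed sample inputs for illustration (not taken from the article).
SAMPLE_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""
# Assumed export of the account table as (user, host, password_set) rows.
SAMPLE_USERS = [
    ("root", "localhost", True),
    ("root", "%", True),
    ("", "localhost", False),
    ("app", "10.0.0.5", True),
]

def audit_config(cnf_text):
    """Return findings if the [mysqld] section listens beyond loopback."""
    # Drop !include directives, which configparser cannot parse.
    body = "\n".join(l for l in cnf_text.splitlines()
                     if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(body)
    opts = {}
    if cp.has_section("mysqld"):
        # my.cnf accepts both bind_address and bind-address spellings.
        opts = {k.replace("_", "-"): v for k, v in cp.items("mysqld")}
    off = opts.get("skip-networking", "0")
    if off is None or off.lower() in ("1", "on", "true"):
        return []  # TCP networking disabled, local socket only
    bind = opts.get("bind-address") or "*"  # assumption: unset = all interfaces
    if bind not in LOCAL:
        return [f"mysqld listens on {bind}, not loopback only"]
    return []

def audit_users(rows):
    """Flag remote root, anonymous and passwordless accounts."""
    findings = []
    for user, host, password_set in rows:
        name = f"'{user}'@'{host}'"
        if user == "root" and host not in LOCAL:
            findings.append(f"{name}: root login allowed from non-local host")
        if user == "":
            findings.append(f"{name}: anonymous account")
        if not password_set:
            findings.append(f"{name}: no password set")
    return findings
```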