Over 85,000 SQL Databases for Sale on the Darknet
According to a report by ZDNet, citing an unnamed cybersecurity researcher, more than 85,000 SQL databases are being sold on the darknet at a price of around $550 each. The website facilitating these sales is part of a large-scale extortion scheme that has been active since early 2020.
Complaints about these types of database attacks have appeared on platforms such as Reddit, MySQL forums, tech support forums, Medium blogs, and private blogs. The hackers break into SQL databases, download the data, delete the originals, and leave ransom notes for the owners, demanding payment if they want their data restored.
How the Scheme Works
Initially, victims were instructed to contact the attackers via email. Over time, however, the hackers automated their process using a website that was first hosted on sqldb.to and dbrestore.to, before moving to the darknet. On this site, victims are asked to enter a unique identifier found in the ransom note, which then takes them to a page where their stolen data is offered for sale.
If victims do not pay within nine days, their data is put up for public auction in another section of the site.
Ransom Demands and Automation
The cost to recover or purchase a stolen database may vary slightly due to fluctuations in the Bitcoin-to-dollar exchange rate. Typically, the ransom is about $500 in cryptocurrency, regardless of the database content or the affected website. This has led journalists to believe that the attackers do not analyze the stolen databases and that the process is fully automated.
The Bitcoin addresses used by these groups are gradually being collected on BitcoinAbuse.com. These attacks are easy to identify, as the hackers usually include the word "WARNING" in their ransom notes.
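A small triage helper based on the two indicators the report gives (a "WARNING" ransom note left behind and a Bitcoin payment address), written as an added example for this page rather than code from ZDNet or the researcher. It assumes a scan of the server has already been flattened into a dict of schema -> table -> row text; the sample below is constructed, including the table name and the address.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what a flattened scan of a MySQL instance might look like:
# schema name -> table name -> list of row values rendered as text.
# The "shop" schema has been wiped down to a single note table; "blog" is intact.
SAMPLE_SCAN = {
    "shop": {
        "recover_your_data": [  # hypothetical table name
            "WARNING: your database was downloaded and deleted. To recover it send "
            "0.03 BTC to 1ExampLeAddrXXXXXXXXXXXXXXXXXXXX (constructed address) and "
            "enter your unique ID d3adb33f-0001 on our site.",
        ],
    },
    "blog": {
        "wp_posts": ["Hello world", "Second post"],
        "wp_users": ["admin"],
    },
}

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes; good enough for triage.
BTC_ADDR = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)
NOTE_MARKER = re.compile(r"\bWARNING\b")


@dataclass
class Finding:
    schema: str
    table: str
    btc_addresses: list = field(default_factory=list)
    only_table_left: bool = False  # note table is all that remains of the schema


def find_ransom_notes(scan):
    """Return one Finding per table whose name or rows carry the WARNING marker."""
    findings = []
    for schema, tables in scan.items():
        for table, rows in tables.items():
            text = table + "\n" + "\n".join(rows)
            if not NOTE_MARKER.search(text):
                continue
            addrs = sorted(set(BTC_ADDR.findall(text)))
            findings.append(Finding(schema, table, addrs, len(tables) == 1))
    return findings
```

Addresses pulled out this way can be checked against BitcoinAbuse.com before paying attention to the note itself.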
Targeted Systems
Most of the compromised databases appear to be from MySQL servers, but it is possible that other systems, including PostgreSQL and MSSQL, have also been affected.