As ZDNet reported, hackers have been selling over 85,000 databases on the dark web for around $500 worth of Bitcoin each. Most of these have been identified as MySQL databases, and complaints from owners have increased throughout the year. The campaign has been running since the start of 2020, and the process has since been automated.
Automation of Stealing and Selling Databases
A database-selling campaign has reportedly been active since the start of this year, in which hackers steal MySQL databases and leave ransom notes telling owners to contact them for a settlement.
In the initial incidents, the ransom notes left on the servers reportedly asked owners to get in touch for customized pricing; later, the process was automated.
Initially, the hackers pointed victims to two surface-web websites where they could recover their databases, but they later moved to an onion address, which is now given in the ransom notes along with a unique ID assigned to each victim.
Visiting the specified onion address takes victims to a page where they are asked to enter their unique ID to check whether any of their databases were stolen and listed. If one is listed, they are asked to pay the specified amount within a given time limit to recover it and have it pulled from auction.
The time limit is basically a 9-day period; if the owner fails to pay the ransom (around $500 worth of Bitcoin for each database), the hackers put the database up for sale via auction. Owners then have to buy back their database like any other bidder in the auction.
This indicates that the hackers have not been checking the databases manually to give them a custom price, and have instead automated the process of stealing and selling them through their site. As ZDNet checked, most of the databases were MySQL-based, and some were PostgreSQL and MSSQL.