PLEASE_READ_ME Ransomware


The PLEASE_READ_ME Ransomware is a potent threat deployed in an ongoing campaign that has been active since January 2020. The attackers use brute-force tactics to compromise MySQL servers that have weak credentials. Roughly 5 million servers are potentially exposed to the campaign.

The PLEASE_READ_ME campaign can be separated into two distinct phases. The first one took place between January and November 2020 and carried the characteristics of a typical ransomware operation: the targeted servers were compromised, the databases were encrypted, and the threat left a ransom note with instructions. Victims were told to send a specific amount of bitcoin to a crypto wallet address provided in the note and to contact an email address, also found in the note, for any additional details. The criminals gave their victims ten days to perform the transaction. Tracing the detected wallets revealed that the hackers had amassed close to 1.3 Bitcoin from ransoms, which at the current exchange rate is approximately $25,000.

The second phase of the campaign introduced significant changes. Victims no longer needed to establish communication through email messages. Instead, the cybercriminals set up a dedicated website hosted on the TOR network that contained an interactive dashboard. The hackers also adopted a two-pronged tactic: they compressed selected victims' data into a zip archive, exfiltrated it to their own servers and then deleted the information from the compromised databases. All stolen information is then added to a 'repository' section on the TOR website, where it is auctioned for sale. A total of 250,000 different databases obtained from 83,000 breached servers were successfully listed on the hackers' website. The starting price of each database is 0.03 BTC.

The PLEASE_READ_ME Ransomware still dropped a ransom note during the second phase of the campaign. The instructions were contained in a database table named WARNING. According to the note, affected victims have to pay 0.08 BTC to get their stolen data back.

It should be noted that the threat establishes a backdoor mechanism. A new user account, 'mysqlbackups'@'%', is added to the compromised MySQL server and can then be used as an entry point to the system at any point in the future. The '%' host part means the account is allowed to connect from any address.

The full text contained in the WARNING table is:

'INSERT INTO `WARNING` (`id,` `warning,` `website,` `token`) VALUES (1, 'To recover your lost databases and avoid leaking it: …. and enter your unique token ffc7e276a3c7ef27 and pay the required amount of Bitcoin to get it back. Databases that we have: Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise. To access this site you have use the tor browser', 'http://hn4wg4o6s5nc7763.onion', 'ffc7e276a3c7ef27');'
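Defenders can hunt for the three observable traits described above (brute-force login failures, the 'mysqlbackups' backdoor account, and the WARNING table) in MySQL logs. The following is an added example, not code from the advisory or from the campaign; the log lines are constructed in the shape of MySQL's general_log, and the format, IPs and timestamps are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of MySQL's general_log (timestamp, connection id,
# command, argument). The format, IPs and timestamps are assumptions, not from the advisory.
SAMPLE_LOG = """\
2020-12-10T12:00:01.000000Z\t   12 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T12:00:02.000000Z\t   13 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2020-12-10T12:00:03.000000Z\t   14 Connect\tAccess denied for user 'admin'@'203.0.113.5' (using password: YES)
2020-12-10T12:00:04.000000Z\t   15 Connect\troot@203.0.113.5 on  using TCP/IP
2020-12-10T12:00:05.000000Z\t   15 Query\tCREATE USER 'mysqlbackups'@'%' IDENTIFIED BY '***'
2020-12-10T12:05:00.000000Z\t   17 Connect\tmysqlbackups@198.51.100.9 on  using TCP/IP
2020-12-10T12:05:01.000000Z\t   17 Query\tSELECT * FROM `WARNING`
"""

LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")
CONNECT_RE = re.compile(r"^([^@\s]+)@(\S+) on ")
BACKDOOR_USER = "mysqlbackups"  # backdoor account named in the advisory
WARNING_TABLE = "WARNING"       # ransom-note table named in the advisory

def parse(log_text):
    """Yield (timestamp, conn_id, command, argument) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)

def brute_force_sources(log_text, threshold=3):
    """Source hosts with at least `threshold` failed logins (the campaign's entry vector)."""
    failures = Counter()
    for _ts, _cid, _cmd, arg in parse(log_text):
        m = DENIED_RE.search(arg)
        if m:
            failures[m.group(2)] += 1
    return {host: n for host, n in failures.items() if n >= threshold}

def backdoor_indicators(log_text):
    """Creation of or logins by the backdoor account, and any touch of the WARNING table."""
    hits = []
    for ts, cid, cmd, arg in parse(log_text):
        if cmd == "Connect":
            m = CONNECT_RE.match(arg)
            if m and m.group(1) == BACKDOOR_USER:
                hits.append((ts, cid, "backdoor-login"))
        elif cmd == "Query":
            if "CREATE USER" in arg.upper() and BACKDOOR_USER in arg:
                hits.append((ts, cid, "backdoor-created"))
            elif re.search(rf"\b{WARNING_TABLE}\b", arg):
                hits.append((ts, cid, "warning-table"))
    return hits
```

On a live server the same hunt can be done directly with `SELECT user, host FROM mysql.user` and `SELECT table_schema, table_name FROM information_schema.tables WHERE table_name = 'WARNING'`.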

