In recent times it appears that a type of MySQL ransomware has gone up for sale on the dark web, one that can be very destructive to your data if your MySQL server is not properly secured.

This type of ransomware has been around for a while, but it has recently seen a surge in occurrences, so I felt that it would be appropriate to cover it in a post now. For reference, it took a day for this honeypot to get infected.

I don't know the name of the ransomware yet, but what I do know is what it does and that you should never pay to get your data back (spoiler: it's gone).

So how does this ransomware infect your MySQL server? Basically, the script that controls the ransomware will scan the internet for improperly secured MySQL servers and will then brute-force its way in.

After access is gained to the MySQL server the havoc begins, and your server will look a little like this:

What basically happens is that all your tables are dropped, and the message displayed up here is inserted. For good measure they will also insert a new database with the same table.

The message is as follows: To recover your lost databases and avoid leaking it: visit <censor> and enter your unique token d33f1753fb7a8343 and pay the required amount of Bitcoin to get it back. Databases that we have: important_db. Your databases are downloaded and backed up on our servers. If we dont receive your payment in the next 9 Days, we will sell your database to the highest bidder or use them otherwise.

Now imagine that you are a company and all your data was just lost. Whoops. The message states that they have your data. Do you pay? If you answered yes, well shit son, you just lost your money.

To investigate the possibility of getting your data back, I left the MySQL general log on to take a peek at what it actually does. Let's take a look.

First of all, it creates the warning database and table. At this point nothing is wrong with your data yet.

And bada-bing bada-boom your data is gone and all that's left is a warning table.

So practically, your data has been erased and when you pay the attackers you will be left with a lighter wallet and no data.

Now, there is of course the possibility that there is a different variant of this ransomware out there, but I deem the chance very low since these types of "viruses" are often used by what we call script kiddies.

I've already seen a few variants on this server, and the only variety I have seen so far is the name of the warning table (the XMG part).

The takeaway of this post? CONFIGURE YOUR SERVER AND FIREWALL PROPERLY.


Are you a developer? Then your local development machine may also be at risk.

Chances are that at some point you may have opened up your MySQL server for a co-worker or for any other reason. This action alone puts your machine at risk.

Please check your server configuration and ensure it only allows local connections. In addition, it's recommended to close port 3306 in your router / modem.
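
As an added example (not part of the original post), here is a small Python check that reads a my.cnf-style file and reports whether the `[mysqld]` section leaves the server reachable from other machines. The sample configs are constructed and the function names are this example's own. It does not follow include directives, so run it against each included file as well.

```python
import ipaddress

# Constructed sample config for this example (not taken from the post).
SAMPLE_EXPOSED = """\
[client]
port = 3306

[mysqld]
# opened up for a co-worker and never reverted
bind-address = 0.0.0.0
!includedir /etc/mysql/conf.d/
"""
SAMPLE_LOCAL = "[mysqld]\nbind_address = 127.0.0.1\n"

def mysqld_options(text):
    """Options of the [mysqld] section; include files are not followed."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":  # blank, comment, !include directive
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "mysqld":
            key, _, value = line.partition("=")
            # MySQL treats '-' and '_' in option names as equivalent.
            opts[key.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return opts

def audit(text):
    """Return findings; an empty list means no non-local listener is configured."""
    opts = mysqld_options(text)
    if opts.get("skip-networking", "off").lower() in ("", "1", "on", "true"):
        return []  # TCP/IP disabled, socket connections only
    port = opts.get("port", "3306")
    if "bind-address" not in opts:
        return [f"bind-address unset: MySQL default is all interfaces (port {port})"]
    findings = []
    for addr in (a.strip() for a in opts["bind-address"].split(",")):
        try:
            local = addr == "localhost" or ipaddress.ip_address(addr).is_loopback
        except ValueError:
            local = False  # '*' or a hostname: treat as reachable from outside
        if not local:
            findings.append(f"bind-address {addr} accepts non-local connections (port {port})")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPOSED) or "local only")
```

A clean result only covers the configuration file; the router / modem port check mentioned above is still a separate step.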


While your data may not get stolen that easily, the fact that your server may be vulnerable to this ransomware also opens up the door to other nasty MySQL exploits which drop executables into your filesystem.