
PLEASE_READ_ME Ransomware

Posted: December 15, 2020

The PLEASE_READ_ME Ransomware is a campaign that targets weakly-protected MySQL servers and collects their databases, holding them for ransom on the threat actor's website. Unlike most ransomware attacks, these steps don't involve a threatening program that modifies or blocks the files. MySQL server admins should ignore the ransom and keep backups of their files elsewhere to prevent the PLEASE_READ_ME Ransomware attacks from succeeding at the extortion.

Not All Ransoms Come by a Trojan's Hands

While most 'ransomware' involves threats that archive or encrypt data, the same campaigns can instead use non-software-based methods for their attacks. However, the additional effort required means doing so is relatively rare. The PLEASE_READ_ME Ransomware is one of the few examples of such a strategy at work in 2020; it started in January and was initially described as 'malwareless.'

The PLEASE_READ_ME Ransomware's campaign attacks MySQL servers by scanning automatically for targets with weak passwords. By brute-forcing the server's passwords or 'guessing' the login credentials, the attackers gain access, after which they establish a backdoor user account ('mysqlbackups'@'%') for future attacks. There is no significant network traversal, and the campaign's operators appear uninterested in anything other than the immediate contents of the MySQL server's databases.

However, instead of running a file-locking Trojan to encrypt these databases, the PLEASE_READ_ME Ransomware uses a series of scripted commands to package the databases and upload them to the attacker's server. No files are left behind for perusal afterward. However, victims should see a characteristic ransom note. Current versions of the instructions (as of a spike in attacks since October) direct users to a TOR website for the ransom payments and provide an ID that automatically links to the appropriate database and its payment status.

Malware experts also point out that, like the NEFILIM Ransomware, the PLEASE_READ_ME Ransomware demonstrates the growing importance of 'double-dipping' on file-ransoming threats: if the victim doesn't pay, the threat actor may leak the databases, and this threat is not a bluff.

Turning Your Server Around from Danger

The PLEASE_READ_ME Ransomware's attacks are highly indiscriminate, apart from their preference for MySQL databases. Servers fitting this description that are public internet-facing are, by default, at risk from the campaign's operators. Malware researchers stress, in particular, the benefit of securing all account passwords with sufficiently strong and unique strings, which will stop most brute-force attempts in their tracks.

Unlike with file-locker Trojans, which require decryption or other complex retrieval methods, victims of the PLEASE_READ_ME Ransomware don't need to crack a secret code or find a hidden key. However, there is a danger of the threat actor making any stolen database information available to the public. For restoring the data, users also have fewer options than usual: either recovering the files from a non-local backup or adding to this campaign's profits, which currently total over twenty-four thousand USD in Bitcoins.

Victims should avoid ransoms when practical, but the PLEASE_READ_ME Ransomware's campaign is well-engineered and lacks many of the usual data-restoring weak points. Admins should implement preemptive defenses with responsible credentials whenever possible. Users also should monitor accounts for unexpected new ones, which, as in this case, can be symptoms of an attacker's presence.
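One way to act on that advice, as an added example that is not part of the original article: audit the rows of MySQL's user table for the campaign's footprint (the 'mysqlbackups'@'%' account named above), for accounts reachable from any host, for passwordless logins, and for accounts absent from an expected baseline. The rows, the baseline and the hash values below are constructed sample data; a real audit would feed in the output of `SELECT User, Host, plugin, authentication_string FROM mysql.user`.

```python
# Defender-side audit of exported mysql.user rows (added example, not the
# article's own code). The sample rows and baseline below are constructed.

KNOWN_BACKDOOR_USERS = {"mysqlbackups"}   # account name the article reports
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}  # legitimately have no password

def audit_mysql_users(rows):
    """Return (user, host, reason) findings for suspicious accounts.

    rows: iterable of (user, host, plugin, authentication_string) tuples.
    """
    findings = []
    for user, host, plugin, auth in rows:
        if user in KNOWN_BACKDOOR_USERS:
            findings.append((user, host, "matches the campaign's backdoor account name"))
        if host == "%":
            findings.append((user, host, "reachable from any host (Host = '%')"))
        if not auth and plugin not in SOCKET_PLUGINS:
            findings.append((user, host, "empty authentication_string (no password)"))
        if user == "root" and host not in ("localhost", "127.0.0.1", "::1"):
            findings.append((user, host, "root login permitted remotely"))
    return findings

def unexpected_accounts(rows, baseline):
    """(user, host) pairs present in rows but missing from the expected baseline."""
    return sorted({(u, h) for u, h, _, _ in rows} - set(baseline))

# Constructed sample export; hashes are placeholders, not real credentials.
SAMPLE_ROWS = [
    ("root", "localhost", "caching_sha2_password", "$A$005$HASHPLACEHOLDER"),
    ("app", "10.0.0.0/255.0.0.0", "caching_sha2_password", "$A$005$HASHPLACEHOLDER"),
    ("mysqlbackups", "%", "mysql_native_password", "*HASHPLACEHOLDER"),
    ("reports", "%", "mysql_native_password", ""),
]
BASELINE = [("root", "localhost"), ("app", "10.0.0.0/255.0.0.0")]

if __name__ == "__main__":
    for user, host, reason in audit_mysql_users(SAMPLE_ROWS):
        print(f"'{user}'@'{host}': {reason}")
    print("not in baseline:", unexpected_accounts(SAMPLE_ROWS, BASELINE))
```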

The PLEASE_READ_ME Ransomware is less a program than a sequence of events and system commands that carry out a Trojan's operations on a more hands-on basis. Whether or not an attack against a vulnerable server uses programming talent and dropped executable files, every choice of a poor password is, in effect, leaning into the blow.
