85k SQL databases for sale at $550 USD each on hacker forums

Information security specialists report that more than 85,000 SQL databases have been put up for sale on a dark web portal at $550 USD each. The portal appears to be the sales side of a larger extortion scheme: the databases are stolen from compromised servers, held for ransom, and sold off when the owner does not pay.

Databases have become one of the main targets of malicious hackers, who have found ways to compromise these servers with little effort and then threaten the owners with deleting all of their data unless their demands are met.

Although early ransom notes instructed victims to contact the criminals by email, the operators eventually automated their operations and set up a dark web portal to handle negotiations with victims.

[Screenshot: database1012202001.jpg]

The following screenshot shows that, before they can access the site, victims must enter the unique identifier found in their ransom note.

[Screenshot: database1012202002.jpg]

If victims do not pay the ransom within nine days after the incident, their data is auctioned in another section of the portal.

[Screenshot: database1012202003.jpg]

All payments on the platform must be made in Bitcoin. Because the ransom is denominated in Bitcoin, its dollar value moves with the exchange rate; at the time of the report it was worth roughly $500 USD.

After analyzing the website, specialists concluded that the whole process is automated: the threat actors do not inspect the compromised databases for useful information. Incidents linked to this group are easy to recognize because the attackers leave their ransom note in a table named “WARNING” inside the compromised database.

Most of the compromised databases appear to belong to MySQL servers, although experts do not rule out that other database systems (such as PostgreSQL or MSSQL) may have been hit as well.
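The “WARNING” table described above is a concrete indicator a database administrator can hunt for. The following queries are an added example, not part of the original report or the attackers' tooling; they assume a MySQL or MariaDB server (the platform the report says most victims run), an account that can read information_schema and the mysql system schema, and, for the general-log query, that query logging has been enabled with log_output=TABLE. The table name WARNING comes from the report; everything else is an assumption.

```sql
-- Added example (not from the original report): hunting for the extortion
-- indicator on a MySQL / MariaDB server.

-- 1. Find any table named WARNING, in any schema, and when it was created.
--    Matching case-insensitively covers servers where lower_case_table_names
--    folded the name.
SELECT table_schema, table_name, create_time, table_rows
FROM   information_schema.tables
WHERE  UPPER(table_name) = 'WARNING'
ORDER  BY create_time;

-- 2. Read the note left in each hit. Replace <schema> with a schema returned
--    by query 1; the column layout of the note table is not known, so select *.
-- SELECT * FROM `<schema>`.`WARNING`;

-- 3. Corroborate with the server's own log, if the general log is written to a
--    table (SET GLOBAL log_output = 'TABLE'; SET GLOBAL general_log = 'ON').
--    This shows which user@host created the table and what else that session ran.
SELECT event_time, user_host, command_type, argument
FROM   mysql.general_log
WHERE  argument LIKE '%WARNING%'
   OR  argument LIKE 'DROP %'
ORDER  BY event_time;

-- 4. Scope check (assumption, not stated in the report): list accounts that may
--    log in from any host. A remote actor needs such an account, and legitimate
--    accounts should be bound to specific hosts or networks.
SELECT user, host, plugin
FROM   mysql.user
WHERE  host IN ('%', '')
ORDER  BY user;
```

Query 1 is the quick triage check; a hit does not by itself say what was taken, which is why query 3 pulls the surrounding session activity (including any DROP statements) from the general log, and why the log needs to have been enabled before the incident for that step to yield anything.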

Samples of these attacks have been detected throughout 2020, with victims posting the ransom notes on Reddit, MySQL forums, technical support platforms, and all kinds of personal and business blogs.