Your MySQL Servers Are Being Targeted By Ransomware

by Jan 24, 2020

There are many unscrupulous entities determined to compromise your systems with malware infections. In the early days of the IT industry, the goal of most of these hackers was to cause damage to file systems and generally disrupt an organization’s computer operations. Denial of service attacks and corrupt files were problematic, but in most cases, the affected parties could recover without incurring any longterm damage.

The forces behind modern malware often have more malicious intentions and pose significant risks to infected systems. Ransomware is a particularly virulent form of malware that attempts to extort money from its victims by denying them access to their data. Companies that are not prepared for an infection may have to part with substantial sums to regain control over their information assets.

Most ransomware attacks are conducted with similar tactics that involve tempting users into clicking on a link or opening an email attachment. Infection can quickly spread through a network and impact other systems. The rogue program then encrypts the system’s data and makes it unavailable to users. After that, it notifies the infected entity of its predicament and demands financial compensation for the privilege of regaining access to its data.

The Evolution of Ransomware

Ransomware has been gaining more notoriety in recent years but has been around for longer than you might think. The first known case of a ransomware attack was perpetrated in 1989 by an AIDS researcher who distributed infected floppy disks to other researchers across the world. It remained hidden on users’ machines until the computer was turned on 90 times. At this point, it demanded a ransom of several hundred dollars for a software lease.

The first wave of ransomware criminals usually used homegrown encryption code which could be subverted by security professionals. Today, they are more likely to be using off-the-shelf encryption tools that are essentially unbreakable. Data encrypted in this manner almost always requires a decryption key. The key is obtained by the infected enterprise when the criminals’ demands are met.

It is becoming ever more expensive to obtain these keys as the criminal enterprises behind ransomware target larger organizations that have the ability to pay. State and local governments are especially prone to these attacks, and in some cases have paid very large sums of money to get their data back. In 2019, two Florida cities paid over $500,000 in ransom to get their systems up and running again.

Failing to pay can be even more costly, as the city of Atlanta found out after being infected with the SamSam ransomware. Rather than pay the approximately $50,000 the hackers demanded, the city chose to decline their offer and recover the systems on their own. It proved to be the wrong decision, as the recovery cost the city $2.6 million. Episodes like this make many organizations lean toward paying the ransom if they are infected.

The CLOP Ransomware Variant

The specific ransomware known as CLOP is a variation of the CryptoMix malware which encrypts users’ data using the high-powered RSA and AES algorithms. It has been around in some form since 2017 and was not a particularly distinctive example of ransomware. It did its job quietly and effectively, reaping financial gain for those spreading the infection.

CLOP’s developers did not rest on their laurels and continued to pack the ransomware with more destructive capabilities. Beginning in March of 2019, it was discovered that the malicious software was now targeting enterprise software including MySQL, Microsoft Exchange, and BackupExec, among others. Researchers determined that by December the code was terminating over 660 Windows processes before encrypting the files. One theory on why this is being done is to further encrypt the configuration files behind these services.

Defending Against Ransomware

One defense against ransomware is to keep a big bag of cash in the CIO’s office for use in the event that your systems become encrypted. This is not always looked upon favorably by other management figures and can lead to unforeseen issues that will not be discussed at this time. A better option is to fully protect your systems with thorough monitoring that will alert you to problems that may be caused by unauthorized users. Their intention may be to deliver ransomware after gaining access to your servers.

MySQL system administrators can do their part with the help of the right tools. SQL Diagnostic Manager for MySQL offers over 600 built-in monitors that allow them to know exactly what is happening on their MySQL servers in real-time. Hackers may make initial intrusions into systems to ascertain prime targets before selecting specific systems on which to introduce their malware. Vigilant monitoring highlights unusual system activity so it can be addressed by system admins and the security team.

Using the tool may enable you to head off attacks before they can be fully enacted. It also provides information that can be used to streamline the performance of your MySQL databases. It’s a valuable tool for protecting and optimizing your MySQL instances in your data canter or in the cloud.