PLEASE_READ_ME
active

This campaign, unlike many others, is not a cryptomining botnet. Here, the attackers compromise victim machines using MySQL brute force, then attempt to encrypt the database. A ransom note is left inside a table called ‘WARNING’, and says:
‘To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif and contact us by Email (recvr19@protonmail.com) with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.’.
At the time of writing, more than 30 Bitcoin wallet addresses have been used in the ransom notes, and their balance is 0.689 BTC, which are approximately $6250.