Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information


First seen in Guardicore Centra: 2020-01-24
Last seen in Guardicore Centra: 2020-06-22
This campaign, unlike many others, is not a cryptomining botnet. Here the attackers compromise victim machines by brute-forcing MySQL logins, then attempt to encrypt the database. A ransom note is left inside a table called ‘WARNING’ and reads: ‘To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif and contact us by Email ( with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.’ At the time of writing, more than 30 Bitcoin wallet addresses have been used in the ransom notes; their combined balance is 0.689 BTC, which is approximately $6250.

Attack Flow

Breached Services



Create Mysql Table Malicious Mysql Command 13 Sql Commands MYSQL

Incident Summary

Malicious Mysql Command: malicious MySQL commands were executed: ALTER TABLE, CREATE DATABASE and INSERT INTO

Create Mysql Table: MySQL tables were created: PLEASE_READ_ME_VVV.WARNING

Connection was closed due to user inactivity
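As an added example (not Guardicore's code or tooling), the check below scans MySQL general query log lines for the indicators this entry lists: creation of the PLEASE_READ_ME_VVV database and its WARNING table, and an INSERT carrying the ransom wording. The log lines are constructed sample input in the general log's tab-separated layout, and the Bitcoin address in them is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of a MySQL general query log (not captured data); the ransom
# wording and names follow the entry above, the Bitcoin address is a placeholder.
SAMPLE_LOG = """\
2020-01-24T08:12:01.000001Z\t   17 Connect\tshop_user@10.0.0.5 on shop
2020-01-24T08:12:01.000002Z\t   17 Query\tINSERT INTO shop.orders VALUES (42, 19.99)
2020-01-24T08:13:07.000001Z\t   23 Connect\troot@203.0.113.9 on
2020-01-24T08:13:07.000002Z\t   23 Query\tCREATE DATABASE PLEASE_READ_ME_VVV
2020-01-24T08:13:07.000003Z\t   23 Query\tCREATE TABLE PLEASE_READ_ME_VVV.WARNING (id INT, warning TEXT, Bitcoin_Address VARCHAR(64))
2020-01-24T08:13:07.000004Z\t   23 Query\tINSERT INTO PLEASE_READ_ME_VVV.WARNING VALUES (1, 'To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address ...', 'BTC_ADDRESS_PLACEHOLDER')
"""

# General log line layout: "<timestamp>\t<thread id> <command>\t<argument>"
LINE_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
CREATE_DB_RE = re.compile(r"^CREATE\s+DATABASE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I)
CREATE_TABLE_RE = re.compile(r"^CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:`?(\w+)`?\.)?`?(\w+)`?", re.I)

CAMPAIGN_DB = "PLEASE_READ_ME_VVV"
CAMPAIGN_TABLE = "WARNING"
RANSOM_MARKERS = ("recover your lost database", "bitcoin")

def indicators_for_query(sql: str) -> list[str]:
    """Return the campaign indicators matched by one statement (empty if none)."""
    found = []
    m = CREATE_DB_RE.match(sql)
    if m and m.group(1).upper() == CAMPAIGN_DB:
        found.append(f"create database {m.group(1)}")
    m = CREATE_TABLE_RE.match(sql)
    if m and m.group(2).upper() == CAMPAIGN_TABLE:
        found.append(f"create table {m.group(1) or '<current db>'}.{m.group(2)}")
    # The note is dropped in with INSERT INTO; match on its distinctive wording.
    if sql.upper().startswith("INSERT") and all(k in sql.lower() for k in RANSOM_MARKERS):
        found.append("insert of ransom note text")
    return found

def scan_general_log(text: str) -> dict[int, list[str]]:
    """Map each connection (thread id) to the campaign indicators it triggered."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Query":
            continue  # skip Connect/Quit records and lines that do not parse
        for ind in indicators_for_query(m.group(4).strip()):
            hits[int(m.group(2))].append(ind)
    return dict(hits)
```

Running scan_general_log(SAMPLE_LOG) reports only thread 23, with all three indicators in the order they were executed; the benign INSERT on thread 17 is not flagged.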
