Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information


recently active


This campaign, unlike many others, is not a cryptomining botnet. Here, the attackers compromise victim machines using MySQL brute force, then attempt to encrypt the database. A ransom note is left inside a table called ‘WARNING’, and says:
‘To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif and contact us by Email ( with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.’
At the time of writing, more than 30 Bitcoin wallet addresses have been used in the ransom notes; their combined balance is 0.689 BTC, which is approximately $6250.

Customized Firewall Rules for Your Attack Surface

Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.

Indicators of Compromise

Connect-Back Servers

Attack Flow

    Breached Services

    Create Mysql Table

    Malicious Mysql Command

    13 Sql Commands

Incident Summary

    Malicious Mysql Command: Malicious MySQL commands were executed: ALTER TABLE, CREATE DATABASE and INSERT INTO

    Create Mysql Table: MySQL tables were created: PLEASE_READ_ME_VVV.WARNING

    Connection was closed due to user inactivity
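The attack flow described above (repeated MySQL login attempts, then CREATE DATABASE / CREATE TABLE / INSERT INTO used to plant the ransom note in PLEASE_READ_ME_VVV.WARNING) leaves a clear trace in the MySQL general query log. The following detector is an added example, not Guardicore's code: it scans general-log-style lines for the indicators named on this page (the database and table name, the ransom-note wording and the wallet address quoted above) and counts Connect events per source host. The sample log lines are constructed for the example, the log layout is assumed to be the MySQL 5.7+ general log format (timestamp, thread id, command, argument), and the Connect threshold and rule names are assumptions.

```python
"""Scan MySQL general-query-log lines for PLEASE_READ_ME ransomware indicators.

Added example (not Guardicore's code). Log layout assumed:
    <timestamp> <thread id> <command> <argument>
"""
import re
from collections import Counter

# Indicators taken from the page: ransom database/table and the wallet
# address quoted in the ransom note.
RANSOM_DB = "PLEASE_READ_ME_VVV"
RANSOM_TABLE = "WARNING"
WALLET = "1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif"

# Assumed threshold: this many Connect events from one host inside the
# scanned window is reported as a possible MySQL brute-force attempt.
CONNECT_THRESHOLD = 5

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")


def parse_line(line):
    """Split one general-log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_query(sql):
    """Names of the indicators a single SQL statement trips (may be empty)."""
    upper = sql.upper()
    hits = []
    if RANSOM_DB in upper:
        hits.append("ransom_database_referenced")
    if "CREATE TABLE" in upper and re.search(r"\b%s\b" % RANSOM_TABLE, upper):
        hits.append("ransom_table_created")
    if WALLET in sql:
        hits.append("known_wallet_address")
    if upper.startswith("INSERT INTO") and "BITCOIN" in upper:
        hits.append("ransom_note_inserted")
    return hits


def scan_log(lines):
    """Return {'query_hits': [(line_no, thread_id, indicator)],
               'bruteforce_hosts': [host, ...]} for the given log lines."""
    query_hits = []
    connects = Counter()
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["cmd"] == "Connect":
            m = CONNECT_RE.match(rec["arg"])
            if m:
                connects[m.group("host")] += 1
        elif rec["cmd"] == "Query":
            for indicator in classify_query(rec["arg"]):
                query_hits.append((n, int(rec["tid"]), indicator))
    hosts = sorted(h for h, c in connects.items() if c >= CONNECT_THRESHOLD)
    return {"query_hits": query_hits, "bruteforce_hosts": hosts}


# Constructed sample log: six rapid Connect events from one host, followed by
# the statements the page reports, then unrelated application traffic.
SAMPLE_LOG = """\
2020-12-01T10:00:01.000000Z    7 Connect   root@203.0.113.7 on  using TCP/IP
2020-12-01T10:00:01.100000Z    8 Connect   root@203.0.113.7 on  using TCP/IP
2020-12-01T10:00:01.200000Z    9 Connect   root@203.0.113.7 on  using TCP/IP
2020-12-01T10:00:01.300000Z   10 Connect   root@203.0.113.7 on  using TCP/IP
2020-12-01T10:00:01.400000Z   11 Connect   root@203.0.113.7 on  using TCP/IP
2020-12-01T10:00:01.500000Z   12 Connect   root@203.0.113.7 on  using TCP/IP
2020-12-01T10:00:02.000000Z   12 Query     CREATE DATABASE IF NOT EXISTS PLEASE_READ_ME_VVV
2020-12-01T10:00:02.100000Z   12 Query     CREATE TABLE PLEASE_READ_ME_VVV.WARNING (id INT, warning TEXT)
2020-12-01T10:00:02.200000Z   12 Query     INSERT INTO PLEASE_READ_ME_VVV.WARNING VALUES (1, 'To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif')
2020-12-01T10:00:02.300000Z   12 Query     ALTER TABLE PLEASE_READ_ME_VVV.WARNING ADD COLUMN note TEXT
2020-12-01T10:00:03.000000Z   12 Quit
2020-12-01T10:05:00.000000Z   13 Connect   app@10.0.0.5 on appdb using TCP/IP
2020-12-01T10:05:00.100000Z   13 Query     SELECT id, total FROM orders WHERE id = 42
"""

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines())
    for line_no, tid, indicator in result["query_hits"]:
        print("line %d thread %d: %s" % (line_no, tid, indicator))
    print("possible brute-force sources:", result["bruteforce_hosts"])
```

In production the same rules fit naturally into a log pipeline or a MySQL audit-plugin consumer; the name-based rules catch this campaign's current artefacts, while the Connect-rate rule and the "INSERT of a Bitcoin demand into a freshly created table" pattern are the parts worth keeping when the attackers rename the database.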