Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information




This campaign, unlike many others, is not a cryptomining botnet. Here, the attackers compromise victim machines by brute-forcing MySQL credentials, then attempt to encrypt the database. A ransom note is left inside a table called ‘WARNING’, and reads:
‘To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif and contact us by Email ( with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.’
At the time of writing, more than 30 Bitcoin wallet addresses have been used in the ransom notes; their combined balance is 0.689 BTC, approximately $6250.


Attack Flow

- Create Mysql Table
- Malicious Mysql Command
- 13 Sql Commands

Incident Summary

- Malicious Mysql Command: malicious MySQL commands were executed (ALTER TABLE, CREATE DATABASE and INSERT INTO)
- Create Mysql Table: MySQL tables were created (PLEASE_READ_ME_VVV.WARNING)
- Connection was closed due to user inactivity
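The attack flow described on this page (a burst of failed MySQL logins from one source, a successful login, then CREATE DATABASE / CREATE TABLE / INSERT INTO / ALTER TABLE against a table named WARNING carrying the ransom text) can be turned into a simple log-based detection. The script below is an added example written for this entry; it is not Guardicore code and not part of the original page. It runs over constructed lines in the layout of the MySQL general query log (time, thread id, command, argument). The log lines, the IP addresses, the thread ids, the column list of the WARNING table and the brute-force threshold (5 failures within 60 seconds) are all assumptions made for the example; the database name PLEASE_READ_ME_VVV, the table name WARNING, the command types and the ransom-note wording come from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in MySQL general-query-log layout (not real captures).
# Threads 11-15: failed root logins from one source; thread 16: success, then the
# ransom-note activity; thread 17: an unrelated, benign application session.
SAMPLE_LOG = "\n".join([
    "2020-12-01T10:00:00.000000Z\t   11 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-01T10:00:00.100000Z\t   11 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-01T10:00:05.000000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-01T10:00:05.100000Z\t   12 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-01T10:00:10.000000Z\t   13 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-01T10:00:10.100000Z\t   13 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-01T10:00:15.000000Z\t   14 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-01T10:00:15.100000Z\t   14 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-01T10:00:20.000000Z\t   15 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-01T10:00:20.100000Z\t   15 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2020-12-01T10:00:25.000000Z\t   16 Connect\troot@203.0.113.5 on  using TCP/IP",
    "2020-12-01T10:00:26.000000Z\t   16 Query\tCREATE DATABASE PLEASE_READ_ME_VVV",
    # Column list is invented for the example; the real table layout is not on the page.
    "2020-12-01T10:00:26.200000Z\t   16 Query\tCREATE TABLE PLEASE_READ_ME_VVV.WARNING (id INT, warning TEXT)",
    "2020-12-01T10:00:26.400000Z\t   16 Query\tINSERT INTO PLEASE_READ_ME_VVV.WARNING VALUES (1, 'To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) ...')",
    "2020-12-01T10:00:27.000000Z\t   16 Query\tALTER TABLE PLEASE_READ_ME_VVV.WARNING ADD COLUMN note_id INT",
    "2020-12-01T10:00:30.000000Z\t   16 Quit\t",
    "2020-12-01T10:05:00.000000Z\t   17 Connect\tapp@198.51.100.7 on shop using TCP/IP",
    "2020-12-01T10:05:01.000000Z\t   17 Query\tSELECT * FROM orders LIMIT 10",
])

# One general-log record: timestamp, thread id, command type, free-form argument.
LINE_RE = re.compile(r"^(?P<ts>\S+Z)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
# Failed authentication as logged by the server, with the client address.
DENIED_RE = re.compile(r"Access denied for user '[^']*'@'(?P<ip>[^']+)'")
# Successful connection record: user@ip on <db> ...
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<ip>[\d.]+) on")

# Indicators taken from the campaign description: the ransom database name, any
# DDL/DML on a table named WARNING, and the opening words of the ransom note.
RANSOM_RULES = [
    ("create-ransom-database",
     re.compile(r"\bCREATE\s+DATABASE\s+`?PLEASE_READ_ME_VVV`?", re.I)),
    ("ddl-or-dml-on-WARNING-table",
     re.compile(r"\b(CREATE\s+TABLE|ALTER\s+TABLE|INSERT\s+INTO)\s+(`?\w+`?\.)?`?WARNING`?\b", re.I)),
    ("ransom-note-text",
     re.compile(r"To recover your lost Database|Send us [\d.]+ Bitcoin", re.I)),
]


def parse_general_log(text):
    """Parse general-log lines into dicts with ts (datetime), tid (int), cmd, arg."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines or continuation lines are skipped
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ"),
            "tid": int(m.group("tid")),
            "cmd": m.group("cmd"),
            "arg": m.group("arg"),
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: max failed logins inside any `window`} for IPs at/over threshold."""
    failures = defaultdict(list)
    for ev in events:
        m = DENIED_RE.search(ev["arg"])
        if ev["cmd"] == "Connect" and m:
            failures[m.group("ip")].append(ev["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successful_logins_from(events, ips):
    """Connect records from the given IPs whose thread saw no 'Access denied'."""
    denied_tids = {ev["tid"] for ev in events if DENIED_RE.search(ev["arg"])}
    logins = []
    for ev in events:
        m = CONNECT_RE.match(ev["arg"]) if ev["cmd"] == "Connect" else None
        if m and m.group("ip") in ips and ev["tid"] not in denied_tids:
            logins.append((ev["tid"], m.group("user"), m.group("ip")))
    return logins


def find_ransom_indicators(events):
    """(thread id, rule name) for every Query record matching a ransom rule."""
    hits = []
    for ev in events:
        if ev["cmd"] != "Query":
            continue
        for name, rule in RANSOM_RULES:
            if rule.search(ev["arg"]):
                hits.append((ev["tid"], name))
    return hits


def analyze(text):
    """Correlate brute force, the login that followed it, and ransom-note activity."""
    events = parse_general_log(text)
    brute = find_bruteforce(events)
    return {
        "bruteforce": brute,
        "logins_after_bruteforce": successful_logins_from(events, set(brute)),
        "ransom_indicators": find_ransom_indicators(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed `analyze()` the contents of a real general query log (enable it only for the investigation window; it is verbose) or adapt `LINE_RE` to the audit-log format in use. The rules are deliberately narrow and tied to the indicators on this page, so the ransom-note match is high confidence, while the brute-force rule is the generic part that also surfaces attempts that never succeed.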