Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

PLEASE_READ_ME_VVV
inactive

First seen in Guardicore Centra

2020-01-24

Last seen in Guardicore Centra

2020-06-22

This campaign, unlike many others, is not a cryptomining botnet. Here, the attackers compromise victim machines using MySQL brute force, then attempt to encrypt the database. A ransom note is left inside a table called ‘WARNING’ and says:
‘To recover your lost Database and avoid leaking it: Send us 0.06 Bitcoin (BTC) to our Bitcoin address 1NdeFcTXpXvUxvWqPP988A4Txcv3LzXmif and contact us by Email (recvr19@protonmail.com) with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we dont receive your payment in the next 10 Days, we will make your database public or use them otherwise.’
At the time of writing, more than 30 Bitcoin wallet addresses have been used in the ransom notes; their combined balance is 0.689 BTC, approximately $6,250.


Indicators of Compromise

Connect-Back Servers

Attack Flow

Breached Services: MYSQL

Tags: Create Mysql Table, Malicious Mysql Command, 13 Sql Commands, MYSQL

Incident Summary

Malicious MySQL commands were executed: ALTER TABLE, CREATE DATABASE and INSERT INTO (tag: Malicious Mysql Command)

MySQL tables were created: PLEASE_READ_ME_VVV.WARNING (tag: Create Mysql Table)

Connection was closed due to user inactivity