of MongoDB, ElasticSearch, Hadoop, CouchDB, and Cassandra servers, attackers are now hijacking hundreds of MySQL databases, deleting their content, and leaving a ransom note behind asking for a 0.2 Bitcoin ($235) payment. According to breach detection firm GuardiCore, the attacks are happening via brute-force attacks on Internet-exposed MySQL servers, and there are plenty of those lying around since MySQL is one of today's most popular database systems.

All attacks came from a server in the Netherlands

Based on currently available evidence, the attacks started on February 12 and lasted only 30 hours, during which time attackers attempted to brute-force their way into MySQL root accounts. Investigators said all attacks came from the same IP address in the Netherlands, 109.236.88.20, belonging to a hosting company called WorldStream. During their ransacking, attackers didn't behave in a constant pattern, making it hard to attribute the hacks to one group despite the use of the same IP. For example, after gaining access to MySQL servers, attackers created a new database called PLEASE_READ and left a table inside it called WARNING that contained their ransom demands. In some cases, attackers only created the WARNING table and left it inside an already existing database, without creating a new one. Investigators report that attackers would then dump the database's content and delete it afterward, leaving only the one holding their ransom note. In some cases, attackers deleted the databases without dumping any data.

Attackers have their own website

Two ransom notes have been found in the hundreds of confirmed attacks: one asks victims to get in contact via email and confirm the payment, while the other uses a completely different mode of operation, redirecting users to a Tor-hosted website.
The two Bitcoin addresses listed in the ransom notes received four and six payments, respectively, although GuardiCore experts doubt that all are from victims. "We cannot tell whether it was the attackers who made the transactions to make their victims feel more confident about paying," they said.

Be sure the attacker still has your data

Just like in the case of the now infamous MongoDB attacks that have hit over 41,000 servers, it's recommended that victims check logs before deciding to pay and see if the attackers actually took their data. If companies elect to pay the ransom, they should always ask the attacker for proof they still have their data. None of this would be an issue if IT teams followed standard security practices that involve using an automated server backup system and deleting the MySQL root account, or at least using a strong and hard-to-brute-force password. This is not the first time MySQL servers have been held for ransom. The same thing happened in 2015, in a series of attacks called RansomWeb, where attackers used unpatched phpBB forums to hijack databases and hold websites up for ransom.
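The two practical recommendations above, checking the logs before paying and getting rid of an exposed root account, worked through as MySQL statements. This is an added example, not code from the article or from GuardiCore. It assumes MySQL 5.7 or 8.0 (the lockout clause in the last statement needs 8.0.19 or later), a session with privileges on mysql.* and information_schema, and that the general log is being written to a table; the account name dbadmin, the passphrase and the two-day time window are placeholders.

```sql
-- Added example (not from the article or GuardiCore): defender-side MySQL checks
-- for the scenario described above. Assumes MySQL 5.7/8.0; dbadmin and the
-- passphrase are placeholders. Only PLEASE_READ and WARNING come from the article.

-- 1. Detection: look for the ransom artifacts the article describes, a database
--    named PLEASE_READ or a table named WARNING dropped into any schema.
--    UPPER() guards against lower_case_table_names differences across platforms.
SELECT table_schema, table_name, create_time
FROM   information_schema.tables
WHERE  UPPER(table_schema) = 'PLEASE_READ'
   OR  UPPER(table_name)   = 'WARNING';

-- 2. Exposure review: accounts reachable from any host, accounts named root,
--    and accounts with an empty authentication string. Each row is a
--    brute-force target of the kind the article describes.
SELECT user, host, plugin,
       (authentication_string = '') AS empty_password,
       account_locked
FROM   mysql.user
WHERE  host = '%'
   OR  user = 'root'
   OR  authentication_string = '';

-- 3. "Did they actually take the data?" If the general log is written to a
--    table (general_log=ON, log_output includes TABLE), a mysqldump run shows
--    up as its characteristic SELECT carrying the SQL_NO_CACHE hint, and an
--    in-server export as SELECT ... INTO OUTFILE. DROP statements with no
--    preceding reads of the same schema support the article's point that the
--    data may simply have been deleted rather than copied.
SELECT event_time, user_host, command_type, LEFT(argument, 120) AS statement_head
FROM   mysql.general_log
WHERE  event_time >= NOW() - INTERVAL 2 DAY          -- placeholder window; set to the incident window
  AND (argument LIKE '%SQL_NO_CACHE%'
    OR argument LIKE '%INTO OUTFILE%'
    OR argument LIKE 'DROP DATABASE%'
    OR argument LIKE 'DROP TABLE%')
ORDER  BY event_time;

-- 4. Mitigation: no root reachable from arbitrary hosts, a renamed local
--    administrative account with a strong password, and (MySQL 8.0.19+)
--    automatic lockout after repeated failed logins so a brute-force run
--    stalls instead of walking the keyspace.
DROP USER IF EXISTS 'root'@'%';
RENAME USER 'root'@'localhost' TO 'dbadmin'@'localhost';
ALTER USER 'dbadmin'@'localhost'
      IDENTIFIED BY 'replace-with-a-long-random-passphrase'
      FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
```

Sections 1 to 3 are read-only and can be run on a suspected victim as they stand; section 4 changes accounts, so take a backup of the mysql schema first and make sure an administrative login other than root exists before the RENAME. Two caveats: the general log is off by default and costly, so an empty result from section 3 is not proof that nothing was dumped, only that nothing was recorded; and these statements do not replace keeping the listener off the public Internet (bind-address and firewall rules, which live in the server configuration, not in SQL).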
Researchers are now observing similar destructive attacks hitting openly accessible Hadoop and CouchDB deployments. Security researchers Victor Gevers and Niall Merrigan, who have monitored the MongoDB and Elasticsearch attacks so far, have also started keeping track of the new Hadoop and CouchDB victims. The two have put together spreadsheets on Google Docs where they document the different attack signatures and messages left behind after data gets wiped from databases. In the case of Hadoop, a framework used for distributed storage and processing of large data sets, the attacks observed so far can be described as vandalism. That's because the attackers don't ask for payments to be made in exchange for returning the deleted data. Instead, their message instructs the Hadoop administrators to secure their deployments in the future. According to Merrigan's latest count, 126 Hadoop instances have been wiped so far. The number of victims is likely to increase because there are thousands of Hadoop deployments accessible from the internet -- although it's hard to say how many are vulnerable. The attacks against MongoDB and Elasticsearch followed a similar pattern. The number of MongoDB victims jumped from hundreds to thousands in a matter of hours and to tens of thousands within a week. The latest count puts the number of wiped MongoDB databases at more than 34,000 and that of deleted Elasticsearch clusters at more than 4,600. A group called Kraken0, responsible for most of the ransomware attacks against databases, is trying to sell its attack toolkit and a list of vulnerable MongoDB and Elasticsearch installations for the equivalent of US$500 in bitcoins. The number of wiped CouchDB databases is also growing rapidly, reaching more than 400 so far. CouchDB is a NoSQL-style database platform similar to MongoDB.
Unlike the Hadoop vandalism, the CouchDB attacks are accompanied by ransom messages, with attackers asking for 0.1 bitcoins (around $100) to return the data. Victims are advised against paying because, in many of the MongoDB attacks, there was no evidence that attackers had actually copied the data before deleting it. Researchers from Fidelis Cybersecurity have also observed the Hadoop attacks and have published a blog post with more details and recommendations on securing such deployments.
The extortion attempt took place on January 11, the first day some Lloyds Bank customers experienced short-lived problems with accessing their online banking portals. Customers continued to report brief outages in the following two days. On the third day, Friday, January 13, Bleeping Computer received two separate tips, via email and Twitter, from two hackers that appeared to know each other. Hacker #1 sent Bleeping Computer a link to a PasteBin page that contained a copy of an email the group allegedly sent to a high-ranking Lloyds Bank manager. The email, pictured below, contained a ransom demand disguised as a "consultancy fee" the group was asking in order to reveal "security issues" that affected Lloyds Bank's online banking portals. The hackers were asking for 100 Bitcoin (£75,000 / $94,000). "Once paid, the services will be back online, you will get a list of flaws related to both services, along with our disappearance," the email reads. A second hacker reached out via Twitter a few hours later and was surprised to find out that his colleague had already shared the PasteBin link, confirming they knew each other. Hacker #2 proceeded to provide a demo that allegedly showed they were behind the Lloyds Bank outages. The demo followed the usual way hackers demonstrate they are behind DDoS attacks: Hacker #2 asked your reporter and other journalists to access Lloyds Bank online portals before his attack, to prove the service was running, and during his attack, to show that he was the one causing the issues.
KillDisk was one of the components associated with the Black Energy malware that a group of attackers used in December 2015 to hit several Ukrainian power stations, cutting power for thousands of people. A month before that, it was used against a major news agency in Ukraine. Since then, KillDisk has been used in other attacks, most recently against several targets from the shipping sector, according to security researchers from antivirus vendor ESET. However, the latest versions have evolved and now act like ransomware. Instead of wiping the data from the disk, the malware encrypts it and displays a message asking for 222 bitcoins to restore it. That's the equivalent of $216,000, an unusually large sum of money for a ransomware attack. What's even more interesting is that there's also a Linux variant of KillDisk that can infect both desktop and server systems, the ESET researchers said Thursday in a blog post. The encryption routine and algorithms are different between the Windows and the Linux versions, and on Linux there's another catch: the encryption keys are neither saved locally nor sent to a command-and-control server, so the attackers can't actually get to them. "The cyber criminals behind this KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware," the ESET researchers said. The good news is that there's a weakness in the encryption mechanism for the Linux version that makes it possible -- though difficult -- for the victim to recover the files. It's not clear why the KillDisk creators have added this encryption feature. It could be that they're achieving the same goal as in the past -- destruction of data -- but with the ransomware tactic there's also a small chance that they'll walk away with a large sum of money.