After the ransacking Attack.Databreach of MongoDB , ElasticSearch , Hadoop , CouchDB , and Cassandra servers , attackers are now hijacking hundreds of MySQL databases , deleting their content , and leaving a ransom note behind asking for Attack.Ransom a 0.2 Bitcoin ( $ 235 ) payment Attack.Ransom . According to breach detection firm GuardiCore , the attacks are happening via brute-force attacks on Internet-exposed MySQL servers , and there 's plenty of those laying around since MySQL is one of today 's most popular database systems . All attacks came from a server in the Netherlands Based on currently available evidence , the attacks started on February 12 , and only lasted for 30 hours , during which time attackers attempted to brute-force their way into MySQL root accounts . Investigators said all attacks came from the same IP address from the Netherlands , 109.236.88.20 , belonging to a hosting company called WorldStream . During their ransacking Attack.Databreach , attackers did n't behave in a constant pattern , making it hard to attribute the hacks to one group , despite the usage of the same IP . For example , after gaining access to MySQL servers , attackers created a new database called PLEASE_READ and left a table inside it called WARNING that contained their ransom demands Attack.Ransom . In some cases , attackers only created the WARNING table and left it inside an already existing database , without creating a new one . Investigators report that attackers would then dump the database 's content and delete it afterward , leaving only the one holding their ransom Attack.Ransom . In some cases , attackers deleted the databases without dumping any data . Attackers have their own website Two ransom notes have been found in the hundreds of confirmed attacks Attack.Ransom , one asking Attack.Ransom victims to get in contact via email and confirm the payment , while the other used a completely different mode of operation , redirecting users to a Tor-hosted website . The two Bitcoin addresses listed in the ransom notes received four and six payments Attack.Ransom , respectively , albeit GuardiCore experts doubt that all are from victims . `` We can not tell whether it was the attackers who made the transactions to make their victims feel more confident about paying Attack.Ransom , '' they said . Be sure the attacker still has your data Just like in the case of the now infamous MongoDB attacks Attack.Ransom that have hit Attack.Ransom over 41,000 servers , it 's recommended that victims check logs before deciding to pay Attack.Ransom and see if the attackers actually took their data . If companies elect to pay the ransom Attack.Ransom , should always ask the attacker for proof they still have their data . None of this would be an issue if IT teams follow standard security practices that involve using an automated server backup system and deleting the MySQL root account or at least using a strong and hard-to-brute-force password . This is not the first time MySQL servers have been held for ransom Attack.Ransom . The same thing happened in 2015 , in a series of attacks Attack.Ransom called RansomWeb Attack.Ransom , where attackers used unpatched phpBB forums to hijack databases and hold websites up for ransom Attack.Ransom .

Ransomware authors are profiting from the rise of the cryptocurrency -- but it 's also bringing some unexpected problems for them and other dark web operators . The value of bitcoin has soared in recent days : at the one point the cryptocurrency was worth almost $ 19,000 before it dropped back to around $ 16,500 , where it has roughly remained since . It 's almost impossible to predict what will happen next . The price of bitcoin could rise again or it could crash -- but , for now at least , a single unit of the cryptocurrency is worth a significant amount of money . Bitcoin has become the popular payment method for ransomware over the last two years , as the digital currency provides cybercriminals with a means of collecting ransoms Attack.Ransom , while also making it difficult to get the ransom-collectors ' identities , thanks to the level of anonymity it offers . WannaCry Attack.Ransom , the biggest ransomware event of the year , for example , hit Attack.Ransom hundreds of thousands of PCs around the globe , encrypting files and demanding a payment Attack.Ransom of $ 300 in bitcoin for the safe return of what was stored on the machine . In this instance , the ransomware code itself was poorly written and the vast majority of victims were able to restore their systems without giving into the demands Attack.Ransom of the cyber-attackers . However , by the time those behind WannaCry Attack.Ransom had withdrawn funds from the associated Bitcoin wallets -- a full three months after the attack -- it meant the 338 payments Attack.Ransom victims had made were worth around $ 140,000 , which was an increase in value of just under $ 50,000 compared to when the majority of payments were made Attack.Ransom . If those behind WannaCry Attack.Ransom have held onto their illicit investment , they could now be sitting on over $ 1m of bitcoin . But the sudden spike in bitcoin could actually be problematic for some cybercriminals . Before the surge in value , 1 or 0.5 bitcoin was a common ransom demand Attack.Ransom , with the idea that if the fee was low enough -- back then the ransom value worked out at a few hundred dollars -- this would encourage the victim to pay up Attack.Ransom . Even as the value of bitcoin steadily rose during the summer , some attackers were still using the standard amounts of cryptocurrency as their ransom demand Attack.Ransom . For example , Magniber ransomware demanded a payment Attack.Ransom of 0.2 bitcoin ( $ 1,138 in mid-October ) , rising to 0.4 bitcoin ( $ 2,275 in mid-October ) if the payment wasn't received Attack.Ransom within five days . Two months later , 0.2 bitcoin is currently worth $ 3,312 while 0.4 bitcoin is up to $ 6,625 . Many forms of ransomware already ask for the payment Attack.Ransom of a specified amount of dollars to be made in bitcoin . While it pins hopes on victims being able to buy a specific amount of bitcoin and successfully transfer the payment -- which some criminal gangs get around by manning help desks providing advice on buying cryptocurrency -- it 's more likely to result in the victim paying up Attack.Ransom , especially if the figure is just a few hundred dollars . `` I imagine the volatility of bitcoin pricing has been an unexpected problem for cybercriminals . The average ransom demand Attack.Ransom has remained somewhere between $ 300 to $ 1000 , and normally the ransom note will specify a USD amount , '' Andy Norton , director of threat intelligence at Lastline , told ZDNet . It is n't just ransomware distributors who might be faced with the problem of valuing items in pure bitcoin : a Dark Web vendor -- whether they are selling malware , weapons , drugs , or any other illegal item -- might find that setting their price in pure bitcoin will quickly result in them pricing themselves out of the market . With bitcoin prices continuing to rise , sophisticated cybercriminal operators can likely react to it , altering prices on a day-to-day basis to ensure that they 're able to sustain their business . Criminals are trying out alternative pricing models for ransomware already . Some criminals already operate around the idea that they charge Attack.Ransom victims just enough so that they do n't see the ransom Attack.Ransom as too much to pay Attack.Ransom -- and that often depends on the country the victims are in . The Fatboy ransomware payment scheme charges Attack.Ransom victims in poorer countries less than those in richer ones . Meanwhile , those behind Scarab ransomware have started asking Attack.Ransom victims to suggest a payment amount Attack.Ransom for receiving the encryption key for their files .

The average amount of a ransomware demand Attack.Ransom has increased from $ 294 in 2015 to $ 1,077 last year , according to a report released last week by Symantec . `` That 's a pretty dramatic increase , '' said Kevin Haley , director of security response at Symantec . `` The bad guys can get almost anything they ask for , '' Haley said . Some cybercriminals also adjust the size of the ransom demand Attack.Ransom to the type of victim , asking Attack.Ransom enterprises for significantly larger amounts of money than they do of consumers . The company also surveyed ransomware victims , and found that 34 percent of people paid the ransom Attack.Ransom globally . But in the U.S. , the number was 64 percent . All this money coming in is bad news for cybersecurity professionals . `` We 're seeing a lot more people investing in this business , because it 's highly profitable and it 's really easy to get into , '' he said . `` The end result is more malware , and more ransomware . The problem will continue getting worse . '' The Internet of Things was also a major topic in the report . Symantec operates an IoT honeypot , and the number of attacks nearly doubled over the course of 2016 . The intensity of attacks really surprised him , Haley said . During peak activity , attacks would come in every two minutes . That means that vulnerable devices would get infected almost as soon as they are connected to the internet , he said . `` If you plug it in , and decide to take care of security later , you 're already too late . '' There 's no grace period . `` But if the device is not using a default password , is patched , and is up to date , it can fight off most of those attacks , '' he said . `` Unfortunately , we know that there are a lot of devices out there with default passwords , or simple passwords , or have n't been patched . '' The 77-page report also covered a wide variety of other security-related topics . One in 131 emails contained a malicious link or attachment , the highest rate in five years .

The extortion attempt Attack.Ransom took place on January 11 , the first day some Lloyds Bank customers experienced short-lived problems with accessing their online banking portals . Customers continued to report brief outages in the following two days . On the third day , on Friday , January 13 , Bleeping Computer received two separate tips , via email and Twitter , from two hackers that appeared to know each other . Hacker # 1 sent Bleeping Computer a link to a PasteBin page that contained a copy of an email the group allegedly sent to a high-ranking Lloyds Bank manager . The email , pictured below , contained a ransom demand Attack.Ransom disguised as a `` consultancy fee '' the group was asking Attack.Ransom to reveal Vulnerability-related.DiscoverVulnerability `` security issues '' that affected Vulnerability-related.DiscoverVulnerability Lloyd Bank 's online banking portals . The hackers were asking for Attack.Ransom 100 Bitcoin ( £75,000 / $ 94,000 ) . `` Once paid , the services will be back online , you will get a list of flaws related to both services , along with our disappearance , '' the email reads . A second hacker reached out via Twitter a few hours later and was surprised to find out that his colleague already shared the PasteBin link , confirming they knew each other . Hacker # 2 proceeded to provide a demo that allegedly showed they were behind the Lloyds Bank outages . The demo was specific with how hackers demonstrate they are behind DDoS attacks . Hacker # 2 asked your reporter and other journalists to access Lloyds Bank online portals before his attack , to prove the service was running , and during his attack , to show that he was the one causing the issues .

This Monday , Bleeping Computer broke the news that a hacker/group identified as Harak1r1 was taking over MongoDB databases left connected to the Internet without a password on the admin account . The group was exporting Attack.Databreach the database 's content and replacing all tables with one named WARNING , that contained a ransom note , asking Attack.Ransom the owners of the hacked database to pay Attack.Ransom 0.2 Bitcoin ( ~ $ 200 ) into Bitcoin wallet . At the time of our article , Harak1r1 had hijacked just over 1,800 MongoDB databases , and 11 victims have paid the ransom Attack.Ransom in order to recover their files . As time went by , Harak1r1 hijacked more databases , reaching at one point over 3,500 MongoDB instances , and currently peaking at over 8,500 . Among them , the hacker ( s ) had even managed to make a high-profile victim , in Emory Healthcare , a US-based healthcare organization . According to the MacKeeper Security Research Team , Harak1r1 had ransacked Attack.Databreach and blocked Emory 's access to more than 200,000 medical records . Attacks from harak1r1 went on for two more days , but as worldwide infosec media started covering the topic , two copycats appeared and started doing the same . The second group goes by the name of 0wn3d , and they work by replacing the hijacked database tables with a table named WARNING_ALERT . According to Victor Gevers , the researcher who initially discovered the first hacked MongoDBs around Christmas , this second group has hijacked just over 930 databases . Unlike Harak1r1 , this second group is a little bit more greedy and asks for Attack.Ransom 0.5 Bitcoin , which is around $ 500 , but this has n't stopped companies from paying Attack.Ransom , with 0wn3d 's Bitcoin wallet showing that at least three victims had paid Attack.Ransom his ransom demands Attack.Ransom . A day later , the same Gevers came across a third actor , using the name 0704341626asdf , which appears to have hit over 740 MongoDB servers . This hacker/group is asking for Attack.Ransom 0.15 Bitcoin ( ~ $ 150 ) , and he 's using a lengthier ransom note , in which he admonishes victims for leaving their DB open over the Internet . Furthermore , this threat actor appears to be more strict with victims and gives database owners 72 hours to pay the ransom Attack.Ransom . According to Gerves , the lines that allowed him to track the activity of these three groups is slowly blurring , as these groups started using more varied messages and different Bitcoin addresses . Additionally , in newer variations of these attacks , the hackers do n't appear to bother copying the hacked database . In recent attacks Attack.Ransom , Gevers says that crooks just delete the DB 's content , ask for a ransom Attack.Ransom regardless , and hope nobody checks the logs and discovers what they 've done . There is no evidence that they actual copied your database . According to Gevers , these groups are now fighting over the same turf , with many of them rewriting each other 's ransom notes . This leads to cases where database owners pay the ransom Attack.Ransom to the wrong group , who ca n't give their content back . `` It 's catching on and it looks more players are coming to the game .