of MongoDB, ElasticSearch, Hadoop, CouchDB, and Cassandra servers, attackers are now hijacking hundreds of MySQL databases, deleting their content, and leaving a ransom note behind asking for a 0.2 Bitcoin ($235) payment. According to breach detection firm GuardiCore, the attacks are happening via brute-force attacks on Internet-exposed MySQL servers, and there's plenty of those lying around since MySQL is one of today's most popular database systems.

All attacks came from a server in the Netherlands

Based on currently available evidence, the attacks started on February 12, and only lasted for 30 hours, during which time attackers attempted to brute-force their way into MySQL root accounts. Investigators said all attacks came from the same IP address from the Netherlands, 109.236.88.20, belonging to a hosting company called WorldStream.

During their ransacking, attackers didn't behave in a constant pattern, making it hard to attribute the hacks to one group, despite the usage of the same IP. For example, after gaining access to MySQL servers, attackers created a new database called PLEASE_READ and left a table inside it called WARNING that contained their ransom demands. In some cases, attackers only created the WARNING table and left it inside an already existing database, without creating a new one.

Investigators report that attackers would then dump the database's content and delete it afterward, leaving only the one holding their ransom. In some cases, attackers deleted the databases without dumping any data.

Attackers have their own website

Two ransom notes have been found in the hundreds of confirmed attacks, one asking victims to get in contact via email and confirm the payment, while the other used a completely different mode of operation, redirecting users to a Tor-hosted website.

The two Bitcoin addresses listed in the ransom notes received four and six payments, respectively, albeit GuardiCore experts doubt that all are from victims. "We cannot tell whether it was the attackers who made the transactions to make their victims feel more confident about paying," they said.

Be sure the attacker still has your data

Just like in the case of the now infamous MongoDB attacks that have hit over 41,000 servers, it's recommended that victims check logs before deciding to pay and see if the attackers actually took their data. If companies elect to pay the ransom, they should always ask the attacker for proof they still have their data.

None of this would be an issue if IT teams followed standard security practices that involve using an automated server backup system and deleting the MySQL root account or at least using a strong and hard-to-brute-force password.

This is not the first time MySQL servers have been held for ransom. The same thing happened in 2015, in a series of attacks called RansomWeb, where attackers used unpatched phpBB forums to hijack databases and hold websites up for ransom.
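The log check recommended above, as an added example (not code from GuardiCore or from the original article): it scans a MySQL general query log for the PLEASE_READ and WARNING ransom markers and reports, for each dropped database, whether the same session read from it before dropping it. The log lines are constructed, and the general query log line layout and the `triage` helper are assumptions of this example.

```python
import re

# Constructed sample in the layout of a MySQL general query log
# (timestamp, thread id, command, argument). Not data from the real incidents.
SAMPLE_LOG = "\n".join([
    "2017-02-12T21:05:11Z\t 7 Connect\troot@109.236.88.20 on  using TCP/IP",
    "2017-02-12T21:05:12Z\t 7 Init DB\tshop",
    "2017-02-12T21:05:12Z\t 7 Query\tSELECT /*!40001 SQL_NO_CACHE */ * FROM `orders`",
    "2017-02-12T21:05:40Z\t 7 Query\tDROP DATABASE `shop`",
    "2017-02-12T21:05:41Z\t 7 Query\tDROP DATABASE `crm`",
    "2017-02-12T21:05:42Z\t 7 Query\tCREATE DATABASE PLEASE_READ",
    "2017-02-12T21:05:43Z\t 7 Query\tCREATE TABLE PLEASE_READ.WARNING (id INT, warning TEXT)",
    "2017-02-12T21:05:50Z\t 7 Quit\t",
])

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Init DB|Query|Quit)\s*(.*)$")
DROP = re.compile(r"^\s*DROP\s+(?:DATABASE|SCHEMA)\s+(?:IF\s+EXISTS\s+)?`?(\w+)`?", re.I)
READ = re.compile(r"^\s*SELECT\b.*?\bFROM\s+(?:`?(\w+)`?\.)?`?\w+`?", re.I | re.S)
NOTE = re.compile(r"^\s*CREATE\s+(?:DATABASE|TABLE)\b.*\b(?:PLEASE_READ|WARNING)\b", re.I)

def triage(log_text):
    """Per dropped database: did the dropping session read from it first?"""
    session, current_db, read_dbs = {}, {}, {}      # all keyed by thread id
    report = {"ransom_markers": [], "dropped": {}}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                                  # header or continuation line
        ts, tid, cmd, arg = m.groups()
        if cmd == "Connect":
            session[tid] = arg.split(" on ")[0]       # user@host of the client
        elif cmd == "Init DB":
            current_db[tid] = arg.strip()             # default schema for this session
        elif cmd == "Query":
            if NOTE.match(arg):
                report["ransom_markers"].append((ts, session.get(tid), arg))
            read, drop = READ.match(arg), DROP.match(arg)
            if read:                                  # unqualified table: use default schema
                db = read.group(1) or current_db.get(tid)
                read_dbs.setdefault(tid, set()).add(db)
            elif drop:
                db = drop.group(1)
                report["dropped"][db] = {
                    "by": session.get(tid),
                    "read_first": db in read_dbs.get(tid, set()),
                }
    return report
```

A `read_first` of `False` means the log shows no read of that database by the session that dropped it, which matches the cases where data was deleted without being dumped. The general query log is off by default in MySQL, so this check is only possible where it was enabled before the intrusion.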
Researchers at security vendor Check Point have warned of a ransomware attack targeting HR departments. This attack is currently targeted at German-speaking companies and pretends to be a job application. Researchers say that the email comes with two attachments: a covering letter, which is a standard PDF, and an Excel file containing the GoldenEye variant of the Petya ransomware.

According to the blog, when the user opens the Excel file: "It contains a picture of a flower with the word 'Loading…' underneath, and a text in German asking the victim to enable content so that the macros can run". Once enabled, the macros begin encrypting the local user files before displaying the ransom note: "YOUR_FILES_ARE_ENCRYPTED.TXT". The computer is then rebooted and GoldenEye begins encrypting the entire hard disk.

Eventually the user is presented with a message telling them they are infected with the GoldenEye ransomware. They are asked to download the Tor Browser and pay a ransom of at least 1.3 Bitcoin (BTC). The surge in value for Bitcoin at the end of 2016 has driven the price up. As of today the price of a single Bitcoin is $1,148, meaning that unlocking the computer will cost the user almost $1,500. Interestingly, the researchers believe that the malware owner is trying to get around $1,000 per victim. This means that with the fluctuation in the price of BTC they will have to keep adjusting their ransom demands.