Attackers are rapidly exploiting exposed cloud and SaaS databases through “malware-less” techniques by abusing legitimate commands and misconfigurations.
These highly automated operations have evolved into mature double extortion campaigns, with MySQL and PostgreSQL among the most targeted platforms. The attacks leave behind ransom notes in newly created database tables or collections, and pressure victims with threats to leak or sell stolen data.
Mass Automation Drives Ransomware Scale
Ransomware operators increasingly rely on fully automated scripts and bots to scan the Internet for exposed database ports, often using search engines like Shodan to locate vulnerable PostgreSQL and MySQL servers.
Attackers brute-force weak or default credentials and, upon successful connection, swiftly export a sample of database rows or entire tables for exfiltration.
Within mere hours or sometimes minutes of exposure, bots can access and wipe databases, terminate backend processes to thwart recovery, and insert ransom notes in new tables.
For instance, researchers have observed bots from hosting providers in Europe systematically wiping publicly accessible databases, demanding payment in cryptocurrency.
The process is highly opportunistic: attackers do not select targets based on value or identity, but rather compromise any exposed server encountered in automated sweeps.
This “factory ransomware” approach is distinguished by its scale rather than precision, as demonstrated by campaigns targeting millions of open MySQL servers worldwide, some of which list over 250,000 databases for sale on underground dashboards.
Double Extortion and Data Auctions
Newer ransomware campaigns blend traditional data-denial tactics with double extortion strategies. Attackers now threaten not only the deletion of databases but also the public auction or leak of stolen data.
Websites hosted on the dark web feature “auction” dashboards that display tokens, mapping each compromised server to its corresponding dumped database, prompting distressed victims to pay a ransom for removal or restoration.
Cryptocurrency wallets and instructions are embedded in ransom notes, with payment demands ranging from several hundred to thousands of dollars in Bitcoin.
Tracking payments to these wallets reveals the profit potential that some ransom bot operations collect, with thousands of dollars being collected daily, and funds being instantly moved through new wallets to obscure attribution.
Victims who pay rarely recover their lost data, as attackers often preserve only a small data sample before issuing DELETE or DROP commands.
Double extortion tactics add psychological pressure by warning that data may be leaked to breach forums, sold to third parties, or reported to regulatory authorities.
Defense and Persistent Risks
The attack chain exploits default exposure, credential weaknesses, and cloud configuration pitfalls. Standard errors, such as using publicly accessible Docker containers with port forwarding, can inadvertently override network restrictions, leaving databases vulnerable to global access.
Attackers further increase persistence by creating backdoor user accounts on the server, enabling future compromise.
Mitigating these threats demands keeping databases off the public Internet, enforcing strong authentication and access controls, and monitoring for indicators such as unusual table or database names (e.g., README_TO_RECOVER, WARNING) and inserted ransom notes.
Backups must be routine and secured in separate environments, and regular scanning should be conducted to identify and patch misconfigurations.
Organizations must treat ransom notes as a sign of a deeper risk, as compromised databases can enable lateral movement and have a broader system impact beyond the stolen data.
In summary, “malware-less” ransomware attacks amplify risk by combining automation, data auctions, and stealthy command abuse making continuous configuration management, proactive network segmentation, and vigilant monitoring vital for defense.
Indicators of Compromise (IOCs)
- Table and document names:
README_TO_RECOVERREAD_ME_TO_RECOVERRECOVER_YOUR_DATAPLEASE_READ_MEPLEASE_READPWNED
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
