How Dark‑Web Ransomware Hijacks MySQL Databases and Sells Them for $550
The article explains how ransomware gangs steal MySQL databases, automate ransom‑payment portals on the dark web, auction unsold data, and accept Bitcoin, revealing the scale of over 85,000 databases for sale at roughly $500‑$550 each.
Currently more than 85,000 MySQL databases are being sold on the dark web, each priced at about $550.
Hackers exfiltrate MySQL databases, delete the original files, and leave a ransom note that instructs the server owner to contact them to retrieve the data.
Initially the ransom note required victims to email the attackers, but as the operation grew, the attackers built an automated portal, hosted on sqldb.to and dbrestore.to and accessed via the Tor network.
Victims who visit the site enter the ID left in the ransom note and are shown a page offering their stolen data for sale.
If the victim does not pay within nine days, the data is moved to another page for auction.
All transactions for restoring or purchasing the stolen databases must be paid in Bitcoin; because of BTC/USD fluctuations, the effective price varies, but it generally stays around $500 per database.
The entire intrusion, ransom note, and auction website are fully automated, meaning attackers do not manually assess whether the stolen data contains high‑value personal or financial information—a small consolation for victim companies.
Since 2020, ransomware incidents have surged, and victims have posted ransom notes on Reddit, MySQL forums, technical support forums, Medium articles, and personal blogs.
The Bitcoin addresses used for ransom payments are continuously added to BitcoinAbuse.com. Since the winter of 2017, attacks on MySQL, MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers have persisted.
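Because the campaign is automated, each intrusion leaves the same trace: one connection reads the data, drops it, then writes a note. The following is an added detection example, not code from the original article; it assumes the MySQL general query log is enabled with the line layout shown in the comment, the log lines are constructed, and `scan` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Portal domains named in the article; a note mentioning them is a strong signal.
PORTAL_DOMAINS = ("sqldb.to", "dbrestore.to")

# Assumed general-query-log layout: "<timestamp>\t<conn id> <command>\t<argument>".
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
DROP_RE = re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA|TABLE)\b", re.I)
WRITE_RE = re.compile(r"^\s*(INSERT|REPLACE|CREATE\s+TABLE)\b", re.I)
READ_RE = re.compile(r"^\s*SELECT\b.*\bFROM\b", re.I)

# Constructed sample log (not taken from a real incident).
SAMPLE_LOG = """\
2020-12-10T08:14:58.100000Z\t   41 Connect\troot@203.0.113.7 on  using TCP/IP
2020-12-10T08:14:59.200000Z\t   41 Query\tSELECT * FROM shop.customers
2020-12-10T08:15:00.300000Z\t   41 Query\tSELECT * FROM shop.orders
2020-12-10T08:15:01.400000Z\t   41 Query\tDROP DATABASE shop
2020-12-10T08:15:02.500000Z\t   41 Query\tCREATE TABLE recover.note (msg TEXT)
2020-12-10T08:15:02.600000Z\t   41 Query\tINSERT INTO recover.note VALUES ('Data backed up. Visit sqldb.to with ID EXAMPLE-ID')
2020-12-10T09:00:00.000000Z\t   57 Query\tSELECT id FROM app.sessions WHERE token = 'x'
2020-12-10T09:00:05.000000Z\t   58 Query\tDROP TABLE app.tmp_import
"""

def scan(log_text):
    """Return {conn_id: verdict} for connections that read, dropped, then wrote."""
    state = defaultdict(lambda: {"reads": 0, "dropped": False, "verdict": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Query":
            continue  # skip Connect/Quit lines and continuation lines
        conn, sql = int(m.group(2)), m.group(4)
        s = state[conn]
        if DROP_RE.match(sql):
            s["dropped"] = True
        elif READ_RE.match(sql) and not s["dropped"]:
            s["reads"] += 1
        elif WRITE_RE.match(sql) and s["dropped"] and s["reads"]:
            # Write after a drop, on a connection that first read data.
            if any(d in sql.lower() for d in PORTAL_DOMAINS):
                s["verdict"] = "ransom-note"
            elif s["verdict"] is None:
                s["verdict"] = "suspicious"
    return {c: s["verdict"] for c, s in state.items() if s["verdict"]}

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Connections that only read (57) or only drop a table (58) are not flagged; the read, drop, write sequence on a single connection is what raises the alert.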
ITPUB
