
How to Stop Bitcoin Ransomware Attacks on MySQL and Other Databases

This article reviews recent ransomware campaigns targeting MySQL, MongoDB, ElasticSearch, Hadoop, and Redis, explains how attackers exploit weak password policies, and provides concrete MySQL password‑policy settings, password‑less login configuration, and security checklists for multiple database platforms.

dbaplus Community

Ransomware Attacks on Databases

Security firm GuardiCore reported that thousands of MySQL instances have been hit by Bitcoin‑demanding ransomware, continuing a series of database extortion incidents that also affected Oracle, MongoDB, ElasticSearch, Hadoop, and CouchDB over the past six months. All attacks trace back to a single IP address belonging to the Dutch hosting provider Worldstream (109.236.88.20). Attackers scan for poorly secured database servers, brute‑force credentials, delete or encrypt data, create a PLEASE_READ user and a WARNING table, and leave a ransom note demanding 0.2 BTC (≈ US$200).

MySQL Password Security Policies

Guarding MySQL against such attacks starts with strong password management:

MySQL warns when passwords are supplied on the command line; avoid this practice.

From MySQL 5.7 onward, an initial temporary root password is generated and written to the error log, e.g.:

error.log:2017-02-15T15:47:15.132874+08:00 1 [Note] A temporary password is generated for root@localhost: Y9srj<pdn9Lj

The default authentication plugin is mysql_native_password; the legacy mysql_old_password plugin is no longer supported. Verify which plugins are in use with:

SELECT DISTINCT plugin FROM mysql.user;

The default_password_lifetime variable (default 0, meaning passwords never expire automatically) can be set to a number of days to enforce password expiration.

MySQL 5.7 creates only a single root account with a temporary password, eliminating the default test database and reducing attack surface.

Enable SSL for client connections to prevent clear‑text credential transmission.
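As an added example (not code from the original article), the following audit walks rows from mysql.user, as returned by SELECT user, host, plugin, authentication_string, password_expired FROM mysql.user, and flags the weaknesses this section warns about plus accounts outside an expected list, which is how the PLEASE_READ account from the campaign above would show up. The rows and hash values are constructed sample data, and the expected-account list is an assumed site-specific whitelist.

```python
# Added example, not part of the original article. The rows below are
# constructed sample output of:
#   SELECT user, host, plugin, authentication_string, password_expired FROM mysql.user;
# Nothing here connects to a live server; hashes are made-up placeholders.

SAMPLE_USERS = [
    ("root", "localhost", "mysql_native_password", "*CONSTRUCTED0000000000000000000000000001", "N"),
    ("root", "%", "mysql_native_password", "", "N"),                      # empty password, any host
    ("app", "10.0.0.%", "mysql_native_password", "*CONSTRUCTED0000000000000000000000000002", "N"),
    ("legacy", "localhost", "mysql_old_password", "7a8b9c0d1e2f3a4b", "N"),  # pre-4.1 hash
    ("PLEASE_READ", "%", "mysql_native_password", "*CONSTRUCTED0000000000000000000000000003", "N"),
]

# Assumed site-specific whitelist of accounts that are supposed to exist.
EXPECTED_USERS = {"root", "app", "legacy", "mysql.sys"}


def audit_mysql_users(rows, expected_users=EXPECTED_USERS):
    """Return a list of (user@host, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for user, host, plugin, auth, _expired in rows:
        who = f"{user}@{host}"
        if auth == "":
            findings.append((who, "empty authentication_string: login needs no password"))
        if plugin == "mysql_old_password":
            findings.append((who, "legacy mysql_old_password plugin; migrate to mysql_native_password"))
        if user == "root" and host == "%":
            findings.append((who, "root reachable from any host; restrict to localhost"))
        if user not in expected_users:
            # The article's campaign adds a PLEASE_READ user; any unlisted account is suspect.
            findings.append((who, "account not in expected list; investigate as possible intrusion"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_mysql_users(SAMPLE_USERS):
        print(f"{who}: {finding}")
```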

Password‑less Login in MySQL

MySQL 5.6 introduced mysql_config_editor for storing login credentials securely. Example configuration:

mysql_config_editor set --login-path=fastlogin \
    --user=root --host=localhost \
    --password --socket=/u02/mysql/mysqld_mst.sock

After execution, a hidden .mylogin.cnf file is created in the current directory, allowing password‑less connections via mysql --login-path=fastlogin.

General Database Security Rules

Across all database platforms, follow these basic practices:

Audit default accounts and remove any that are unnecessary.

Apply the principle of least privilege to all users.

Enable comprehensive logging and monitor logs for suspicious activity.

Encrypt sensitive data (personal identifiers, passwords, financial information) at rest and in transit.

Patch known vulnerabilities promptly.

MongoDB Security Checklist

Enable authentication (username/password).

Use role‑based access control; avoid using the root role for applications.

Secure the internal __system user in the local database.

Configure authentication for sharded clusters and replica sets appropriately.

Hadoop Security Measures

Enable Kerberos for authentication.

Close unnecessary ports; only expose required services.

ElasticSearch Hardening

Deploy authentication plugins such as Shield, elasticsearch-http-basic, or Search Guard.

Place ElasticSearch behind an Nginx reverse proxy with basic authentication.

Do not expose port 9200 to the internet for single‑node deployments.

Run version 1.7.1 or later, which has no known remote code execution vulnerabilities.

Secure related components (Logstash, Kibana) with the same authentication mechanisms.

Enforce strong passwords (minimum 16 characters, mixed case, numbers, symbols) for all services.

CouchDB Hardening

Set a complex password (≥ 16 characters) for the admin account.

Rename the default admin username.

Isolate the service from the public network; restrict access to trusted internal hosts.

Redis Security Recommendations

Bind Redis to trusted internal IPs and change the default port 6379.

Enable requirepass to enforce authentication (note: password is stored in plain text in the config file).

Rename or disable dangerous commands such as CONFIG to hinder unauthorized configuration changes.

Keep Redis updated; recent releases (e.g., 3.2.7) address CSRF and other vulnerabilities.

Deploy Redis behind a firewall, limit exposure to the internet, and regularly scan for vulnerabilities.
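As an added example (not code from the original article), this parser checks a redis.conf against the recommendations above: a trusted bind address, a non-default port, a requirepass of at least 16 characters, CONFIG renamed or disabled, and protected-mode left on. Both configuration texts are constructed sample input; the function only parses text and never connects to Redis.

```python
# Added example, not part of the original article. Both configs are constructed
# sample input; the audit reads text only and does not talk to a Redis server.

WEAK_CONF = """\
# constructed sample redis.conf with the weak settings the article warns about
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
# constructed sample redis.conf after applying the recommendations
bind 10.0.0.5
port 16379
requirepass CONSTRUCTED-long-random-passphrase-0123456789
rename-command CONFIG ""
rename-command FLUSHALL ""
protected-mode yes
"""


def parse_redis_conf(text):
    """Return (settings dict, list of renamed command names) from redis.conf text."""
    settings, renamed = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "rename-command":
            renamed.append(value.split()[0].upper())   # original command name
        else:
            settings[key] = value.strip()
    return settings, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    settings, renamed = parse_redis_conf(text)
    findings = []
    bind = settings.get("bind", "")
    if not bind or "0.0.0.0" in bind.split():       # no bind line also listens everywhere
        findings.append("bind: listens on all interfaces; bind to a trusted internal IP")
    if settings.get("port", "6379") == "6379":
        findings.append("port: default 6379 in use; move to a non-default port")
    if len(settings.get("requirepass", "")) < 16:  # stored in plain text, so keep it long
        findings.append("requirepass: missing or shorter than 16 characters")
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG not renamed or disabled")
    if settings.get("protected-mode", "yes") != "yes":
        findings.append("protected-mode: disabled")
    return findings
```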

By implementing these password policies, authentication mechanisms, and hardening steps, database administrators can significantly reduce the risk of ransomware extortion and other attacks.
