Inside the Dark Web: How MySQL Databases Are Ransomed for $500

Over 85,000 MySQL databases are being sold on the dark web for around $500 each, with attackers automating ransom notices via portals on sqldb.to and dbrestore.to, demanding Bitcoin payments, auctioning unpaid data after nine days, and targeting a range of database platforms since 2017.

21CTO

Currently, over 85,000 MySQL databases are being sold on the dark web, each for about $550.

Hackers continuously steal MySQL databases, download tables, delete the original files, and leave ransom notes instructing server owners to contact them to retrieve their data.

Initially, ransom notes asked victims to email the attackers, but as the operation scaled, the process was automated through a portal hosted on sqldb.to and dbrestore.to, accessed via the dark‑web onion network.

Victims visit the site, enter the ID left in the ransom note, and are shown a page displaying their data for sale.

If victims do not pay within nine days, their data is moved to another page for auction.

Recovery or purchase of the stolen database must be paid in Bitcoin; although the price fluctuates with the BTC/USD rate, it generally stays around $500 per database.

Both the intrusions and the ransom/auction pages are fully automated, so the attackers do not analyze whether the stolen data contains high‑value personal or financial information, which is a small silver lining for victim organizations.

In 2020, ransomware incidents continued to accumulate, and victims posted ransom notes on Reddit, MySQL forums, technical support forums, Medium posts, and personal blogs.

Bitcoin addresses used for ransom payments are increasingly listed on BitcoinAbuse.com. Since the winter of 2017, attacks on MySQL, MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers have persisted.
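
A defender-side check for the pattern described above (tables removed, a note left pointing at a portal), as an added example that is not part of the original article: it compares a known-good table inventory with the current one and scans newly appeared tables for the two portal domains the article names or a Bitcoin address. The snapshot format, the 50% loss threshold, the table names and the sample data are assumptions constructed for illustration.

```python
import re

# Portal domains named in the article; all other names and values are assumptions.
PORTAL_DOMAINS = ("sqldb.to", "dbrestore.to")
# Loose match for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BTC_ADDR = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

def note_indicators(text):
    """Return the ransom-note indicators found in one text value."""
    lowered = text.lower()
    hits = [d for d in PORTAL_DOMAINS if d in lowered]
    if BTC_ADDR.search(text):
        hits.append("btc-address")
    return hits

def audit(baseline, current, loss_threshold=0.5):
    """Flag databases that lost most tables or gained a table holding a note.

    baseline: {database: set of table names} from a known-good snapshot
    current:  {database: {table name: list of text values sampled from it}}
    """
    findings = {}
    for db, old_tables in baseline.items():
        now = current.get(db, {})
        missing = old_tables - set(now)
        lost = len(missing) / len(old_tables) if old_tables else 0.0
        indicators = set()
        for table in set(now) - old_tables:  # only tables new since the baseline
            for value in now[table]:
                indicators.update(note_indicators(value))
        if lost >= loss_threshold or indicators:
            findings[db] = {
                "missing_tables": sorted(missing),
                "lost_fraction": round(lost, 2),
                "note_indicators": sorted(indicators),
            }
    return findings

# Constructed sample data (not taken from any real incident).
BASELINE = {"shop": {"orders", "customers", "products"}, "blog": {"posts", "comments"}}
CURRENT = {
    "shop": {"README_RECOVER": ["Your data is backed up. Visit http://sqldb.to and "
                                "enter ID 0000. Pay to 1ConstructedAddressForDemoXXXX"]},
    "blog": {"posts": ["hello world"], "comments": ["nice post"]},
}

if __name__ == "__main__":
    for db, finding in audit(BASELINE, CURRENT).items():
        print(db, finding)
```
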

Source: Security Circle