According to ZDNet, most of the victims lost the contents of MySQL databases. However, it is possible that the attackers also tried to attack PostgreSQL and MSSQL databases.

Reports of attacks accumulated throughout 2020 on various resources: Reddit, MySQL forums, technical support forums, posts on Medium and even private blogs. The Bitcoin wallet addresses to which victims were told to transfer funds are regularly reported as criminal on the site BitcoinAbuse.com.

“Most likely, the campaign was carried out in ‘grab and run’ mode, that is, the criminals simply sought to grab as much as possible in the minimum time, in the hope that at least someone would pay,” says Alexey Vodiasov, shadow director of SEC Consult Services.

“This is indicated by the number of stolen databases. You can’t collect so much manually; therefore, the attacks were carried out automatically, that is, a bot was at work which, using known vulnerabilities, hacked the databases, then displayed and deleted their contents. The number of real victims may be even greater: most likely, only those databases whose owners decided not to pay are put up for sale.”