Hackers broke into databases, snatched their content, held it for ransom for nine days, and then sold it to the highest bidder if the DB owner did not pay the ransom demand.

For a price of just $550/database, more than 85,000 SQL databases are listed for sale on a dark web portal.

The portal, brought to the attention of a security researcher earlier today, is part of a database ransom scheme that has been going on since the beginning of 2020.

Hackers broke into SQL databases, downloaded tables, removed the originals, and left behind ransom notes telling server owners to contact the attackers in order to get their data back.

Initial ransom notes asked victims to contact the attackers via email. As the operation expanded over the year, the attackers automated their DB ransom scheme with the help of a web portal, first hosted online at sqldb.to and dbrestore.to, and later moved to an Onion address on the dark web.

Victims accessing the sites of the gang are asked to enter a unique ID, found in the ransom note, before being presented with the page where their data is being sold.

If victims do not pay within a span of nine days, their data will be put up for auction on another section of the portal.

The price for recovering or buying a stolen SQL database must be paid in bitcoin. As the BTC/USD exchange rate fluctuated, the actual price varied throughout the year but usually remained centred on a $500 figure for each site, regardless of the content it held.

This indicates that both the DB intrusions and the web pages for ransom/auction are automated and that the hacked databases are not analysed by attackers for data that may contain a higher concentration of personal or financial information.

Past attacks are easy to identify as the group typically put their ransom demands in SQL tables entitled “WARNING.” Most of the databases seem to have been MySQL servers based on complaints ZDNet has reviewed for this article; however, we do not rule out that other SQL relational database systems such as PostgreSQL and MSSQL may also have been hit.
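Because the group leaves its note in a table named WARNING, a DBA can sweep a server for that indicator with a catalog query. The following is an added detection check, not code from the article or from the attackers; it assumes an account with read access to the catalog views and covers MySQL, PostgreSQL and MSSQL, the three systems the article names.

```sql
-- MySQL / MariaDB: find any WARNING table in user schemas, newest first,
-- so a freshly planted ransom note stands out.
SELECT table_schema, table_name, create_time, table_rows
FROM information_schema.tables
WHERE UPPER(table_name) = 'WARNING'
  AND table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
ORDER BY create_time DESC;

-- PostgreSQL: same check via the standard information_schema view.
SELECT table_schema, table_name
FROM information_schema.tables
WHERE UPPER(table_name) = 'WARNING'
  AND table_schema NOT IN ('pg_catalog', 'information_schema');

-- MSSQL: same check via the sys catalog, with creation date for triage.
SELECT s.name AS schema_name, t.name AS table_name, t.create_date
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id
WHERE UPPER(t.name) = 'WARNING'
ORDER BY t.create_date DESC;
```

A hit on any of these, especially alongside user tables that have gone missing, is the signal to preserve logs and restore from backup rather than to contact the address in the note.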

Signs of these ransom attacks have piled up over the course of 2020, as reports from server owners who discovered the ransom note inside their databases popped up on Reddit, the MySQL forums, tech support forums, Medium posts, and private blogs.

On BitcoinAbuse.com, a website that indexes Bitcoin addresses used in cybercrime activities, the Bitcoin addresses used for these ransom demands have also been stacking up.

These attacks mark the most concerted effort to ransom SQL databases since the winter of 2017, when hackers hit MySQL servers in a series of attacks that also targeted MongoDB, Elasticsearch, Hadoop, Cassandra, and CouchDB servers.
