More than 86 000 hacked SQL databases are on sale on the deep web

The site where the sale is being made is part of a major extortion scheme that has been operating since the beginning of 2020. Complaints about such attacks on databases can be found on Reddit, MySQL forums, technical support forums, Medium blogs, and private blogs. The hackers break into SQL databases, download them, delete the originals, and leave ransom notes telling the owners to pay if they want their data returned.

While the victims were initially asked to contact the attackers by email, later the hackers changed their tactics and automated their scheme using a site that was initially hosted on sqldb.to and dbrestore.to and then moved to the darknet.

On the site, victims are asked to enter a unique identifier specified in the ransom note, after which they are taken to the page where their data is being sold.

The price for restoring or buying a stolen database can vary slightly, as the bitcoin-to-dollar exchange rate often fluctuates. As a rule, the ransom is equal to about $500 in cryptocurrency, regardless of the content of the database and the affected site. The journalists believe that the attackers do not analyze the hacked and stolen databases and that the process is fully automated.

The Bitcoin addresses that the group uses are gradually accumulating on BitcoinAbuse.com. It is noted that this group's attacks are easy to recognize because the hackers usually accompany their ransom demands with the title “WARNING”.

Apparently, most of the hacked databases come from MySQL servers, but it cannot be ruled out that other systems, including PostgreSQL and MSSQL, could also be affected.