National CSIRT-CY | National Computer Security Incident Response Team of Cyprus

The National Computer Security Incident Response Team works to raise the level of cyber security by strengthening the protection of the cyberspace of the National Critical Information Infrastructures, banks and communication providers of the Republic of Cyprus.

Extortionists threaten to destroy sites in fake ransom attacks

16 June 2020

Scammers are targeting website owners with blackmail messages asking them to pay ransoms between €1,500 and €3,000 in bitcoins to avoid having their sites’ databases leaked and their reputation destroyed.

The fraudsters falsely claim to have found and exploited a vulnerability in the sites’ software, harvested the database credentials, and exfiltrated the databases to servers under their control.

Data leak and blackhat SEO used as threats

Unless the ransom is paid, they threaten to leak or sell the “stolen” databases, as well as email the site owners’ associates and customers to destroy the sites’ reputations.

Last but not least, the scammers also try to further scare their targets into paying the €2,000 ransom by threatening to de-index the sites from search engines using “blackhat” SEO techniques.

The potential victims are asked to pay the ransom within 5 days of receiving the ransom email to avoid having their websites destroyed.

What makes this scam special is not the blackmail technique it uses but the well-written ransom note (with almost no grammar errors) it delivers to potential victims.

An excerpt of the ransom email sent by the scammers behind this campaign is embedded below.

We have hacked your website [website URL] and extracted your databases.

How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site [website URL] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is [ransom amount] USD in bitcoins (BTC).

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

Do not pay the ransom, it’s just a scam

So far, researchers at web application security company WebARX, who first reported this scam, have found multiple Bitcoin wallets being used to collect the ransom payments; victims have also posted reports on Blogger’s help site, on the WordPress support forum, and on StackOverflow.

Fortunately, almost none of the website admins and owners contacted by these scammers fell for the trick: only two of the wallets have received any funds since mid-April, when the first reports of this scam surfaced.

However, the fraudsters are quite active as shown by the dozens of reports their targets have submitted on the BitcoinAbuse platform for each of the wallets used in this campaign.

The most important thing you can do when receiving a similar email is to first check whether it contains any proof that your website was actually hacked, for instance a sample of your real data or a detail specific to your site rather than a generic template; an email that only repeats your site’s URL proves nothing.

Also, always search for the Bitcoin address embedded in the blackmail email on the Bitcoin Abuse Database for reports of blackmailers or fraudsters actively using it.
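Before looking an address up, it helps to pull every Bitcoin address out of the email and make sure each one is a real address and not a typo or extraction noise. The following is an added example, not code from the original article or from WebARX or BleepingComputer: it extracts candidate addresses from an email body and keeps only those whose checksum verifies (Base58Check for legacy addresses starting with 1 or 3, BIP173 bech32 or BIP350 bech32m for bc1 addresses). The sample email is constructed; the addresses in it are public test values (the genesis-block address and the BIP173 P2WPKH example), not wallets seen in this campaign.

```python
"""Extract and validate Bitcoin addresses from a blackmail email (added example)."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Candidate pattern only; the checksum functions below decide what is real.
CANDIDATE_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,87})\b")


def _b58check_ok(addr: str) -> bool:
    """Base58Check: version(1) + hash(20) + checksum(4) = 25 bytes; checksum = first 4 bytes of double SHA-256."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))  # leading '1's encode leading zero bytes
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def _bech32_polymod(values) -> int:
    gen = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32_ok(addr: str) -> bool:
    """Mainnet 'bc' address with a bech32 (constant 1) or bech32m (constant 0x2bc830a3) checksum."""
    if addr != addr.lower() or "1" not in addr:
        return False
    hrp, data = addr.rsplit("1", 1)
    if hrp != "bc" or len(data) < 6:
        return False
    try:
        values = [BECH32_CHARSET.index(c) for c in data]
    except ValueError:
        return False
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _bech32_polymod(expanded + values) in (1, 0x2BC830A3)


def is_valid_btc_address(addr: str) -> bool:
    return _bech32_ok(addr) if addr.startswith("bc1") else _b58check_ok(addr)


def extract_btc_addresses(text: str) -> list:
    """Return the checksum-valid Bitcoin addresses found in the text, in order, without duplicates."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        a = m.group(0)
        if a not in found and is_valid_btc_address(a):
            found.append(a)
    return found


# Constructed sample email. The last address has a deliberately broken checksum.
SAMPLE_EMAIL = """We have hacked your website and extracted your databases.
The current fee is 2000 USD in bitcoins (BTC).
Send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4
Backup address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
"""

if __name__ == "__main__":
    for a in extract_btc_addresses(SAMPLE_EMAIL):
        print("look up on the Bitcoin Abuse Database:", a)
```

Only the two valid addresses survive; the one with the altered final character is dropped, which is what you want before searching an abuse database or filing a report.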

Real database ransom attacks

While these blackmailers demand ransoms by bullying their targets without any actual proof, websites can fall victim to real ransom attacks after their databases get encrypted or stolen.

Just last month, BleepingComputer reported on attackers hacking online shops’ insecure SQL servers, copying the databases, and then leaving behind ransom notes demanding payment in exchange for the data to be returned.

Those attacks were also a lot more successful in collecting ransoms, with a combined total of BTC 5.8 (currently worth roughly $54,500) having been sent by over 100 victims to just two of the attackers’ wallets.

Such ransom attacks were also targeting MongoDB databases between 2017 and 2019 as well as MySQL servers.
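The common thread in those real attacks is a database service reachable from the internet. A quick check for that on a Linux host is to read the listening sockets and flag database ports bound to anything other than loopback. The script below is an added example, not from the original article: it parses the output of `ss -tlnp` (the sample output here is constructed, not captured from a real host) and reports MySQL/MariaDB, MongoDB, PostgreSQL, Redis, MSSQL and Elasticsearch listeners on wildcard or non-loopback addresses. The port-to-service table is an assumption based on default ports.

```python
"""Flag database services listening on non-loopback interfaces (added example)."""
import ipaddress
import sys

# Default ports of common database services (assumed mapping).
DB_PORTS = {
    3306: "mysql/mariadb",
    27017: "mongodb",
    5432: "postgresql",
    6379: "redis",
    1433: "mssql",
    9200: "elasticsearch",
}


def split_addr_port(local: str):
    """Split ss's Local Address:Port column: 0.0.0.0:3306, 127.0.0.1:27017, [::]:3306, *:22, [::ffff:10.0.0.5]:5432."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host: str) -> bool:
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable: treat as exposed rather than silently ignoring it


def exposed_db_listeners(ss_output: str) -> list:
    """Return (service, process, host, port) for database ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header line or non-listening row
        host, port = split_addr_port(parts[3])
        if port not in DB_PORTS or is_loopback(host):
            continue
        proc = "?"
        if len(parts) > 5 and 'users:(("' in parts[5]:
            proc = parts[5].split('"')[1]  # users:(("mysqld",pid=812,fd=23)) -> mysqld
        findings.append((DB_PORTS[port], proc, host, port))
    return findings


# Constructed sample of `ss -tlnp` output.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      80             0.0.0.0:3306        0.0.0.0:*     users:(("mysqld",pid=812,fd=23))
LISTEN 0      128          127.0.0.1:27017       0.0.0.0:*     users:(("mongod",pid=901,fd=12))
LISTEN 0      128               [::]:9200           [::]:*     users:(("java",pid=1337,fd=45))
LISTEN 0      128            10.0.0.5:5432        0.0.0.0:*     users:(("postgres",pid=455,fd=7))
LISTEN 0      511          127.0.0.1:6379        0.0.0.0:*     users:(("redis-server",pid=300,fd=6))
LISTEN 0      128                  *:22                *:*     users:(("sshd",pid=650,fd=3))
"""

if __name__ == "__main__":
    # Usage on a server: ss -tlnp | python3 exposed_db_listeners.py ; with no piped input the sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for service, proc, host, port in exposed_db_listeners(data):
        print(f"EXPOSED {service:<14} {proc:<12} {host}:{port}")
```

On the sample, MySQL on 0.0.0.0, Elasticsearch on [::] and PostgreSQL on 10.0.0.5 are reported, while MongoDB and Redis on 127.0.0.1 are not. For a service that only the local application needs, bind it to loopback (MySQL: `bind-address = 127.0.0.1` in my.cnf; MongoDB: `net.bindIp: 127.0.0.1` in mongod.conf) and keep authentication enabled and a host firewall in front of it; a loopback bind alone does nothing for a database that legitimately serves other hosts.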

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.
