
Hackers Exploit Legitimate Commands to Breach Databases


By Mayura Kathir

In recent years, adversaries have abandoned traditional malware in favor of “living-off-the-land” operations against cloud and SaaS environments.

Rather than deploying custom ransomware binaries, many threat actors now exploit misconfigured database services—leveraging only built-in commands to steal, destroy, or encrypt data.

Victims often discover their data missing or inaccessible, replaced only by ransom notes stored within the database itself. This malware-less approach has grown from isolated incidents into highly automated campaigns that prey on exposed databases worldwide.

Classic ransomware typically requires delivering a malicious payload to encrypt files on disk. By contrast, database ransomware uses normal queries—such as DROP, DELETE, or EXPORT—to render data unavailable and then holds backups hostage.

Attackers scan the Internet for open ports (MySQL on 3306, PostgreSQL on 5432, MongoDB on 27017, and others), test weak or default credentials, and upon authentication, exfiltrate data to attacker-controlled hosts.

They then wipe ...
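As an added example, not part of the article, the following Python detector runs over constructed MySQL general-query-log lines and flags the built-in statements described above (destructive DDL, an unqualified DELETE, and the creation of a ransom-note-named object), tagging each with the host that opened the connection. The log format, the trusted-host list and the note keywords are assumptions for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "thread host reason sql")

# Built-in statements an intruder with valid credentials can use to destroy
# data or leave a note inside the database, no malware required.
RULES = [
    ("destructive DDL", re.compile(r"^\s*(DROP\s+(DATABASE|SCHEMA|TABLE)|TRUNCATE\s+TABLE)\b", re.I)),
    ("DELETE without WHERE", re.compile(r"^\s*DELETE\s+FROM\s+\S+\s*;?\s*$", re.I)),
    ("ransom-note object created", re.compile(
        r"^\s*CREATE\s+(DATABASE|SCHEMA|TABLE)\s+`?\w*(README|RECOVER|RANSOM|WARNING|RESTORE)", re.I)),
]
# Assumed MySQL general-log shape: "<time> <thread_id> <Connect|Query|Quit> <text>".
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query|Quit)\s*(.*)$")
CONNECT = re.compile(r"^(\S+?)@(\S+)\s+on\b")  # "user@host on db ..."

# Constructed sample log (not from the article): an external root login wipes a
# database and creates a note-named schema; a local app does routine deletes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z   12 Connect  root@203.0.113.9 on  using TCP/IP
2024-05-01T10:00:02Z   12 Query    SELECT * FROM customers
2024-05-01T10:00:03Z   12 Query    DROP DATABASE shop
2024-05-01T10:00:04Z   12 Query    CREATE DATABASE README_TO_RECOVER_YOUR_DATA
2024-05-01T10:00:05Z   13 Connect  app@127.0.0.1 on shop using TCP/IP
2024-05-01T10:00:06Z   13 Query    DELETE FROM sessions WHERE expires < NOW()
2024-05-01T10:00:07Z   13 Query    DELETE FROM audit_log
"""

def analyze(log_text, trusted_hosts=frozenset({"localhost", "127.0.0.1"})):
    """Return a Finding for each risky statement, tagged with the connecting host."""
    hosts, findings = {}, []  # hosts: thread_id -> host recorded at Connect time
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _ts, thread, event, rest = m.groups()
        if event == "Connect":
            c = CONNECT.match(rest)
            hosts[thread] = c.group(2) if c else "?"
        elif event == "Query":
            host = hosts.get(thread, "?")
            for reason, rx in RULES:
                if rx.match(rest):
                    if host not in trusted_hosts:
                        reason += " from untrusted host"
                    findings.append(Finding(thread, host, reason, rest.strip()))
                    break
    return findings
```

Running `analyze(SAMPLE_LOG)` yields three findings: the DROP and the note-named CREATE from the external host, and the unqualified DELETE from the local application.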


Copyright of this story solely belongs to gbhackers.