Varonis Threat Labs deployed managed MySQL honeypots across major cloud providers to observe attacker behavior. The publicly exposed GCP instance with weak credentials was compromised within hours by multiple automated ransomware operators who brute-forced access, exfiltrated data, dropped tables, and left ransom notes.