GandCrab Ransomware Infection Made by Scanning MySQL Databases

A Chinese hacking crew is currently targeting Windows servers that are running MySQL databases in order to infect those systems with the GandCrab ransomware.

This method of attack is a relatively new concept: attacking MySQL servers running on Windows in order to infect them with ransomware is something cybersecurity firms have not witnessed in a long time.

The attacks were spotted in honeypot logs by Andrew Brandt, Principal Researcher at Sophos. In a blog article on the Sophos website, he detailed the new scanning activity and its payload.

Brandt said the hackers would scan for internet-accessible MySQL databases that accept SQL commands, check whether the underlying server runs on Windows, and then use malicious SQL commands to plant a file on the exposed server, which they would later execute, infecting the host with the GandCrab ransomware.

These scans turned out to be opportunistic exploitation of misconfigured or passwordless databases by the threat actors.
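The attack chain described above (a remote client connecting to an exposed MySQL server, probing the operating system, then writing a file through SQL) leaves traces in the MySQL general query log. The following added example is not from the Sophos report or the article; it is a small detector that parses general-log lines, tracks which client host each connection came from, and raises an alert when a statement that can write files on the server (`INTO OUTFILE` / `INTO DUMPFILE`, or loading a user-defined function with `CREATE FUNCTION ... SONAME`) arrives over the network. The log lines are constructed, the host 203.0.113.7 is a documentation address, and the choice of which statements to flag is the example's own assumption about what "planting a file via SQL" looks like; the real attackers' statements are not quoted on the page.

```python
import re

# Constructed sample of MySQL general query log lines (not from the Sophos report).
# Format per line: <timestamp>\t<connection id> <command>\t<argument>
SAMPLE_LOG = """\
2019-05-21T10:01:02.000000Z\t   14 Connect\troot@203.0.113.7 on  using TCP/IP
2019-05-21T10:01:03.000000Z\t   14 Query\tselect @@version_compile_os
2019-05-21T10:01:04.000000Z\t   14 Query\tSELECT 0x4d5a9000 INTO DUMPFILE 'C:/ProgramData/payload.bin'
2019-05-21T10:01:09.000000Z\t   14 Quit\t
2019-05-21T10:02:00.000000Z\t   15 Connect\tapp@localhost on shop using Socket
2019-05-21T10:02:01.000000Z\t   15 Query\tSELECT id, name FROM products WHERE id = 42
2019-05-21T10:02:02.000000Z\t   15 Query\tSELECT name INTO OUTFILE '/var/lib/mysql-files/export.csv' FROM products
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<cid>\d+)\s+(?P<cmd>\w+)\t?(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")
# Statements that write a file on the database host (assumed indicators, see lead-in).
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.IGNORECASE)
UDF_RE = re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.IGNORECASE)
# Reading the compile OS is how a client can tell whether the server runs on Windows.
OS_PROBE_RE = re.compile(r"@@version_compile_os", re.IGNORECASE)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def analyse_general_log(log_text):
    """Return a list of alert dicts for file-writing SQL, keyed by connection.

    Severity: 'medium' for a local client, 'high' for a remote client, and
    'critical' when the same remote connection first probed the server OS.
    """
    sessions = {}  # connection id -> {"user", "host", "os_probe"}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cid, cmd, arg = m["cid"], m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            sessions[cid] = {
                "user": c["user"] if c else "?",
                "host": c["host"] if c else "?",
                "os_probe": False,
            }
            continue
        if cmd != "Query":
            continue
        sess = sessions.setdefault(cid, {"user": "?", "host": "?", "os_probe": False})
        if OS_PROBE_RE.search(arg):
            sess["os_probe"] = True  # remembered as context for later statements
            continue
        reason = None
        if FILE_WRITE_RE.search(arg):
            reason = "file_write"
        elif UDF_RE.search(arg):
            reason = "udf_load"
        if reason is None:
            continue
        remote = sess["host"] not in LOCAL_HOSTS
        severity = "medium"
        if remote:
            severity = "critical" if sess["os_probe"] else "high"
        alerts.append({
            "connection": cid,
            "user": sess["user"],
            "host": sess["host"],
            "remote": remote,
            "reason": reason,
            "severity": severity,
            "statement": arg,
        })
    return alerts


if __name__ == "__main__":
    for alert in analyse_general_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] conn {alert['connection']} "
              f"{alert['user']}@{alert['host']} {alert['reason']}: {alert['statement']}")
```

The general query log must be enabled (`general_log=ON`) for this to have anything to read, and on a busy server it is large, so in practice the same logic would run against a log shipped to a SIEM. The local `INTO OUTFILE` export is still reported, at lower severity, because the point of the check is to surface every file write the database performs rather than to guess which one is malicious.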

According to Brandt, the hackers appeared to have been quite prodigious, though it is not entirely clear whether they were successful.

The attacks were traced back to a remote server hosting an open directory on server software called HFS (HTTP File Server), which exposed download statistics for the attackers' malicious payloads.