Hackers are scanning for MySQL servers to deploy GandCrab ransomware
Sophos researchers have discovered a new ransomware campaign targeting Internet-facing MySQL servers running on Windows. The threat actors actively scan the Internet for exposed MySQL instances, check that a discovered server is running on Windows, and then feed it malicious SQL commands in an attempt to deliver the data-encrypting GandCrab ransomware. The attack only succeeds against servers that are reachable from the Internet and either have no password on the account being used or are otherwise misconfigured to allow unauthenticated remote access.
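A defender-side check for the preconditions described above, added here as an example (it is not Sophos research code, and it is not the campaign's SQL, which the article does not reproduce). It audits the account table for passwordless, network-reachable logins and reads secure_file_priv, the server variable that decides whether SQL statements can write files to disk at all. The queries, plugin names and variable semantics are standard MySQL; the sample rows are constructed for a weakly configured Windows host.

```python
"""Audit the MySQL misconfigurations that make a server a soft target
for SQL-driven malware drops.

Added example for this article, not Sophos code and not the campaign's
own SQL.  It checks two things the described attack depends on:
accounts reachable over the network with no password, and whether the
server lets SQL write files to disk at all (secure_file_priv).  Feed it
the rows from the two queries below; the rows embedded here are
constructed sample data.
"""

# Run these on the server (as an administrator) and pass the result
# rows to the audit functions.
ACCOUNT_QUERY = (
    "SELECT user, host, authentication_string, plugin, File_priv "
    "FROM mysql.user"
)
FILE_PRIV_QUERY = "SHOW VARIABLES LIKE 'secure_file_priv'"

# Plugins for which an empty authentication_string means "no password".
PASSWORD_PLUGINS = {"mysql_native_password", "caching_sha2_password",
                    "sha256_password"}

# Constructed sample rows, shaped as the queries above return them.
SAMPLE_ACCOUNTS = [
    ("root", "localhost", "", "mysql_native_password", "Y"),
    ("root", "%", "", "mysql_native_password", "Y"),
    ("app", "10.0.0.%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19",
     "mysql_native_password", "N"),
    ("mysql.sys", "localhost", "*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE",
     "mysql_native_password", "N"),
]
SAMPLE_SECURE_FILE_PRIV = ("secure_file_priv", "")  # empty = unrestricted


def is_remote(host):
    """True if the account can be used from anywhere but the local machine.
    MySQL host patterns treat '%' and '_' as wildcards, so '%' and
    '10.0.0.%' are both network-reachable."""
    return host not in ("localhost", "127.0.0.1", "::1")


def audit_accounts(rows):
    """Return (severity, account, message) for each risky account."""
    findings = []
    for user, host, auth, plugin, file_priv in rows:
        account = f"'{user}'@'{host}'"
        if plugin in PASSWORD_PLUGINS and auth == "":
            if is_remote(host):
                sev, msg = "critical", "no password and reachable from the network"
            else:
                sev, msg = "warning", "no password (local only)"
            if file_priv == "Y":
                msg += "; has FILE privilege, so SQL can write to disk"
            findings.append((sev, account, msg))
        elif user == "root" and is_remote(host):
            findings.append(("warning", account, "remote root login allowed"))
    return findings


def audit_secure_file_priv(row):
    """Interpret SHOW VARIABLES LIKE 'secure_file_priv'.

    NULL   -> INTO OUTFILE/DUMPFILE and LOAD DATA INFILE are disabled.
    ''     -> no restriction: a FILE-privileged account can write any
              path the mysqld service account can reach.
    <path> -> file import/export confined to that directory.
    Connectors may return NULL as None or as the string 'NULL'.
    """
    _name, value = row
    if value is None or value.upper() == "NULL":
        return None
    if value == "":
        return ("critical", "secure_file_priv",
                "empty: SQL may write files anywhere the server process can")
    return ("info", "secure_file_priv",
            f"file import/export confined to {value}")


def audit(account_rows, file_priv_row):
    """Combine both checks. A 'critical' account finding is exactly the
    exposure the article describes: a passwordless, Internet-reachable
    server that accepts whatever SQL it is sent."""
    findings = audit_accounts(account_rows)
    fp = audit_secure_file_priv(file_priv_row)
    if fp is not None:
        findings.append(fp)
    return findings


if __name__ == "__main__":
    for sev, subject, msg in audit(SAMPLE_ACCOUNTS, SAMPLE_SECURE_FILE_PRIV):
        print(f"[{sev:8}] {subject}: {msg}")
```

Any critical finding on a host whose port 3306 is reachable from the Internet is the situation this campaign looks for; the fix is to set a password on every account, drop or restrict the `'root'@'%'` style entries, and keep the server off the public Internet regardless of what secure_file_priv says.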
Sophos attributes the campaign to Chinese-speaking actors on the basis that the remote server the campaign relies on has an interface in simplified Chinese; the interface language is the only attribution evidence the research cites. While threat actors often target poorly secured servers to steal data or to gain a foothold in an organization's network, they rarely use such servers to deploy ransomware.