MySQL databases targeted for installing GandCrab on Windows servers

Hackers deploy GandCrab ransomware with the help of malicious SQL commands

Hackers search for vulnerable MySQL databases to load GandCrab ransomware on Windows servers.

Security experts uncovered a unique set of attacks that employ Windows machines running the open-source management system MySQL to infect them with GandCrab ransomware. A search on the internet for vulnerable Windows servers using MySQL is initiated by at least one Chinese hacker group.^[1] These cyber attacks are relatively new and never-before-seen by security researchers, as none of the other hacking groups yet utilized MySQL previously to this incident.

First, attackers use SQL database commands to upload DLL helper to the server and then execute the DLL file to implant the ransomware payload on the system. GandCrab ransomware^[2] is one of the most prolific cyber threats and is known to attack not only regular user systems but also those of businesses and organizations worldwide.^[3]

The Sophos researchers' discovery revealed that suspicious behavior and network traffic was spotted from the machine based in the United States, and the IP address of the database where ransomware script comes from – in Canada.^[4] Andrew Brandt, Principal Researcher at Sophos discovered these unique attacks and noted that hackers seem to search for accessible MySQL databases that would accept their SQL commands:

The first stage of the attack involved the attacker connecting to the database server and establishing that it was running MySQL.

Threat actors already hit 3100 targets with GandCrab

The campaign starts with a search for an underlying server that would run on Windows and can accept SQL commands. Once such commands can be launched, hackers can plant GandCrab ransomware on the server and infect the targeted network. Hackers attempt to find servers that are not protected with passwords or have vulnerabilities that can be exploited.

During the initial Sophos researcher investigation, a remote server was discovered that was running software called HFS, which exposed statistics of malicious payload downloads. It shows that more than 800 malware samples delivered in the five days that the particular payload was placed on the server, along with 2300 of the older samples:

Counted together, there has been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.

Researchers claim that, while it is not a massive attack, it is still significant, as it poses a tremendous risk to administrators running MySQL management systems and using port 3306 in the Firewall.

The notorious GandCrab ransomware used in massive malware attacks for a while

Ransomware is one of the most dangerous and damaging malware types in the wild. The particular GandCrab virus has been known for security experts since January 2018, and during its operation managed to earn a name for itself in hacking and cybersecurity community, attacking cities, companies and governmental institutions.^[5]

The month of May 2019 was already especially active for this ransomware because it was the reason that the city of Baltimore got paralyzed. GandCrab cryptovirus affected the government's computer network back on May 7th. Email, voicemail, parking database, and the whole system was shut down by the FBI to keep the infection from spreading around.

At the time of this ransomware attack, GandCrab developers demanded 13 Bitcoins to recover the system. The ransom worth about $100 000 was not paid due to the decision of Mayor Young, who tried to get the security of their system back, as well as the encrypted files without paying the criminals. Paying the demanded amount is not recommended regardless if the victim is a company or the everyday PC user.