Hackers scan for MySQL ransomware targets

New research indicates threat actors are scanning for vulnerable MySQL servers in an effort to spread GandCrab ransomware.

Andrew Brandt, principal researcher at Sophos, saw the attack hit a honeypot MySQL server and discovered malicious actors attempting to install GandCrab ransomware. Brandt noted that the attempted MySQL ransomware attack called a directory with a Chinese user interface in order to download the ransomware files.

MySQL — an open source relational database management system developed by Oracle — is the most popular database technology, according to technographics firm Datanyze, with more than 52% of the market share. Although Brandt would not comment on how widespread these attacks might be, he pointed out this Chinese user interface showed how many times the hosted ransomware files had been downloaded. In total, the files had been downloaded more than 3,000 times.

“Counted together, there has been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory,” Brandt wrote in the blog post. “So while this isn’t an especially massive or widespread attack, it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world.”

Brandt said the attackers were scanning for MySQL ransomware targets via the default port 3306 and even named the GandCrab files as 3306.exe. When the attackers found an internet-accessible MySQL database, they checked if the server would accept SQL commands and if the server was running on Windows before attempting the ransomware installation.

The GandCrab ransomware is known to be dangerous, having added capabilities from EternalBlue in order to spread more easily. But, GandCrab also has a history of decryption tools being released to help victims recover data.

However, mitigating the threat should be a matter of access management, Brandt told SearchSecurity.

Anything that an attacker can use to gain a foothold inside an enterprise network could lead to worse than just a single machine’s data getting held for ransom.

Andrew BrandtPrincipal researcher, Sophos

“Admins should ensure that they are using strong, unique passwords for the root account on the database server, as well as for the administrative account(s) on the machine,” Brandt wrote via email. “If a business application needs to reach the database server directly, it should probably connect through a VPN so the database service does not need to be hosted on a port anyone can reach from the public internet.”

While Brandt would not say how widespread the threat of these MySQL ransomware attacks might be, he urged users to consider the wider ramifications of such an attack.

“This is not the kind of attack that will directly affect desktop or mobile computers, but anything that an attacker can use to gain a foothold inside an enterprise network could lead to worse than just a single machine’s data getting held for ransom,” Brandt added. “We can’t get complacent just because we think an attack such as this one might only result in a ransomware or cryptominer malware on a single, perhaps unimportant, machine.”