At least one Chinese hacking crew is currently scanning the internet for Windows servers that are running MySQL databases so they can infect these systems with the GandCrab ransomware. These attacks are somewhat unique, as cyber-security firms have not seen any threat actor until now that has attacked MySQL servers running on Windows systems to infect them with ransomware. Brandt said hackers would scan for internet-accessible MySQL databases that would accept SQL commands, check if the underlying server would run on Windows, and then use malicious SQL commands to plant a file on the exposed servers, which they'd later execute, infecting the host with the GandCrab ransomware. The Sophos researcher tracked these attacks back to a remote server, which had an open directory running server software called HFS, which exposed download stats for the attacker's malicious payloads. "The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe).