Ongoing Ransomware Campaign Actively Exploiting a Vulnerability in Fortra’s GoAnywhere

Published on 25 Mar 2023 | Updated on 25 Mar 2023

There is an ongoing ransomware campaign actively exploiting a vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere Managed File Transfer (MFT), a system that allows companies to securely transfer huge sets of data and other large files.

Successful exploitation of the pre-authentication command injection vulnerability allows attackers to gain remote code execution on vulnerable GoAnywhere MFT instances whose administrative console is exposed to the Internet.

Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.

Type Indicator Description
IP 5[.]188[.]206[.]76 Malware Host
IP 92[.]118[.]36[.]213 Command and Control
Domain qweastradoc[.]com Command and Control
File Name gamft.dll Malware DLL
File Name larabqFa.exe Malware Executable
File Name Pxaz.dll Malware DLL

Users and administrators with Internet-exposed GoAnywhere MFT administration console are advised to download the security patch immediately.

Network administrators are also advised to scan their networks for the presence of IOCs and configure their firewall rules to block connections to domains associated with the campaign. Network administrators are recommended to limit open ports to necessary systems and consider changing the default ports (i.e. 8000 and 8001) of GoAnywhere Administrator that have been observed in vulnerable GoAnywhere MFT instances.

Users and administrators may refer to our advisory on how to protect their systems and data from ransomware threats at:

If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist at:

More information is available here: