FreeWorld Ransomware Expected to be Used By Threat Actors Targeting Microsoft SQL

FreeWorld Ransomware Expected to be Used By Threat Actors Targeting Microsoft SQL

Cobalt Strike and a FreeWorld ransomware version are being distributed by malicious actors using Microsoft SQL (MS SQL) servers that are not fully protected.

The cybersecurity firm Securonix has dubbed this campaign “DB#JAMMER” and highlighted its unique approach to using infrastructure and toolkits.

Security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov describe the campaign as involving a variety of tools, including scanning software, Remote Access Trojan (RAT) payloads, exploitation and credential theft software, and eventually ransomware payloads.

The most popular ransomware payload appears to be the FreeWorld variant of the Mimic ransomware, which was just released. The victim’s host is first breached by a brute-force attack on the MS SQL server. Utilizing this technique, the database is listed, and the xp_cmdshell configuration option is utilized to run shell commands and carry out reconnaissance.

The system firewall is then disabled, and an ongoing presence is established. This is done by installing malicious software like Cobalt Strike and connecting to a remote SMB share to make it easier to transfer files to and from the victim’s computer.

This series of incidents prepares the ground for the AnyDesk software rollout, which serves as a prelude to the FreeWorld ransomware introduction. However, a lateral movement procedure is carried out first before doing this. It’s important to note that the attackers tried unsuccessfully to use Ngrok to achieve RDP persistence.

The researchers emphasized that “the attack initially succeeded due to a brute force attack on an MS SQL server.” Furthermore, it is impossible to stress the need for strong passwords, especially for services that are available to the general public. This information is being made public at a time when the Rhysida ransomware’s developers have claimed 41 victims, the majority of whom are located in Europe.

The relatively new ransomware strain Rhysida, which first appeared in May 2023, has embraced a strategy that is becoming more and more popular: it not only encrypts but also steals valuable data from the targeted organizations. The operators threaten to release this exfiltrated material in an effort to coerce victims into paying a ransom.

This discovery follows the public release of a free decryptor for the Key Group ransomware strain, another ransomware variant. Ransomware attacks have significantly increased in 2023 compared to 2022, when they were relatively calm. Surprisingly the proportion of these attacks where the victim actually paid a ransom has fallen to an all-time low of 34%. This data was reported by Coveware in July 2023.

Read also:

Abdul Wahab is a Software Engineer by profession and a Tech geek by nature. Having been associated with the tech industry for the last five years, he has covered a wide range of Tech topics and produced well-researched and engaging content. You will mostly find him reviewing tech products and writing blog posts. Binge-watching tech reviews and endlessly reading tech blogs are his favorite hobbies.