Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.

Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity.

"The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld."

Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance.

Cybersecurity

The next stage entails taking steps to impair system firewall and establish persistence by connecting to a remote SMB share to transfer files to and from the victim system as well as install malicious tools such as Cobalt Strike.

This, in turn, paves the way for the distribution of AnyDesk software to ultimately push FreeWorld ransomware, but not before carrying out a lateral movement step. The unknown attackers are also said to have unsuccessfully attempted to establish RDP persistence through Ngrok.

"The attack initially succeeded as a result of a brute force attack against a MS SQL server," the researchers said. "It's important to emphasize the importance of strong passwords, especially on publicly exposed services."

This is not the first time poorly managed MS SQL servers have been targeted by threat actors to deploy malware. Last week, AhnLab Security Emergency Response Center (ASEC) detailed a new wave of cyber assaults designed to deploy LoveMiner and projacking software on compromised servers.

The disclosure comes as the operators of the Rhysida ransomware have claimed 41 victims, with more than half of them located in Europe.

Rhysida is one of the nascent ransomware strains that emerged in May 2023, adopting the increasingly popular tactic of encrypting and exfiltrating sensitive data from organizations and threatening to leak the information if the victims refuse to pay.

Microsoft SQL Servers to Deploy FreeWorld Ransomware

It also follows the release of a free decryptor for a ransomware strain called Key Group by taking advantage of multiple cryptographic errors in the program. The Python script, however, only works on samples compiled after August 3, 2023.

"Key Group ransomware uses a base64 encoded static key N0dQM0I1JCM= to encrypt victims' data," Dutch cybersecurity company EclecticIQ said in a report released Thursday.

"The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process which poses a significant flaw in the encryption routine."

Cybersecurity

2023 has witnessed a record surge in ransomware attacks following a lull in 2022, even as the percentage of incidents that resulted in the victim paying have fallen to a record low of 34%, according to statistics shared by Coveware in July 2023.

The average ransom amount paid, on the other hand, has hit $740,144, up 126% from Q1 2023.

The fluctuations in monetization rates have been accompanied by ransomware threat actors continuing to evolve their extortion tradecraft, including sharing details of their attack techniques to show why the victims aren't eligible for a cyber insurance payout.


"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance ransomware," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.