Threat actors are exploiting unsecured Microsoft SQL servers in a new campaign to deliver a ransomware strain called FreeWorld. Securonix researchers have dubbed the campaign DB#JAMMER and it stands out for the way the toolset and infrastructure are employed.
Attack chain
- The initial access to the victim host is achieved by brute-forcing MS SQL servers.
- Once access is gained, the attackers enumerate the database and run shell commands to impair the system firewall.
- This enables them to establish persistence on the host and connect to a remote SMB share to transfer files, including malicious tools such as Cobalt Strike.
- This, in turn, paves the way for the deployment of AnyDesk software, through which the FreeWorld ransomware is delivered.
- In some cases, the attackers attempt to establish RDP persistence through Ngrok.
About FreeWorld ransomware
- FreeWorld ransomware appears to be a variant of the Mimic ransomware, as it follows similar TTPs. One similarity is the use of a legitimate application called Everything.exe to query and locate the target files to be encrypted.
- Upon execution, the ransomware encrypts the victim host and appends the .FreeWorldEncryption extension to the encrypted files.
- After that, it creates a text file named ‘FreeWorld-Contact.txt’ with instructions on how to pay the ransom.
Vulnerable SQL servers continue to attract attackers
- Palo Alto Networks' Unit 42 revealed that the TargetCompany group showed a 174% increase in ransomware activity that exploited vulnerable SQL servers worldwide.
- In a separate incident, Trigona ransomware actors targeted weakly configured MS SQL servers to deploy the ransomware.
Conclusion
Since initial access is gained by brute force, it is important to use strong, complex passwords, especially on publicly exposed services. It is also advisable to use a trusted VPN for remote access to services rather than exposing them directly. Organizations can further reduce the attack surface of MS SQL services by addressing known flaws and by limiting the servers' exposure to the internet.
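The attack chain above starts with password brute forcing against the SQL Server login, and the conclusion's advice hinges on catching or preventing that stage. The following script is an added example, not code from Securonix or from the article, showing how a defender could detect the brute-force stage from the SQL Server error log: it parses the standard "Login failed for user ... [CLIENT: ip]" lines (error 18456) and raises an alert when one client IP produces repeated failures inside a sliding window. As a second signal for the "running shell commands" step, it also flags the informational line SQL Server writes the first time the xp_cmdshell extended procedure is loaded; the article does not name the mechanism used, so xp_cmdshell is an assumption. The log lines, IP addresses, usernames, version string and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a SQL Server error log: one client hammering the 'sa' login
# and probing other names, a second client with a couple of benign typos, and the
# message SQL Server logs when xp_cmdshell is first executed after startup.
SAMPLE_LOG = """\
2023-09-01 10:15:02.13 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:15:02.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:05.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:08.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:09.02 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2023-09-01 10:15:12.33 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:15.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:15:44.12 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2023-09-01 10:16:30.05 spid52      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_cmdshell'. This is an informational message only; no user action is required.
"""

# Default error-log layout: "<timestamp> <source> <message>". The failed-login
# message carries the login name and the client address at the end of the line.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
# Assumed indicator for shell execution via SQL Server (see lead-in).
SHELL_PROC_RE = re.compile(r"to execute extended stored procedure 'xp_cmdshell'")


def parse_failed_login(line):
    """Return {'ts', 'user', 'client'} for a failed-login line, or None for any other line."""
    m = FAILED_LOGIN_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "user": m.group("user"),
        "client": m.group("client"),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per client IP when it accumulates >= threshold failed logins
    within any sliding window of the given length."""
    recent = defaultdict(deque)  # client ip -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_failed_login(line)
        if ev is None:
            continue
        q = recent[ev["client"]]
        q.append((ev["ts"], ev["user"]))
        # Drop events that fell out of the window relative to the newest one.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["client"] not in alerted:
            alerted.add(ev["client"])
            alerts.append({
                "client": ev["client"],
                "first": q[0][0],
                "last": ev["ts"],
                "count": len(q),
                "users": sorted({u for _, u in q}),
            })
    return alerts


def detect_shell_execution(lines):
    """Return the timestamps (to the second) of lines showing xp_cmdshell being loaded."""
    return [line[:19] for line in lines if SHELL_PROC_RE.search(line)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for a in detect_bruteforce(lines):
        print(f"BRUTE FORCE from {a['client']}: {a['count']} failures "
              f"between {a['first']} and {a['last']}, logins tried: {a['users']}")
    for ts in detect_shell_execution(lines):
        print(f"SHELL EXECUTION via xp_cmdshell observed at {ts}")
```

The sliding window keeps only the failures still within the window, so a slow but persistent guess rate is missed if it stays under the threshold; lowering the threshold or lengthening the window trades that for more noise from legitimate mistyped passwords, which the second client in the sample illustrates. The xp_cmdshell message is only logged on the procedure's first use after a service start, so it is a one-shot indicator rather than a per-command audit.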