Cybercriminals are targeting internet-exposed and poorly secured Microsoft SQL (MS-SQL) servers via brute-force or dictionary attacks. The attackers' ultimate aim is to deploy the Trigona ransomware.
Hacking into MS-SQL servers
According to AhnLab, the Trigona ransomware operation only accepts ransom payments in Monero from victims around the world. It was first spotted in October 2022.
- After connecting to a SQL server, the attackers deploy CLR Shell malware. It is used for altering account configurations, harvesting system details, and escalating privileges to LocalSystem.
- The attackers exploit the CVE-2016-0099 vulnerability in the Windows Secondary Logon Service to launch the ransomware.
- In the next stage, they install and execute a dropper malware as svcservice[.]exe. It is further used to run the Trigona ransomware as svchost[.]exe.
The attackers have configured the ransomware binary to launch automatically on every system restart using a Windows autorun key to ensure the systems will be encrypted even after rebooting.
Attack approach
Before encryption, the attackers claim to steal sensitive documents that will be added to dark web leak sites if the ransom is not paid.
- Next, the ransomware renames locked files by adding the ._locked extension and adds the locked decryption key, victim ID, and campaign ID (firm's name) to each locked file.
- It creates a ransom note how_to_decrypt[.]hta in every folder with details related to the attack, a link to the Tor negotiation website, and a link to the authorization key to log into the negotiation site.
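The two on-disk artifacts described above (the ._locked extension and the how_to_decrypt.hta note in every folder) are what a responder looks for first when triaging a suspected Trigona incident. The following is an added example, not code from the article or from AhnLab: a small Python scan that walks a directory tree, inventories both artifacts, and maps each locked file back to its original name. The sample directory tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Artifacts named in the report: encrypted files carry this suffix and a ransom
# note with this name is dropped in every folder the ransomware touched.
LOCKED_SUFFIX = "._locked"
RANSOM_NOTE = "how_to_decrypt.hta"


def original_name(locked_path):
    """Strip the ._locked suffix to recover the pre-encryption file name."""
    name = os.path.basename(locked_path)
    return name[: -len(LOCKED_SUFFIX)] if name.endswith(LOCKED_SUFFIX) else name


def scan_for_trigona_artifacts(root):
    """Walk `root` and return a triage inventory:
    locked_files  - absolute paths of files with the ._locked suffix
    ransom_notes  - absolute paths of how_to_decrypt.hta notes
    per_directory - Counter of locked files per directory (where impact was heaviest)
    """
    found = {"locked_files": [], "ransom_notes": [], "per_directory": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(LOCKED_SUFFIX):
                found["locked_files"].append(path)
                found["per_directory"][dirpath] += 1
            elif name.lower() == RANSOM_NOTE:
                found["ransom_notes"].append(path)
    return found


def build_sample_tree():
    """Constructed fixture (not real victim data): a temp directory that mimics a
    file share in which one folder has been encrypted and notes were dropped."""
    root = Path(tempfile.mkdtemp(prefix="trigona_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q1.xlsx._locked").write_bytes(b"\x00" * 16)
    (root / "finance" / "budget.docx._locked").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text("<html>constructed placeholder</html>")
    (root / RANSOM_NOTE).write_text("<html>constructed placeholder</html>")
    (root / "readme.txt").write_text("untouched file")
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_for_trigona_artifacts(demo_root)
    print(f"locked files: {len(result['locked_files'])}")
    print(f"ransom notes: {len(result['ransom_notes'])}")
    for path in result["locked_files"]:
        print(f"  {path} -> was {original_name(path)}")
```

Run it against the root of a suspect share; the per-directory counter tells you which parts of the tree were hit, and a folder that holds a note but no locked files suggests encryption was interrupted or the folder only held file types the ransomware skipped.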
What to do?
As Trigona operators rely on brute-force attacks, experts recommend that admins use passwords that cannot be guessed easily and change them regularly. They further recommend deploying security software, including firewalls, in front of database servers exposed to the internet to limit access by external entities.
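Beyond strong passwords and firewalling, the brute-force phase that opens this campaign is visible in the SQL Server ERRORLOG, which records each failed login (error 18456) together with the client address. The following is an added example, not code from the article or from AhnLab: a Python detector that parses those lines and flags any client that exceeds a threshold of failed logins within a sliding time window, the signature of a password-guessing run against the instance. The log lines below are constructed to match the ERRORLOG format; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server ERRORLOG "Login failed" line. The bracketed CLIENT field carries the
# source address of the attempt, which is what lets us group by attacker.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample ERRORLOG excerpt: one client hammering 'sa' and 'admin' in a
# few seconds, one unrelated single failure, and one non-logon line.
SAMPLE_ERRORLOG = [
    "2023-04-15 10:23:40.12 Logon       Error: 18456, Severity: 14, State: 8.",
    "2023-04-15 10:23:40.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]",
    "2023-04-15 10:23:41.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]",
    "2023-04-15 10:23:42.01 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]",
    "2023-04-15 10:23:43.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]",
    "2023-04-15 10:23:44.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]",
    "2023-04-15 10:23:45.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]",
    "2023-04-15 10:30:02.00 Logon       Login failed for user 'reportsvc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.14]",
    "2023-04-15 10:31:00.00 spid52      Starting up database 'tempdb'.",
]


def parse_failed_logins(lines):
    """Yield (timestamp, user, client) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield (
                datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                m.group("user"),
                m.group("client"),
            )


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: (peak_failures_in_window, sorted_usernames_tried)} for each
    client whose failed logins reach `threshold` inside any `window`-long span."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failed_logins(lines):
        by_client[client].append((ts, user))

    offenders = {}
    for client, events in by_client.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[client] = (peak, sorted({u for _, u in events}))
    return offenders


if __name__ == "__main__":
    for client, (count, users) in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{client}: {count} failed logins in window, users tried: {users}")
```

Feed it the ERRORLOG (or the equivalent lines forwarded to your SIEM) and alert on the returned clients; a hit against an internet-exposed instance is exactly the reconnaissance the article describes, and the list of usernames tried shows whether the attacker is guessing passwords for a known account or enumerating logins.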