A new cybercriminal campaign in which attackers break into poorly secured Microsoft SQL servers is distributing the FreeWorld ransomware. The researchers who analysed it track it as DB#JAMMER and note that it relies on a new toolset and infrastructure for its attack chain.
According to the reports, the threat actors gain initial access by brute-forcing login credentials for reachable MS SQL servers. Once authenticated, they enumerate the database and run operating-system shell commands through the compromised SQL Server instance to tamper with the host firewall.
The same access lets the attackers establish persistence on the host and connect to a remote SMB share from which they pull archives and malicious tooling, including Cobalt Strike.
From there the attackers deploy the AnyDesk remote-access software and use it to deliver the FreeWorld ransomware. The investigation also found the threat actors establishing persistent RDP access by tunnelling it through Ngrok.
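The initial-access step of the chain above, password guessing against SQL Server logins, leaves a distinctive trail in the SQL Server ERRORLOG: a burst of "Login failed for user" lines from one client address, often across several login names, followed by a "Login succeeded" line from the same address. The following is an added example written for this article, not code from the researchers or from the campaign. It parses a constructed sample of ERRORLOG lines in the default format (assumption: login auditing is set to record both failed and successful logins, otherwise the success lines are absent) and flags any client that exceeds a failure threshold inside a sliding window, noting whether that client later logged in successfully. The threshold, window and sample addresses are illustrative choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not taken from the campaign
# report). 192.0.2.10 hammers 'sa' and 'admin' and then gets in; 198.51.100.7
# is a single mistyped password from a legitimate user.
SAMPLE_LOG = """\
2023-08-30 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2023-08-30 10:15:02.40 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2023-08-30 10:15:03.11 Logon       Error: 18456, Severity: 14, State: 5.
2023-08-30 10:15:03.11 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 192.0.2.10]
2023-08-30 10:15:04.02 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2023-08-30 10:15:05.77 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:05.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2023-08-30 10:15:06.90 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:15:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2023-08-30 10:15:08.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]
2023-08-30 10:16:40.00 Logon       Error: 18456, Severity: 14, State: 8.
2023-08-30 10:16:40.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-08-30 10:16:55.00 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

# Matches the "Login failed/succeeded for user" lines; the separate
# "Error: 18456" lines carry no user or client address and are ignored.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_logon_events(text):
    """Return a list of (timestamp, result, user, client_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {client_ip: summary} for clients with at least `threshold`
    failed logins inside any `window`. The summary records how many
    failures the client produced in total, which login names it tried,
    and the first successful login that followed the burst, which is
    the initial-access signal worth paging on."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    failures = defaultdict(int)
    users = defaultdict(set)
    alerts = {}
    for ts, result, user, ip in sorted(events):
        if result == "failed":
            failures[ip] += 1
            users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": q[0], "success_after_burst": None}
        elif result == "succeeded" and ip in alerts:
            if alerts[ip]["success_after_burst"] is None:
                alerts[ip]["success_after_burst"] = (ts, user)
    for ip, summary in alerts.items():
        summary["failures"] = failures[ip]
        summary["users"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, summary in find_bruteforce(parse_logon_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

Run against the sample, only 192.0.2.10 is reported: six failures across two login names, with a successful 'sa' login a few seconds after the burst. The single failure from 198.51.100.7 stays below the threshold. The same logic applies to the Windows Application event log, where these logons arrive as MSSQLSERVER event 18456 with the same message text.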
Similarities noticed by the researchers suggest that FreeWorld is a variant of another well-known strain.
FreeWorld appears to be a variant of the Mimic ransomware, sharing its tactics, techniques and procedures (TTPs). One notable overlap is the abuse of the legitimate Everything[.]exe file-search utility to locate the files selected for encryption.
On execution the ransomware encrypts files on the host and appends the [.]FreeWorldEncryption extension to each encrypted file. It also drops a ransom note named FreeWorld-Contact[.]txt containing instructions for meeting the threat actors' demands.
Attacks on weakly secured SQL servers have increased significantly over the past few years. Another recent example is the Trigona ransomware operation, whose operators targeted poorly configured MS SQL servers to launch their payload.
Because the campaign relies on brute force for initial access, the researchers stress that organisations should enforce strong, hard-to-guess passwords for SQL Server logins. They also advise placing remote access to the service behind a legitimate VPN rather than exposing it directly, and reducing the attack surface of MS SQL services more generally, which limits what an attacker can do even if a login is guessed.
