Cyber Threat Actors Exploiting Vulnerable Microsoft SQL Servers for FreeWorld Ransomware Attacks

In a concerning development, threat actors have been observed targeting inadequately secured Microsoft SQL (MS SQL) servers to execute attacks involving the deployment of Cobalt Strike and a ransomware strain known as FreeWorld.

The cybersecurity firm Securonix has labeled this campaign as DB#JAMMER, noting its distinctiveness in terms of the toolset and infrastructure employed.

Security researchers provided a detailed insight into the campaign’s activities, stating, “Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld.”

The attack initiates by gaining initial access to the victim’s host through brute-force attacks on the MS SQL server.

Once inside, the attackers proceed to enumerate the database and exploit the xp_cmdshell configuration option to execute shell commands and gather reconnaissance information.

The subsequent stage involves disabling the system firewall and establishing persistence by connecting to a remote SMB share to transfer files to and from the compromised system. Malicious tools such as Cobalt Strike are also installed during this phase.

This series of actions ultimately enables the attackers to distribute AnyDesk software, a stepping stone towards the deployment of the FreeWorld ransomware.

However, before executing the ransomware, the attackers carry out lateral movement. They also attempted, unsuccessfully, to establish RDP persistence through Ngrok.

The researchers emphasized that the initial success of the attack was due to a brute force attack against the MS SQL server. This underscores the critical importance of implementing strong passwords, especially for publicly exposed services.
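The chain described above (a burst of failed MS SQL logins from one client, a subsequent successful login from that client, then xp_cmdshell being switched on) leaves a clear footprint in the SQL Server ERRORLOG. The following is an added detection sketch, not Securonix's tooling or any artifact from the DB#JAMMER report; the log lines are constructed in the ERRORLOG layout (timestamp, source, message), and the threshold, window and sample client addresses are assumptions.

```python
"""Detection sketch for the DB#JAMMER-style intrusion pattern:
brute-force login failures -> successful login from the same client
-> xp_cmdshell enabled. Added example; not Securonix's detection content.
Log lines below are constructed in SQL Server ERRORLOG layout."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article or any real incident).
SAMPLE_ERRORLOG = """\
2023-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:00:02.60 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:00:05.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 10:00:05.20 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 10:30:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '[^']*'.*\[CLIENT: ([^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '[^']*'.*\[CLIENT: ([^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def parse_errorlog(text):
    """Split ERRORLOG lines into {ts, source, msg} records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append({"ts": ts, "source": m.group(2), "msg": m.group(3)})
    return events


def _client(regex, msg):
    """Return the [CLIENT: ...] address matched by regex, or None."""
    m = regex.search(msg)
    return m.group(1) if m else None


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> peak failed logins inside any sliding `window`.
    Only clients at or above `threshold` are returned (brute-force candidates)."""
    times_by_client = defaultdict(list)
    for e in events:
        client = _client(FAIL_RE, e["msg"])
        if client:
            times_by_client[client].append(e["ts"])
    bursts = {}
    for client, times in times_by_client.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[client] = peak
    return bursts


def attack_chain(events, threshold=5):
    """For each brute-force candidate, check whether a login from that client
    later succeeded and whether xp_cmdshell was enabled after that success."""
    findings = []
    for client, count in failed_login_bursts(events, threshold).items():
        first_fail = min(e["ts"] for e in events if _client(FAIL_RE, e["msg"]) == client)
        success = next((e["ts"] for e in events
                        if _client(OK_RE, e["msg"]) == client and e["ts"] >= first_fail), None)
        xp_enabled = None
        if success is not None:
            xp_enabled = next((e["ts"] for e in events
                               if XP_RE.search(e["msg"]) and e["ts"] >= success), None)
        findings.append({
            "client": client,
            "failed_logins": count,
            "login_succeeded": success is not None,
            "xp_cmdshell_enabled": xp_enabled is not None,
        })
    return findings


if __name__ == "__main__":
    for finding in attack_chain(parse_errorlog(SAMPLE_ERRORLOG)):
        print(finding)
```

The single failure from 10.0.0.7 stays below the threshold and is not reported, while 203.0.113.5 is flagged with all three stages present. On a real host the same logic applies to the ERRORLOG files under the instance's LOG directory, or to the equivalent Windows Application log events, and the thresholds should be tuned to the environment's normal failure rate.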

This disclosure comes as the operators behind the Rhysida ransomware claim to have victimized 41 organizations, with over half of them situated in Europe. Rhysida, a relatively new ransomware strain that surfaced in May 2023, adopts the tactic of encrypting and exfiltrating sensitive data from organizations, threatening to leak the information unless a ransom is paid.

In related news, a free decryptor has been released for a ransomware strain known as Key Group, exploiting cryptographic vulnerabilities in the program.

However, it’s worth noting that this Python script is effective only on samples compiled after August 3, 2023.

The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. However, the salt was static and reused for every encryption run, which is a significant flaw in the encryption routine.
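The point of a salt is that it changes from run to run, so that the same secret never yields the same derived key twice. The following added example (generic illustration, not Key Group's code, and making no claim about that malware's actual key-derivation algorithm) contrasts a static salt with a fresh random one; the salt value, password and iteration count are constructed placeholders.

```python
"""Why a static salt defeats the purpose of salting: the derived key becomes
the same on every run. Added illustration; not the Key Group ransomware's code."""
import hashlib
import os

# Constructed placeholder; not the malware's real value.
STATIC_SALT = b"constructed-fixed-salt"
ITERATIONS = 50_000  # assumption for the example; real deployments tune this


def derive_key(password: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte output: the salt is the only per-run input."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)


def key_with_static_salt(password: bytes) -> bytes:
    """The flawed pattern: one hard-coded salt for every encryption run."""
    return derive_key(password, STATIC_SALT)


def key_with_random_salt(password: bytes) -> tuple:
    """The sound pattern: a fresh 16-byte salt per run, returned so it can be
    stored next to the ciphertext for later decryption."""
    salt = os.urandom(16)
    return salt, derive_key(password, salt)


def static_salt_is_deterministic(password: bytes = b"example-password") -> bool:
    """Two runs with the static salt produce byte-identical keys."""
    return key_with_static_salt(password) == key_with_static_salt(password)


def random_salt_differs(password: bytes = b"example-password") -> bool:
    """Two runs with random salts produce different salts and different keys,
    even though the password is unchanged."""
    salt1, key1 = key_with_random_salt(password)
    salt2, key2 = key_with_random_salt(password)
    return salt1 != salt2 and key1 != key2


def random_salt_is_recoverable(password: bytes = b"example-password") -> bool:
    """Storing the salt with the ciphertext is enough to re-derive the key."""
    salt, key = key_with_random_salt(password)
    return derive_key(password, salt) == key


if __name__ == "__main__":
    print("static salt deterministic:", static_salt_is_deterministic())
    print("random salt differs:      ", random_salt_differs())
    print("random salt recoverable:  ", random_salt_is_recoverable())
```

With the static salt, every run of the routine derives the same key from the same secret, so the "salt" adds nothing that an analyst could not reproduce; with a per-run random salt stored beside the ciphertext, the legitimate decryption path still works but each run's key is distinct.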

The year 2023 has witnessed a significant surge in ransomware attacks, following a comparatively quieter 2022. Interestingly, the percentage of incidents resulting in victims paying ransoms has decreased to a record low of 34%, as reported by Coveware in July 2023. However, the average ransom amount paid has skyrocketed, rising by 126% from Q1 2023 to reach $740,144.

These fluctuations in ransomware monetization rates have coincided with ransomware threat actors evolving their extortion tactics, including sharing details of their attack techniques to demonstrate why victims do not qualify for cyber insurance payouts.