
Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

As a result of this attack, actors gain control over the infected computer, can access shared files, and can deploy harmful tools such as Cobalt Strike.
Cybercriminals are taking advantage of vulnerable Microsoft SQL (MS SQL) servers to distribute both Cobalt Strike and a ransomware variant known as FreeWorld. This campaign, named DB#JAMMER by cybersecurity firm Securonix, is notable for its unique use of tools and infrastructure. 

The ransomware is called "FreeWorld" because of several distinctive characteristics: the files it encrypts have names that include the word "FreeWorld", the ransom note it leaves behind with payment instructions is named FreeWorld-Contact.txt, and encrypted files receive the extension ".FreeWorldEncryption".

Securonix's investigation reveals that the campaign typically starts with attackers brute-forcing access to exposed MSSQL databases. Once inside, they expand their control over the target system, using MSSQL as a launching point for various malicious payloads. These payloads include remote-access Trojans (RATs). 

"Some of these tools include enumeration software, RAT payloads, exploitation and credential-stealing software, and finally ransomware payloads. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. 

As a result, they gain control over the infected computer and can access shared files and deploy harmful tools like Cobalt Strike. This sets the stage for installing AnyDesk software, which is used to spread the FreeWorld ransomware. Sometimes, the attackers also try to establish persistence using Ngrok for remote desktop access. 

"The attack initially succeeded as a result of a brute force attack against a MS SQL server. It is important to emphasize the importance of strong passwords, especially on publicly exposed services," the researchers added. Vulnerable SQL servers remain a prime target for attackers. 
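A defender-side detection sketch for the two observable parts of the chain described above, the brute-force phase against MSSQL and the FreeWorld artefacts: this is added example code, not Securonix's or the article's, run over constructed SQL Server ERRORLOG lines and a constructed file listing. It assumes the standard "Login failed for user ... [CLIENT: ...]" log format; the client addresses and timestamps are sample values.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample SQL Server ERRORLOG lines (not from the article): a burst of
# failed 'sa' logins from one client, the trace a password brute force leaves.
SAMPLE_ERRORLOG = """\
2023-09-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-01 10:00:02.05 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-09-01 10:05:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
LOGIN_FAILED = re.compile(r"^(?P<ts>\S+ \S+) Logon\s+Login failed for user "
                          r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def failed_logins(errorlog: str) -> list:
    """Return (timestamp, user, client) for every failed-login line."""
    events = []
    for line in errorlog.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FORMAT),
                           m.group("user"), m.group("client")))
    return events

def brute_force_suspects(errorlog: str, threshold: int = 3,
                         window_seconds: int = 60) -> dict:
    """client -> total failures, for clients with >= threshold failures in any window_seconds span."""
    per_client = defaultdict(list)
    for ts, _user, client in failed_logins(errorlog):
        per_client[client].append(ts)
    suspects = {}
    for client, times in per_client.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                suspects[client] = len(times)
                break
    return suspects
# Post-encryption artefacts the article attributes to FreeWorld.
RANSOM_NOTE = "FreeWorld-Contact.txt"
ENCRYPTED_EXT = ".FreeWorldEncryption"
def freeworld_indicators(paths) -> dict:
    """Split a file listing (Windows or POSIX paths) into FreeWorld ransom notes and encrypted files."""
    name = lambda p: p.replace("\\", "/").rsplit("/", 1)[-1]
    return {"notes": [p for p in paths if name(p) == RANSOM_NOTE],
            "encrypted": [p for p in paths if p.endswith(ENCRYPTED_EXT)]}
```

A single stray failed login from an internal host is ignored by the window logic; the burst from the external client is what gets flagged.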

As seen in recent reports, Palo Alto Networks' Unit 42 noted a substantial 174% increase in ransomware attacks by the TargetCompany group, with a specific focus on exploiting vulnerable SQL servers worldwide. In a separate incident, actors associated with the Trigona ransomware targeted poorly configured MS SQL servers to execute their ransomware attacks.