
Threat Actors Exploit SQL Servers to Deploy FreeWorld Ransomware

Threat actors are exploiting vulnerable Microsoft SQL servers, deploying Cobalt Strike and a ransomware strain named FreeWorld. 

According to cybersecurity firm Securonix, the campaign is notable for the way its infrastructure and toolkit are used. The firm has named the campaign DB#JAMMER.

"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads[…]The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," say security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a technical breakdown of the activity.

The attackers first gain access to the victim host by brute-forcing the MS SQL server login, enumerating the database, and abusing the xp_cmdshell configuration option to execute shell commands and conduct reconnaissance.

Next, they disable the system firewall in order to establish persistence and install malicious software such as Cobalt Strike, connecting to a remote SMB share to transfer files to and from the targeted system.

This in turn opens the door to the eventual distribution of the FreeWorld ransomware via the AnyDesk remote-access software, but only after a lateral movement phase. The unidentified attackers also tried, unsuccessfully, to use Ngrok to establish RDP persistence.

The researchers concluded, "The attack initially succeeded as a result of a brute force attack against a MS SQL server[…]It's important to emphasize the importance of strong passwords, especially on publicly exposed services."

According to figures released by Coveware in July 2023, the year has seen a record-breaking increase in ransomware attacks following a lull in 2022, even though the proportion of incidents that ended with the victim paying has fallen to a record low of 34%.

The report also noted that the average ransom payment has reached $740,144, a 126% change from Q1 2023.

These shifts in monetization rates have coincided with changes in the extortion tradecraft of ransomware threat actors, who now disclose specifics of their attack methods in an effort to show that victims are ineligible for a cyber insurance claim.

"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Cybercriminals are taking advantage of vulnerable Microsoft SQL (MS SQL) servers to distribute both Cobalt Strike and a ransomware variant known as FreeWorld. This campaign, named DB#JAMMER by cybersecurity firm Securonix, is notable for its unique use of tools and infrastructure. 

The ransomware is called "FreeWorld" because of several distinctive markers: the files it encrypts carry names that include the word "FreeWorld"; after locking files it drops a ransom note named FreeWorld-Contact.txt with payment instructions; and encrypted files are given the extension ".FreeWorldEncryption."

Securonix's investigation reveals that the campaign typically starts with attackers brute-forcing access to exposed MSSQL databases. Once inside, they expand their control over the target system, using MSSQL as a launching point for various malicious payloads. These payloads include remote-access Trojans (RATs). 

"Some of these tools include enumeration software, RAT payloads, exploitation and credential-stealing software, and finally ransomware payloads. The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity. 

From that foothold, the attackers gain control of the infected host, reach shared files, and deploy tools such as Cobalt Strike. This sets the stage for installing AnyDesk, which is then used to distribute the FreeWorld ransomware. In some cases the attackers also try to establish persistence by using Ngrok to expose remote desktop access.

"The attack initially succeeded as a result of a brute force attack against a MS SQL server. It is important to emphasize the importance of strong passwords, especially on publicly exposed services," the researchers added. Vulnerable SQL servers remain a prime target for attackers. 
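Both posts above describe the same opening sequence: a brute-forced MS SQL login followed by xp_cmdshell being switched on for command execution. The script below is an added detection example, not code from Securonix or either article; it parses a constructed SQL Server ERRORLOG excerpt (the log line formats are SQL Server's own, the IPs and timestamps are made up) and correlates a burst of failed logins from one client IP with xp_cmdshell being enabled shortly afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (not a real capture): a burst of failed
# 'sa' logins from one client IP, then xp_cmdshell being switched on via sp_configure.
SAMPLE_ERRORLOG = """\
2023-08-20 03:12:01.10 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-20 03:12:01.31 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-20 03:12:01.52 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-20 03:12:01.73 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-08-20 03:14:40.05 spid58 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-20 09:00:00.00 Logon  Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+\S+\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def detect_db_jammer_chain(log_text, threshold=4, window=timedelta(minutes=1),
                           follow_up=timedelta(minutes=30)):
    """Alert on a burst of failed logins from one client IP, and on xp_cmdshell
    being enabled within `follow_up` of that burst (DB#JAMMER's opening stages)."""
    failures = defaultdict(list)   # client IP -> timestamps of failed logins
    enables = []                   # timestamps at which xp_cmdshell was turned on
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip continuation or malformed lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        fail = FAIL_RE.search(m.group(2))
        if fail:
            failures[fail.group(2)].append(ts)
        elif XPCMD_RE.search(m.group(2)):
            enables.append(ts)
    alerts = []
    for client, times in failures.items():
        times.sort()
        start = 0                  # left edge of the sliding time window
        for i, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if i - start + 1 == threshold:   # fire once, when the burst first qualifies
                alerts.append({"type": "brute_force", "client": client,
                               "count": threshold, "last_seen": ts})
                for en in enables:           # stage two: xp_cmdshell enabled soon after
                    if ts <= en <= ts + follow_up:
                        alerts.append({"type": "xp_cmdshell_after_brute_force",
                                       "client": client, "enabled_at": en})
    return alerts
```

On a real server the same logic can be run over `xp_readerrorlog` output or the ERRORLOG file; the single failed login from 10.0.0.5 stays below the threshold and produces no alert.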

As seen in recent reports, Palo Alto Networks' Unit 42 noted a substantial 174% increase in ransomware attacks by the TargetCompany group, with a specific focus on exploiting vulnerable SQL servers worldwide. In a separate incident, actors associated with the Trigona ransomware targeted poorly configured MS SQL servers to execute their ransomware attacks.