FreeWorld Ransomware Deployed via Targeted Microsoft SQL Server Attacks

Written by Gabby Lee

September 2, 2023

FreeWorld Ransomware Deployed via Targeted Microsoft SQL Server Attacks

A new campaign dubbed DB#JAMMER has come to light where threat actors are targeting vulnerable Microsoft SQL (MS SQL) servers, capitalizing on lax security measures to execute a multi-faceted attack. This campaign is notable not only for its malicious intent but also for the sophistication of its toolset and infrastructure deployment.

Researchers from the cybersecurity firm Securonix, namely Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, shed light on the intricacies of this operation.

The attackers employ a range of tools, including enumeration software, Remote Access Trojan (RAT) payloads, exploit kits, credential-stealing software, and ransomware payloads. Their weapon of choice in the ransomware category appears to be a variant of Mimic ransomware known as FreeWorld.

The attack unfolds in a series of well-coordinated steps. Initial access is gained through brute-force attacks on MS SQL servers. Once inside, the attackers enumerate the database and utilize the xp_cmdshell configuration option to execute shell commands and gather reconnaissance data.

Subsequently, they impair the system firewall and establish persistence by connecting to a remote SMB share to transfer files and install malicious tools, such as Cobalt Strike.

This sets the stage for the distribution of AnyDesk software, a remote desktop application often misused by attackers for unauthorized access.

Ultimately, the attackers deploy the FreeWorld ransomware, but not before executing lateral movement within the compromised network. Notably, they also attempted, albeit unsuccessfully, to establish RDP persistence through Ngrok.

The researchers underscore the critical importance of robust password security, especially for services exposed to the public.

In the broader context of ransomware threats, the emergence of the Rhysida ransomware in May 2023 has drawn attention. Rhysida adopts a concerning tactic of encrypting and exfiltrating sensitive data from organizations, leveraging the threat of data leaks to compel victims to pay. Notably, this campaign has claimed 41 victims, with over half located in Europe.

Additionally, a free decryptor has been released for the Key Group ransomware due to multiple cryptographic errors in the program. However, this Python script is only effective on samples compiled after August 3, 2023.

Dutch cybersecurity company EclecticIQ has shed light on the encryption technique employed by Key Group, highlighting the presence of a static salt, a notable flaw in the encryption routine.

The year 2023 has witnessed a concerning surge in ransomware attacks, following a relative lull in 2022. However, the percentage of incidents resulting in ransom payment has decreased significantly, standing at a record low of 34%, according to statistics from Coveware in July 2023. Paradoxically, the average ransom amount paid has surged, reaching $740,144, marking a 126% increase from Q1 2023.

As ransomware threat actors continue to refine their extortion methods, including sharing details of their attack techniques, the landscape of cyber threats remains dynamic and challenging. Insurers are now faced with the task of assessing coverage for ransomware-related incidents in this evolving threat landscape.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!