Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.
Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure are employed.
“Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity.
“The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld.”
Initial access to the victim host is achieved by brute-forcing the MS SQL server, using it to enumerate the database and leveraging the xp_cmdshell configuration option to run shell commands and conduct reconnaissance.
The next stage involves taking steps to impair the system firewall and establish persistence by connecting to a remote SMB share to transfer files to and from the victim system, as well as to install malicious tools such as Cobalt Strike.
This, in turn, paves the way for the distribution of AnyDesk software to ultimately push FreeWorld ransomware, but not before carrying out a lateral movement step. The unknown attackers are also said to have unsuccessfully attempted to establish RDP persistence through Ngrok.
“The attack initially succeeded as a result of a brute force attack against an MS SQL server,” the researchers said. “It is important to emphasize the importance of strong passwords, especially on publicly exposed services.”
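The two footholds described above, a brute-forced SQL login followed by xp_cmdshell, can both be checked from the database side. The T-SQL below is an added example, not code from the Securonix report; it assumes a sysadmin connection and the default login auditing setting (failed logins written to the SQL Server error log), and the failure threshold of 50 is an arbitrary constructed value.

```sql
-- Added example (not from the report): defender-side checks on an MS SQL instance.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means SQL logins with the right
--    permissions can run OS shell commands through the database engine.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Disable it unless something legitimately depends on it. 'show advanced
--    options' must be on to change it; switch it back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Look for the brute-force phase in the current error log: bursts of
--    "Login failed" entries, grouped by the [CLIENT: <addr>] tag in each line.
CREATE TABLE #log (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #log
EXEC xp_readerrorlog 0, 1, N'Login failed';   -- log 0 = current, type 1 = SQL Server log

SELECT client,
       COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM (
    SELECT LogDate,
           -- '[CLIENT: ' is 9 characters; extract the text up to the closing ']'
           SUBSTRING([Text], CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                     - CHARINDEX('[CLIENT: ', [Text]) - 9) AS client
    FROM #log
    WHERE CHARINDEX('[CLIENT: ', [Text]) > 0
) AS f
GROUP BY client
HAVING COUNT(*) >= 50          -- constructed threshold; tune to the environment
ORDER BY failures DESC;

DROP TABLE #log;
```

Any client address that shows up with hundreds of failures in a short window is the signal the researchers describe; the same check belongs in scheduled monitoring rather than a one-off query.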
The disclosure comes as the operators of the Rhysida ransomware have claimed 41 victims, with more than half of them located in Europe.
Rhysida is one of the nascent ransomware strains that emerged in May 2023, adopting the increasingly popular tactic of encrypting and exfiltrating sensitive data from organizations and threatening to leak the information if the victims refuse to pay.
It also follows the release of a free decryptor for a ransomware strain called Key Group that takes advantage of multiple cryptographic errors in the program. The Python script, however, only works on samples compiled after August 3, 2023.
“Key Group ransomware uses a base64 encoded static key N0dQM0I1JCM= to encrypt victims’ data,” Dutch cybersecurity company EclecticIQ said in a report released Thursday.
“The threat actor tried to increase the randomness of the encrypted data by using a cryptographic technique called salting. The salt was static and used for every encryption process, which poses a significant flaw in the encryption routine.”
2023 has witnessed a record surge in ransomware attacks following a lull in 2022, even as the percentage of incidents that resulted in the victim paying has fallen to a record low of 34%, according to statistics shared by Coveware in July 2023.
The average ransom amount paid, on the other hand, has hit $740,144, up 126% from Q1 2023.
The fluctuations in monetization rates have been accompanied by ransomware threat actors continuing to evolve their extortion tradecraft, including sharing details of their attack methods to show why the victims aren’t eligible for a cyber insurance payout.
“Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance,” Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.