Threat actors are compromising poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld.
The campaign, which the cybersecurity company Securonix has named DB#JAMMER, is notable for the way its infrastructure and toolkit are used, according to the firm.
Security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov provided a technical breakdown of the activity. “Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads,” they said.
The ransomware payload of choice appears to be a newer variant of the Mimic ransomware called FreeWorld.
Initial access to the victim host is obtained by brute-forcing the MS SQL server. The attacker then enumerates the database and abuses the xp_cmdshell configuration option (disabled by default, so it has to be switched on first) to run shell commands and perform reconnaissance.
The next stage entails taking steps to impair the system firewall, establish persistence, and stage malicious tooling such as Cobalt Strike by connecting to a remote SMB share to transfer files to and from the victim machine.
This, in turn, paves the way for deploying the AnyDesk remote desktop software, which is then used to deliver the FreeWorld ransomware after a lateral movement phase. The unidentified attackers are also said to have tried, without success, to establish RDP persistence through Ngrok.
The researchers said that the brute-force attack against the MS SQL server was what gave the intrusion its initial foothold, and stressed that strong passwords are essential, especially for services exposed to the public internet.
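The opening moves of the chain described above (a burst of failed SQL logons, a success from the same client, then xp_cmdshell being enabled) all leave traces in the SQL Server ERRORLOG. The following is an added detection example, not Securonix's tooling and not code from the report: it parses constructed ERRORLOG lines in the layout SQL Server actually writes (timestamp, source, message) and raises alerts for each stage. The sample lines, the threshold and the RFC 5737 addresses are assumptions for the demonstration.

```python
"""Spot a DB#JAMMER-style opening in SQL Server ERRORLOG lines.

Added example; this is not Securonix's tooling. The log lines are constructed
in the layout SQL Server writes to ERRORLOG (timestamp, source, message) and
use RFC 5737 documentation addresses. Successful logons only appear in the
log when login auditing is set to record successes as well as failures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failed 'sa' logons from one client, a success
# from the same client, then xp_cmdshell being switched on. Not a real capture.
SAMPLE_ERRORLOG = """\
2023-09-01 10:12:03.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:12:03.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:12:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:12:03.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:12:04.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:12:04.26 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 10:12:05.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 10:20:11.02 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 10:20:11.09 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 11:00:00.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<src>\S+)\s+(?P<msg>.*)$")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
CMDSHELL_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")


def analyze(errorlog, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for (1) >= threshold failed logons from one client inside a
    sliding window, (2) a successful logon from a client already flagged, and
    (3) xp_cmdshell being enabled."""
    failures = defaultdict(list)  # client IP -> timestamps of recent failures
    flagged = set()               # clients already reported as brute-forcing
    alerts = []
    for line in errorlog.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines and banners carry no timestamp
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        src, msg = m["src"], m["msg"]
        if f := FAILED_RE.search(msg):
            recent = failures[f["ip"]]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.pop(0)  # forget failures that fell out of the window
            if len(recent) >= threshold and f["ip"] not in flagged:
                flagged.add(f["ip"])
                alerts.append({"kind": "brute_force", "ip": f["ip"], "user": f["user"],
                               "count": len(recent), "ts": ts})
        elif s := SUCCESS_RE.search(msg):
            if s["ip"] in flagged:  # the guessing eventually worked
                alerts.append({"kind": "brute_force_success", "ip": s["ip"],
                               "user": s["user"], "ts": ts})
        elif c := CMDSHELL_RE.search(msg):
            if c["new"] == "1":  # off by default; turning it on is a strong signal
                alerts.append({"kind": "xp_cmdshell_enabled", "spid": src, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ERRORLOG):
        print(alert)
```

Feed it a real ERRORLOG (for example the contents of `ERRORLOG` under the instance's `Log` directory) and tune `threshold` and `window` to the instance's normal failure rate; a single `xp_cmdshell_enabled` alert on a server where nobody is supposed to use it is worth a ticket on its own, regardless of what the logon counters say.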
The disclosure comes as the operators of the Rhysida ransomware have claimed 41 victims, more than half of them in Europe.
Rhysida is one of the newer ransomware strains, having first appeared in May 2023. It follows the increasingly common double-extortion model: it steals and encrypts sensitive data from businesses and threatens to publish it unless the victims pay.
The news also follows the release of a free decryptor for a ransomware strain known as Key Group, which exploits a number of cryptographic flaws in the malware. The Python script, however, only works with samples created after August 3, 2023.
According to a report published on Thursday by the Dutch cybersecurity firm EclecticIQ, the Key Group ransomware encrypts victims' data using a static, base64-encoded key, N0dQM0I1JCM=.
“The threat actor used a cryptographic method known as salting to try to increase the randomness of the encrypted data. This creates a serious weakness in the encryption procedure because the salt was static and used in every encryption step,” EclecticIQ said.
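The flaw EclecticIQ describes is easiest to see in code: if both the key material and the salt never change, key derivation produces the same key for every victim, and whoever knows those two constants can build a decryptor that works everywhere. The block below is an added illustration, not Key Group's code and not EclecticIQ's decryptor. Only the base64 key string is taken from the report; the salt value, the victim files and the cipher itself (PBKDF2 feeding an HMAC-SHA256 counter-mode keystream, chosen so the example runs on the standard library alone) are assumed stand-ins for whatever the malware really uses.

```python
"""Why a static key plus a static salt hands every victim the same decryptor.

Added illustration; this is not Key Group's code or EclecticIQ's decryptor.
Only the base64 key string comes from the report. The cipher here (PBKDF2 key
derivation feeding an HMAC-SHA256 counter-mode keystream) is an assumed
stand-in so the example runs on the standard library alone.
"""
import base64
import hashlib
import hmac
import os

STATIC_KEY = base64.b64decode("N0dQM0I1JCM=")   # key string reported by EclecticIQ
STATIC_SALT = b"constructed-static-salt"       # assumption: the fixed salt the report describes


def derive_key(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2: the same secret and salt always yield the same 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 10_000, dklen=32)


def xor_keystream(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256; XOR is its own inverse."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext: bytes, salt: bytes) -> bytes:
    """Output layout: 16-byte random nonce || keystream-XORed data."""
    nonce = os.urandom(16)
    return nonce + xor_keystream(plaintext, derive_key(STATIC_KEY, salt), nonce)


def decrypt_file(blob: bytes, salt: bytes) -> bytes:
    return xor_keystream(blob[16:], derive_key(STATIC_KEY, salt), blob[:16])


def public_decryptor(blob: bytes) -> bytes:
    """All a free decryptor needs when neither the key nor the salt ever changes."""
    return decrypt_file(blob, STATIC_SALT)


def demo() -> dict:
    # Constructed victim files; not real data.
    victims = {"victim-a": b"ledger.xlsx: Q2 receivables", "victim-b": b"hr.db: payroll export"}
    # Weak scheme (static salt): every victim's files end up under one derived key.
    weak = {n: encrypt_file(p, STATIC_SALT) for n, p in victims.items()}
    # Per-victim random value the decryptor cannot learn: the same decryptor yields garbage.
    salted = {n: encrypt_file(p, os.urandom(16)) for n, p in victims.items()}
    return {
        "weak_recovered": {n: public_decryptor(c) for n, c in weak.items()} == victims,
        "salted_recovered": {n: public_decryptor(c) for n, c in salted.items()} == victims,
    }


if __name__ == "__main__":
    print(demo())
```

The contrast in `demo` is deliberately narrow: the only thing that breaks the public decryptor is a per-victim secret the decryptor cannot obtain. A salt stored next to the ciphertext would not help the attacker, since the decryptor could simply read it back; a real fix from the operator's side would be a per-victim random key wrapped under a key only the operator holds, which is exactly the property a static key and static salt throw away.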
According to figures released by Coveware in July 2023, ransomware attacks hit a record high in 2023 following a lull in 2022, even as the proportion of incidents that ended with the victim paying fell to a record low of 34%.
On the other hand, the average ransom payment rose 126% from Q1 2023 to $740,144.
Ransomware actors have been evolving their extortion tradecraft in step with these shifts in monetization rates, going as far as disclosing specifics of their attack methods to argue that victims should be ineligible for a cyber insurance claim.
In a message published last month on X (previously Twitter), security researcher Brett Callow from Emsisoft stated that “Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance.”