According to cybersecurity firm Securonix, threat actors are using poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain known as FreeWorld.

The campaign, named DB#JAMMER, is notable for its use of various tools and infrastructure, including enumeration software, RAT payloads, exploitation and credential-stealing software, and ransomware payloads.

The preferred ransomware payload is a newer variant of Mimic ransomware called FreeWorld.

The attackers gain initial access to the victim host by brute-forcing the MS SQL server and then use it to enumerate the database and run shell commands.

They also impair the system firewall, establish persistence by connecting to a remote SMB share, and install malicious tools such as Cobalt Strike.

Ultimately, they distribute AnyDesk software before pushing the FreeWorld ransomware.
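The brute-force phase that opens the chain above leaves a trail in SQL Server's own ERRORLOG. The script below is an added example, not from the Securonix report or this article: it parses constructed sample lines in the standard "Login failed for user ... [CLIENT: ip]" format, flags a client that accumulates failed logins within a short window, and raises a second alert if that same client then logs in successfully (the pattern a password-guessing attack produces once it lands).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries in SQL Server ERRORLOG style (not from any real server).
SAMPLE_LOG = """\
2023-08-30 10:15:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:01.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:02.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-30 10:15:03.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-08-30 11:40:12.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2023-08-30 12:02:45.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Timestamp, outcome, login name and client address from one ERRORLOG logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Logon\s+Login (?P<result>failed|succeeded) for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")

def parse_line(line):
    """Return (timestamp, result, user, client) or None for non-logon lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("result"), m.group("user"), m.group("client")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert once per client reaching `threshold` failures inside a sliding window,
    and again if a flagged client later succeeds (guessing that worked)."""
    alerts = []
    recent = defaultdict(deque)   # client -> timestamps of failures still in window
    flagged = set()
    window = timedelta(seconds=window_seconds)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, client = rec
        if result == "failed":
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("bruteforce", client, user, len(q)))
        elif result == "succeeded" and client in flagged:
            alerts.append(("success_after_bruteforce", client, user, 0))
    return alerts
```

The two slow failures from 10.0.0.7 fall outside the window and produce no alert; thresholds and window length should be tuned to the server's normal authentication noise.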

The attack’s success underscores the importance of strong passwords, particularly for publicly exposed services such as internet-facing MS SQL servers.

In related news, the Rhysida ransomware operators have claimed 41 victims, with more than half located in Europe.

Rhysida encrypts and exfiltrates sensitive data, threatening to leak it if the victim refuses to pay.

A free decryptor for another ransomware strain called Key Group has been released, taking advantage of cryptographic errors in the program.

However, the decryptor only works on samples compiled after August 3, 2023.

Ransomware attacks have surged in 2023, with a record-low percentage of victims paying but a significant increase in the average ransom amount.
Ransomware threat actors are also evolving their extortion tactics, sharing attack details in order to challenge cyber insurance coverage for non-paying victims.

The encryption routine used by Key Group ransomware is flawed because it uses the same static salt for every encryption run, which is what makes the decryptor possible.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.