Threat Actors Exploit MS SQL Servers to Deploy FreeWorld Ransomware

Attack chain

• The initial access to the victim host is achieved by brute-forcing MS SQL servers. 
• Once exploited, the attackers begin enumerating the database and running shell commands to damage the system firewall. 
• Consequently, this enables them to establish persistence on the host and connect to a remote SMB share to transfer files, as well as malicious tools such as Cobalt Strike.
• This, in turn, paves the way for the distribution of AnyDesk software deployment through which FreeWorld ransomware is deployed.
• In some cases, the attackers attempt to establish RDP persistence through Ngrok. 

About FreeWorld ransomware

• FreeWorld ransomware appears to be a variant of the Mimic ransomware as it follows similar TTPs. One of the similarities is the use of a legitimate application called Everything.exe to query and locate target files to be encrypted. 
• Upon execution, the ransomware encrypts the victim host and uses the.FreeWorldEncryption extension to append the encrypted files. 
• After that, it creates a text file named ‘FreeWorld-Contact.txt’ with instructions on how to pay the ransom.

Vulnerable SQL servers continue to attract attackers

• Palo Alto Network’s Unit 42 revealed that the TargetCompany group showed a 174% increase in ransomware activity that exploited vulnerable SQL servers worldwide. 
• In a separate incident, Trigona ransomware actors targeted weakly configured MS SQL servers to deploy the ransomware.

Conclusion