Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Threat actors are breaking into poorly secured Microsoft SQL servers and using that access to deploy Cobalt Strike and a ransomware strain called FreeWorld.

Securonix, which tracks the campaign as DB#JAMMER, says it stands out for the tooling and infrastructure the attackers use.

“The hackers use programs to look around the system, put in remote access tools, steal logins, and finally ransomware,” researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov explained.

“The ransomware they like to use is a new version of Mimic ransomware called FreeWorld.”

Initial access comes from guessing the password of an internet-exposed Microsoft SQL server. Once in, the attackers enumerate the database and enable xp_cmdshell, a SQL Server extended stored procedure that runs operating-system commands, to reach the host and continue reconnaissance.

Next they change the host's firewall settings and establish persistence so their tools survive a reboot. They mount a remote network share to move files onto the machine and install payloads, including Cobalt Strike.

They then attempt lateral movement to other systems before installing the AnyDesk remote-access software, which is used to push the FreeWorld ransomware. An attempt to expose Remote Desktop (RDP) through an Ngrok tunnel failed.

“The attack worked because they guessed the password for a Microsoft SQL server,” the researchers said. “This shows why strong passwords are important, especially on systems open to the public.”
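The two conditions the campaign depends on, a guessable SQL login on an exposed instance and xp_cmdshell being enabled, can both be checked from inside SQL Server. The T-SQL below is an added example written for this article; it is not code from the Securonix report or from the ransomware operators, and it assumes the caller has sysadmin rights (sp_configure requires ALTER SETTINGS).

```sql
-- Added example (not from the article or Securonix): audit the weaknesses
-- DB#JAMMER relies on and turn xp_cmdshell back off. Run as sysadmin.

-- 1. Does the instance accept password-based SQL logins at all?
--    1 = Windows authentication only, 0 = mixed mode (SQL logins allowed).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Which SQL logins exist, and do they enforce the Windows password policy?
--    Enabled logins with is_policy_checked = 0 are the guessable ones.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
ORDER BY name;

-- 3. Current state of xp_cmdshell; value_in_use = 1 means it is enabled.
--    It is off by default, so 1 on a production instance deserves a look.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 4. Failed logins in the current error log (log 0, SQL Server log type 1).
--    A burst of these from one address is the password-guessing phase.
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- 5. Disable xp_cmdshell if step 3 showed it enabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Disabling xp_cmdshell is only a speed bump: a login with sysadmin rights can re-enable it with the same sp_configure call, which is exactly what happened here. The durable fixes are the ones the researchers name, strong (policy-checked) passwords on any login reachable from the internet, plus alerting when the xp_cmdshell configuration value changes.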

This news comes as the hackers behind the Rhysida ransomware say they have hit 41 victims. More than half are in Europe.

Rhysida is a new ransomware that started in May 2023. It encrypts and steals sensitive data, and threatens to leak it if the victim doesn’t pay.

Separately, a free decryptor for Key Group ransomware has been released. It exploits flaws in the malware's encryption, but the Python tool only works on samples compiled after August 3, 2023.

“Key Group ransomware uses a static base64 encoded key to encrypt data,” researchers at EclecticIQ said.

“The hackers tried to make the encrypted data more random using a technique called salting. But the salt was static and used for every encryption, which is a major weakness.”

2023 has seen a record number of ransomware attacks after a drop in 2022. But only 34% of victims pay now, a record low, according to Coveware in July 2023.

At the same time, the average ransom payment has risen to $740,144, 126% higher than in early 2023.

Ransomware operators also keep refining how they pressure victims, for example by publishing details of how the intrusion happened so that the victim's insurer has grounds to refuse coverage.

“Snatch says they will release attack details for non-paying victims, hoping insurers won’t cover it,” researcher Brett Callow said.
