

Microsoft SQL Server Breach Campaign Unleashes Cobalt Strike and FreeWorld Ransomware

Hackers have adopted a new strategy to compromise Microsoft SQL servers, using them as a conduit for delivering both Cobalt Strike and a ransomware strain known as FreeWorld. According to a recent report by cybersecurity researchers at Securonix, the unknown threat actors are employing a multifaceted approach to infiltrate vulnerable MS SQL servers.

The attackers commence by employing brute-force techniques in their attempts to breach MS SQL servers with inadequate protection. Once they successfully gain access, they initiate a sequence of actions, including the deployment of a Cobalt Strike beacon, lateral movement across the target network and endpoints, and ultimately, the introduction of the FreeWorld ransomware.

FreeWorld appears to be a variant of the previously identified encryptor called Mimic. Although the campaign’s ultimate objectives, such as stealing sensitive data and encrypting endpoints, remain consistent with typical ransomware attacks, the hackers exhibit a distinctive approach by utilizing an array of tools and infrastructure. Securonix elaborated on these tools, noting that they encompass enumeration software, RAT payloads, exploitation and credential-stealing software, and culminate in the deployment of ransomware payloads.

Researchers emphasize that the success of this campaign hinges entirely on the strength of the password securing an MS SQL server. They concluded that “the importance of strong passwords, especially on publicly exposed services,” cannot be overstated. Ultimately, it is the servers with weak passwords that fall victim to compromise.
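Because the initial access described above is password guessing against SQL logins, the server's own login audit trail is where it shows up first. The following is an added example, not taken from the Securonix report: it assumes SQL Server login auditing records both failed and successful logins in the error log, and the threshold, window, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches SQL Server error-log login audit lines (failed and succeeded).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside `window`, and
    record any login that later succeeds from a flagged client."""
    failures = defaultdict(list)  # client -> timestamps of recent failures
    findings = {}                 # client -> users that logged in after a burst
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["client"]
        if m["result"] == "failed":
            recent = [t for t in failures[client] if ts - t <= window]
            recent.append(ts)
            failures[client] = recent
            if len(recent) >= threshold:
                findings.setdefault(client, [])
        elif client in findings:
            # Success after a burst: the guess may have worked; triage first.
            findings[client].append(m["user"])
    return findings

def sample_log():
    """Constructed sample lines (threshold and addresses are illustrative)."""
    fail = ("2023-09-01 03:10:0{}.10 Logon       Login failed for user '{}'. "
            "Reason: Password did not match that for the login provided. "
            "[CLIENT: {}]")
    ok = ("2023-09-01 03:10:1{}.10 Logon       Login succeeded for user '{}'. "
          "Connection made using SQL Server authentication. [CLIENT: {}]")
    lines = [fail.format(s, "sa", "203.0.113.7") for s in range(1, 7)]
    lines.append(fail.format(8, "app_user", "10.0.0.20"))  # one benign typo
    lines.append(ok.format(0, "app_user", "10.0.0.20"))
    lines.append(ok.format(2, "sa", "203.0.113.7"))        # success after burst
    return lines

if __name__ == "__main__":
    for client, users in detect_bruteforce(sample_log()).items():
        print(client, "burst of failed logins; later succeeded as:", users)
```

A client that appears in the result with a non-empty user list is the case to escalate: a run of failures followed by a successful login from the same address.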

Ransomware continues to be a prevalent form of cybercrime. After a relatively calm 2022, this year has witnessed a surge in ransomware attacks, as highlighted by data from Coveware. Simultaneously, heightened awareness among potential victims has resulted in fewer organizations succumbing to ransom demands. According to the same source, the percentage of compromised organizations that actually paid the ransom fell to an all-time low of 34%.

However, for those organizations that did opt to pay the ransom, the financial toll was substantial. The average ransom payment exceeded $700,000, marking a significant increase of 126% compared to the first quarter of 2023.
