Hackers Attacking MSSQL Servers To Deploy Ransomware

Recently, threat actors have been utilizing brute force attacks to compromise exposed MSSQL databases to distribute the FreeWorld ransomware.

This attack campaign, dubbed DB#JAMMER, is notable, according to Securonix Threat Labs, for the way its infrastructure and toolkit are used.


Enumeration software, RAT payloads, exploitation and stealing of credentials software, and ransomware payloads are a few of these tools. 

The FreeWorld is a more recent version of Mimic ransomware. The FreeWorld text appeared in binary file names as well as ransomware extensions.

“Threat actors targeted an MSSQL server and were able to gain a code execution foothold on the host using the enabled xp_cmdshell function present on the server,” researchers said.

Upon exploitation, the attackers started enumerating the system, issuing shell commands to weaken security, and deploying tools that let them stay persistent on the host.

How the Attack is Carried Out?

By brute forcing an MSSQL login, the threat actors got into the target host. After successfully establishing a connection, they immediately scanned the database for other login credentials.

After learning that the MSSQL function xp_cmdshell stored procedure was enabled, the attackers then started executing shell commands on the system. This function, which allows the execution of orders, should typically not be activated until necessary.

The attackers carried out various operations on the host, including user creation and modification and registry alterations. 

Reports say that the commands were executed in fast sequence, indicating that they were most likely copying them from their end’s tool list or document.

Three new users—Windows, adminv$, and mediaadmin$—were created on the victim host. Each user was added to the “administrators” and “remote desktop users” lists.

Weirdly, the attackers tried to run a lengthy one-liner to create users and change group membership. Still, many iterations of the command were run to account for groups in different languages.

User creation/modification command example

Many of the system defenses, particularly those related to network security and RDP authentications, have been turned off by the attackers.

Attackers connected to a remote SMB share to move tools in and out. Using the network share, the attacker installed malicious tools like cobalt strike and moved files to and from the victim’s PC.

For the eventual dissemination of the FreeWorld ransomware through the AnyDesk software distribution, but not before performing a lateral movement step. Additionally, it is claimed that the unidentified attackers tried unsuccessfully using Ngrok to create RDP persistence.

FreeWorld ransomware note

Final Thoughts

As a result, according to researchers, it was unclear if the attackers were making random or dictionary-based password spray attempts. 

The significance of using strong passwords, especially for services accessible to the general public, must be emphasized.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.