According to cybersecurity firm Securonix, the campaign is notable for the way its infrastructure and toolkit are used. The firm has named the campaign DB#JAMMER.
"Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads[…]The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld," say security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov in a technical breakdown of the activity.
The attackers first gain access to the victim host by brute-forcing the MS SQL server, enumerating the database, and exploiting the xp_cmdshell configuration option to execute shell commands and conduct reconnaissance.
Next, they take steps to disable the system firewall in order to establish persistence and install malicious software such as Cobalt Strike, connecting to a remote SMB share to transfer files to and from the targeted system.
This in turn opens the door for the eventual delivery of the FreeWorld ransomware through the distribution of the AnyDesk software, but not before a lateral movement phase. Additionally, the unidentified attackers are said to have tried, unsuccessfully, to use Ngrok to establish RDP persistence.
The researchers concluded, "The attack initially succeeded as a result of a brute force attack against a MS SQL server[…]It's important to emphasize the importance of strong passwords, especially on publicly exposed services."
According to figures released by Coveware in July 2023, the year has seen a record-breaking increase in ransomware attacks following a lull in 2022, even as the proportion of incidents that ended with the victim paying has fallen to a record low of 34%.
The report also noted that the average ransom payment has reached a whopping $740,144, up 126% from Q1 2023.
Moreover, these fluctuations in monetization rates have coincided with developments in the extortion tradecraft of ransomware threat actors, such as disclosing specifics of their attack methods to argue that victims are ineligible for a cyber insurance claim.
"Snatch claims they will release details of how attacks against non-paying victims succeeded in the hope that insurers will decide that the incidents should not be covered by insurance ransomware," Emsisoft security researcher Brett Callow said in a post shared on X (formerly Twitter) last month.