Protecting Your MSSQL Databases: Defending Against the FreeWorld Ransomware Threat

The .txt file generated by FreeWorld ransomware, from Securonix Threat Research

A new cyberattack campaign named “DB#JAMMER” has emerged, specifically targeting exposed Microsoft SQL Server (MSSQL) databases. The implications of this campaign are nothing short of severe, especially for organizations relying on this technology, as DB#JAMMER is no ordinary cyberattack; it’s a well-choreographed assault that employs intricate tactics, including relentless brute-force attacks aimed at breaching MSSQL servers. Once these digital intruders gain access, they unleash a barrage of malicious payloads, comprising ransomware and the notorious Cobalt Strike. The aftermath of such an attack can be catastrophic, as it wreaks havoc on compromised systems. Securonix, a leading cybersecurity research firm, has been at the forefront of investigating this threat. They’ve diligently uncovered the inner workings of DB#JAMMER, shedding light on its complex attack sequence and the potential havoc it can wreak on businesses worldwide.

The Attack Sequence

DB#JAMMER is not your run-of-the-mill cyberattack; it follows a meticulously orchestrated sequence of steps designed to infiltrate and compromise MSSQL databases:

  • Initial Access: The campaign commences with determined brute-force attempts to gain unauthorized access to exposed MSSQL databases. These relentless efforts allow the attackers to breach the first line of defense.
  • Expanding Foothold: Once inside, the attackers embark on expanding their presence within the target system. They capitalize on the compromised MSSQL server as a strategic launching pad for a multitude of malicious payloads.
  • Payload Delivery: The attackers, operating with precision, unleash an array of malicious payloads. Among them are remote-access Trojans (RATs) and a recently discovered ransomware variant known as “FreeWorld.” This ransomware strain earned its moniker due to its distinct characteristics, including file names containing “FreeWorld,” a ransom instruction file titled FreeWorld-Contact.txt, and the “.FreeWorldEncryption” extension used for encrypted files.
  • Establishing Persistence: To ensure they maintain control over the compromised system, the threat actors take further steps. They create a remote SMB share to house their malicious tools. Within this repository, you’ll find a Cobalt Strike command-and-control agent (srv.exe) and AnyDesk. Additionally, they employ a network port scanner and Mimikatz, a tool for extracting credentials and moving laterally within the network.
  • Configuration Changes: The attackers don’t stop at payload delivery; they also make strategic configuration changes. These alterations include creating or modifying user accounts and tweaking registry settings, all intended to hinder the system’s natural defenses.

An Ongoing Threat

As of the latest updates, the DB#JAMMER campaign still poses a significant threat. Although it seems to have specific targets initially, the campaign’s risk remains dangerous. This is because there are signs that the attackers might go beyond attacking just MSSQL databases, possibly affecting a wider range of systems and organizations. “At this point, our current assessment indicates a medium to high risk level because there are indications that the infiltration vectors employed by the attackers may extend beyond MSSQL,” emphasized Oleg Kolesnikov, Vice President of Threat Research and Cybersecurity at Securonix. Kolesnikov also mentions that the DB#JAMMER campaign was unique in its complex patterning, which means that if broadened the attacks could be devastating. “This is not something we have been seeing often, and what truly sets this attack sequence apart is the extensive tooling and infrastructure used by the threat actors,” he points out. This evolving threat landscape emphasizes the importance of organizations strengthening their defenses, not only for MSSQL databases but for their entire digital infrastructure, to protect against the growing danger of DB#JAMMER.

Protecting Your MSSQL Databases

To fortify your defenses against threats like DB#JAMMER and ransomware in general, consider adopting the following security measures:

  • Limit Internet Exposure: Reduce your attack surface by restricting the exposure of MSSQL services to the internet. If feasible, avoid allowing external connections, as weak account credentials are often exploited through these avenues.
  • Implement Comprehensive Defenses: Develop a profound understanding of the attack progression and behaviors leveraged by malicious actors. Consider disabling or tightly restricting the use of potentially risky features like “xp_cmdshell.”
  • Enhance Logging: Augment your security posture by monitoring common malware staging directories, with particular focus on “C:\Windows\Temp.” Deploy additional process-level logging tools like Sysmon and PowerShell logging to enhance your detection capabilities.
  • Stay Informed: Stay vigilant and informed about the ever-evolving landscape of cybersecurity threats and trends. This knowledge will empower you to adapt your security measures accordingly, ensuring you stay one step ahead of potential attackers.

In an era marked by a surge in ransomware attacks, safeguarding your MSSQL databases is no longer just a choice—it’s an absolute necessity. Implementing these proactive security measures can significantly strengthen your defenses against potent threats like FreeWorld ransomware, allowing you to safeguard your invaluable data. In today’s ever-evolving threat landscape, staying ahead is not a luxury; it’s essential to protect the critical assets and operations relying on MSSQL databases.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.