
FreeWorld Ransomware: Microsoft SQL Servers on Target


Threat actors are exploiting inadequately secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain known as FreeWorld.

“Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally, ransomware payloads,” noted security researchers.

Modus Operandi

Security firm Securonix named this campaign DB#JAMMER, highlighting its distinctive use of tooling and infrastructure.

Initial Stage

Initial access is gained by brute-forcing credentials on an internet-exposed MS SQL server. Once authenticated, the attackers enumerate the database and enable the xp_cmdshell extended stored procedure (a server configuration option switched on through sp_configure) to run operating-system shell commands and gather host information.

Next Stage

In the next phase the attackers attempt to disable the Windows firewall and establish persistence: they mount a remote SMB share to move files between the victim host and their own infrastructure, and use it to stage tools such as Cobalt Strike.

Final Stage

These steps set the stage for deploying the AnyDesk remote-desktop software, followed by a lateral-movement step and, finally, installation of the FreeWorld ransomware. The unidentified attackers also made unsuccessful attempts to establish RDP persistence by tunnelling the service through Ngrok.

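As an added example (not code from Securonix, PureVPN or the original post), the following Python script turns the three stages above into detection logic and runs it over constructed SQL Server ERRORLOG lines and process-creation records. The log layouts, field names, file paths, client addresses and the brute-force threshold of five failures are assumptions made for the example, not indicators taken from the report.

```python
"""Detection logic for the DB#JAMMER-style chain described above.

Sample input below is constructed for this example, not captured from a
real incident. The ERRORLOG lines follow SQL Server's own message layout;
the process-creation records are an assumed reduction of Sysmon Event ID 1 /
Security 4688 fields (parent image, image, command line).
"""
import re
from collections import Counter

# Constructed ERRORLOG excerpt: six failed 'sa' logins from one client (the
# brute-force source), one unrelated failure, then xp_cmdshell being enabled.
ERRORLOG = """\
2023-08-30 01:12:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 01:12:03.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 01:12:03.63 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 01:12:03.74 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 01:12:03.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 01:12:03.96 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-08-30 01:15:40.10 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2023-08-30 01:16:09.02 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Constructed process-creation records for the later stages of the chain
# (paths and arguments are assumed, not taken from the report).
PROCESS_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall set allprofiles state off"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use Z: \\203.0.113.7\share /user:guest Passw0rd"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\AnyDesk.exe",
     "command_line": "AnyDesk.exe --install"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Users\Public\ngrok.exe",
     "command_line": "ngrok tcp 3389"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]

LOGIN_FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[0-9A-Fa-f.:]+)\]")
XP_CMDSHELL_ON_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def failed_logins_by_client(errorlog):
    """Count failed logins per source address."""
    counts = Counter()
    for line in errorlog.splitlines():
        m = LOGIN_FAIL_RE.search(line)
        if m:
            counts[m.group("client")] += 1
    return counts


def brute_force_sources(errorlog, threshold=5):
    """Clients with at least `threshold` failed logins (threshold is an assumed tuning value)."""
    return sorted(c for c, n in failed_logins_by_client(errorlog).items() if n >= threshold)


def xp_cmdshell_enabled(errorlog):
    """True if the log records xp_cmdshell being switched from 0 to 1."""
    return any(XP_CMDSHELL_ON_RE.search(line) for line in errorlog.splitlines())


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_process(event):
    """Tag one process-creation record with the chain stages it matches."""
    parent, image = _basename(event["parent_image"]), _basename(event["image"])
    cmd = event["command_line"].lower()
    tags = []
    if parent == "sqlservr.exe":  # xp_cmdshell runs commands as a child of the SQL Server service
        tags.append("sqlservr_child")
    if image == "netsh.exe" and "advfirewall" in cmd and "state off" in cmd:
        tags.append("firewall_disabled")
    if image == "net.exe" and re.search(r"\buse\b.*\\\\", cmd):  # mapping a UNC path
        tags.append("smb_share_mapped")
    if image == "anydesk.exe":
        tags.append("remote_access_tool")
    if image == "ngrok.exe":
        tags.append("tunnel_tool")
    return tags


def detect_chain(errorlog, events, threshold=5):
    """Correlate the stages. `full_chain` is True only when brute force,
    xp_cmdshell enablement and the post-exploitation steps all appear."""
    tags = sorted({t for ev in events for t in classify_process(ev)})
    sources = brute_force_sources(errorlog, threshold)
    enabled = xp_cmdshell_enabled(errorlog)
    full = bool(sources) and enabled and \
        {"sqlservr_child", "firewall_disabled", "smb_share_mapped"} <= set(tags)
    return {"brute_force_sources": sources, "xp_cmdshell_enabled": enabled,
            "process_tags": tags, "full_chain": full}


if __name__ == "__main__":
    print(detect_chain(ERRORLOG, PROCESS_EVENTS))
```

In a real deployment the ERRORLOG is available through xp_readerrorlog or the log files on disk, and the process records require command-line auditing (Sysmon, or 4688 with command-line logging enabled). The sqlservr.exe-child rule is deliberately broad: a production database engine rarely needs to spawn cmd.exe at all, so any such child is worth an alert even before the firewall or SMB steps are seen.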

“The attack succeeded initially due to a brute force attack on an MS SQL server,” emphasized the researchers. “It’s crucial to stress the importance of robust passwords, especially for publicly exposed services.”

What is known about FreeWorld?


“The ransomware payload of choice appears to be a newer variant of Mimic ransomware called FreeWorld. The FreeWorld text was present in the binary file names and ransomware extensions.”

Mimic ransomware bundles several capabilities and speeds up its encryption routine by running multiple threads in parallel and abusing the APIs of Everything, a legitimate Windows file-search utility, to locate the files it targets.

Ransomware on the rise

The year 2023 has witnessed a significant surge in ransomware attacks. Ransomware threat actors are evolving their extortion methods, including sharing specifics of their attack techniques to argue that victims aren’t eligible for cyber insurance compensation.

The right way to guard against ransomware is a multi-layered approach that covers endpoints, e-mail, web and the network. Choose the right tools and the correct approach; being safe is the best policy.

Author: Anas Hasan

Date: September 4, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast with vast experience in the digital transformation industry. When Anas isn't blogging, he watches football.
