A cyberattack campaign has been discovered compromising exposed Microsoft SQL Server (MSSQL) databases, using brute-force attacks to deliver ransomware and Cobalt Strike payloads.
According to an investigation by Securonix, the typical attack sequence observed for this campaign begins with brute forcing access into the exposed MSSQL databases. After initial infiltration, the attackers expand their foothold within the target system and use MSSQL as a beachhead to launch several different payloads, including remote-access Trojans (RATs) and a new Mimic ransomware variant called "FreeWorld," named for the inclusion of the word "FreeWorld" in the binary file names, a ransom instruction file named FreeWorld-Contact.txt, and the ransomware extension, which is ".FreeWorldEncryption."
![[correlate]](/data/avatars/m/79/79653.jpg?1556985072){kind=avatar}
