Excerpt from BleepingComputer Article – Published on Jan 09, 2024
In a concerning development, hackers are focusing their efforts on Microsoft SQL servers, unleashing a new wave of ransomware attacks using the notorious Mimic malware. This sophisticated attack involves deploying Mimic ransomware payloads through self-extracting archives via the remote desktop software AnyDesk. The attackers utilize a legitimate application, the Everything app, to search for files to encrypt—a technique initially observed in January 2023.
Security firm Securonix revealed that the Mimic ransomware drops Everything binaries, enhancing the encryption process. The dropper, identified as’red25.exe,’ efficiently places all necessary files for the main ransomware payload to execute its objectives. Upon completion of the encryption process, the’red.exe’ process triggers the execution of an encryption/payment notice, which is saved as ‘—IMPORTANT—NOTICE—.txt’ on the victim’s C:\ drive.
BleepingComputer uncovered that the email address provided in the ransom note (datenklause0@gmail.com) establishes a connection to the Phobos ransomware group. Phobos, emerging in 2018, is a ransomware-as-a-service derived from the Crysis ransomware family.
This incident is a replication of a previous campaign (DB#JAMMER) that Securonix exposed last year, which used the same brute force initial access attack vector to target MSSQL servers. In that instance, the attackers deployed FreeWorld ransomware, another alias for the infamous Mimic ransomware.
The evolving tactics of these threat actors highlight the persistent and adaptive nature of cyber threats. Organizations are urged to reinforce their cybersecurity measures, including robust access controls and continuous monitoring, to thwart such malicious campaigns targeting critical infrastructure.
To delve deeper into this topic, please read the full article in the BleepingComputer