Cybersecurity experts have spotted a new hacking campaign taking advantage of poorly secured MS-SQL servers to deliver the Trigona ransomware (opens in new tab).
Researchers from South Korean firm AhnLab observed the threat actors scanning for internet-exposed Microsoft SQL servers and then trying to access them either via brute-force or dictionary attacks. These attacks work if the servers have simple, easy-to-guess passwords, and by automating the login process, the hackers can breach numerous servers with ease.
Once they gain access to the endpoint, the attackers will first install a piece of malware the researchers named CLR Shell. This malware picks up system information, changes the compromised account’s configuration, and escalates privileges to LocalSystem through a vulnerability in the Windows Secondary Logon Service.
Deleting backups
“CLR Shell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers,” the researchers said.
The next step is to use the svcservice.exe malware dropper to deploy the Trigona ransomware. In this step, all files on the device are encrypted, and a ransom note is left, instructing the victims on how to reach out to the attackers and negotiate the release of a decryption key. The researchers also said that Trigona disables system recovery and deletes any Windows Volume Shadow copies, to prevent the victims from recovering their systems via backup.
While businesses might be tempted to pay the ransom, thinking that would be the simplest and cheapest way to address the problem, general consensus is that they should refrain from giving in to criminal demands. Recent data from Rubrik Zero Labs has found that of all the organizations that suffered a ransomware attack and paid for the decryptor, just 16% actually managed to recover all of their data.
Paying the ransom also funds future criminal activity, which is yet another reason not to give in to the hackers’ demands.
Via: BleepingComputer (opens in new tab)
