Hackers are targeting exposed MS SQL servers with Mimic ransomware

Hackers are brute-forcing exposed MS SQL database servers to deliver Mimic ransomware, Securonix researchers are warning.

MS SQL Mimic ransomware

About Mimic ransomware

Mimic ransomware was first spotted in the wild in June 2022 and analyzed by Trend Micro researchers in January 2023.

It abuses the APIs of a Windows filename search engine called Everything to search for files to be encrypted or avoided, and has the ability to delete shadow copies, kill processes and services (e.g., Windows Defender, Windows telemetry), unmount virtual drives, activate anti-shutdown and anti-kill measures, and more. Encrypted files get the .QUIETPLACE file extension.

“From our analysis, some parts of the code seemed to be based on, and share several similarities with the Conti ransomware builder that was leaked in March 2022. For example, the enumeration of the encryption modes shares the same integer for both Mimic and Conti,” Trend Micro researchers said, and noted that MIMIC targets Russian and English-speaking users.

The campaign

In this recent campaign, hackers managed to access compromised MS SQL servers via brute force attacks. Once an admin account is compromised and they have access, they leverage the xp_cmdshell procedure to execute commands. Then they performed system enumeration, deployed a heavily obfuscated Cobalt Strike payload to execute additional code, as well as the AnyDesk remote access tool.

They gain persistence by creating a local user and adding it to the “administrators” group.

They proceeded to do system discovery, move laterally, and finally deployed the ransomware by using AnyDesk.

“The timeline for the events was about one month from initial access to the deployment of Mimic ransomware on the victim domain,” Securonix researchers noted.

The hackers appear to be financially motivated and have been targeting US, EU and LATAM countries.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” the researchers concluded.

MS SQL servers under attack

This latest campaign is very similar to the one Securonix researchers spotted last year, in which also targeted MS SQL servers and delivered a variant of the Mimic ransomware.

In another campaign documented by researchers in early 2020, attackers leveraged poorly secured MS SQL servers to install Vollar and Monero cryptocurrency miners.

Don't miss