Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files.
The MS-SQL servers are being breached via brute-force or dictionary attacks that take advantage of easy-to-guess account credentials.
After connecting to a server, the threat actors deploy malware dubbed CLR Shell by security researchers from South Korean cybersecurity firm AhnLab who spotted the attacks.
This malware is used for harvesting system information, altering the compromised account’s configuration, and escalating privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service (LocalSystem privileges are required to launch the ransomware as a service).
“CLR Shell is a type of CLR assembly malware that receives commands from threat actors and performs malicious behaviors, similarly to the WebShells of web servers,” AhnLab says.
In the next stage, the attackers install and launch a dropper malware as the svcservice.exe service, which they use to launch the Trigona ransomware as svchost.exe.
They also configure the ransomware binary to automatically launch on each system restart via a Windows autorun key to ensure the systems will be encrypted even after a reboot.
Before encrypting the system and deploying ransom notes, the malware disables system recovery and deletes any Windows Volume Shadow copies, making recovery impossible without the decryption key.
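As an added defender's illustration (not code from the article or from AhnLab), the short Python detector below scans constructed log lines for the artefacts the report describes: a burst of failed MS-SQL logins from one client, a service named svcservice.exe, an autorun entry under the Run key, and shadow-copy deletion. The log line format, the exact Run key path, the vssadmin command and the five-failure threshold are assumptions, not details taken from the report.

```python
import re
from collections import Counter

# Constructed sample log lines (not real telemetry) modelling the chain the
# article describes; formats are assumed for this example.
SAMPLE_LOGS = [
    "2023-04-17T02:10:01 mssql Login failed for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:10:02 mssql Login failed for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:10:03 mssql Login failed for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:10:04 mssql Login failed for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:10:05 mssql Login failed for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:10:06 mssql Login failed for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:10:09 mssql Login succeeded for user 'sa'. Client: 203.0.113.5",
    "2023-04-17T02:15:44 system Service installed: svcservice.exe path=C:\\Users\\Public\\svcservice.exe",
    "2023-04-17T02:15:50 registry SetValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run svchost=C:\\Users\\Public\\svchost.exe",
    "2023-04-17T02:16:02 process vssadmin.exe delete shadows /all /quiet",
]

# Assumed threshold: this many failed logins for one user from one client
# within the scanned window is treated as a brute-force / dictionary attempt.
BRUTE_FORCE_THRESHOLD = 5

# Pattern rules for the post-compromise artefacts named in the report.
RULES = [
    ("ransomware dropper service", re.compile(r"Service installed: svcservice\.exe", re.I)),
    ("autorun persistence", re.compile(r"\\CurrentVersion\\Run\b.*\.exe", re.I)),
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
]

FAILED_LOGIN = re.compile(r"Login failed for user '(?P<user>[^']+)'\. Client: (?P<src>\S+)")


def detect(lines, threshold=BRUTE_FORCE_THRESHOLD):
    """Return (finding_name, evidence) pairs for the supplied log lines."""
    findings = []
    failures = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            # Aggregate failed logins per (client, user) instead of alerting per line.
            failures[(m["src"], m["user"])] += 1
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append((name, line))
    for (src, user), n in failures.items():
        if n >= threshold:
            findings.append(("mssql brute force", f"{n} failed logins for '{user}' from {src}"))
    return findings


if __name__ == "__main__":
    for name, evidence in detect(SAMPLE_LOGS):
        print(f"[{name}] {evidence}")
```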
First spotted in October 2022 by MalwareHunterTeam and analyzed by BleepingComputer, the Trigona ransomware operation is known for only accepting ransom payments in Monero cryptocurrency from victims worldwide.
Trigona encrypts all files on victims’ devices except those in specific folders, including the Windows and Program Files directories. Before encryption, the gang also claims to steal sensitive documents that will get added to its dark web leak site.
Additionally, the ransomware renames encrypted files by adding the ._locked extension and embeds the encrypted decryption key, the campaign ID, and the victim ID (company name) in every locked file.
It also creates ransom notes named “how_to_decrypt.hta” in each folder with information about the attack, a link to the Trigona Tor negotiation website, and a link that contains the authorization key needed to log into the negotiation site.
The Trigona ransomware gang has been behind a constant stream of attacks, with at least 190 submissions to the ID Ransomware platform since the start of the year.