Hackers are actively exploiting vulnerabilities in MS-SQL servers to deploy the Malloz ransomware, posing significant risks to organizations’ data security. Weak passwords, unpatched systems, and misconfigurations make MS-SQL servers attractive targets for cybercriminals utilizing automated scanning and exploitation tools. Recent findings by cybersecurity researchers at Sekoi reveal the swift compromise of an MS-SQL honeypot, with attackers leveraging brute-force attacks on the weak “sa” account to deploy Malloz ransomware using PureCrypter.
Technical analysis of the incidents exposes sophisticated exploitation tactics employed by cybercriminals, including the deployment of payloads corresponding to PureCrypter and the execution of the Malloz ransomware from its resources. Malloz, known for its double extortion technique, has become one of the most distributed ransomware families, targeting victims across various industries worldwide. The ransomware operators, likely former tier ransomware group members, transitioned to a RaaS model and recruit affiliates to carry out attacks, leveraging vulnerabilities in MS-SQL servers and phishing for initial access.
Despite claims to avoid attacking Eastern Europe, Malloz has heavily impacted Asian victims in sectors such as manufacturing and retail. The ransomware operators have adopted triple extortion strategies, further escalating the severity of attacks. Analysis reveals the exploitation of MS-SQL vulnerabilities by individuals associated with Malloz during the initial compromise, underscoring the critical need for organizations to fortify their MS-SQL server defenses and implement robust cybersecurity measures to mitigate the evolving threats posed by ransomware attacks.
