Vulnerable Microsoft SQL servers are being targeted by brute-force attacks distributing Trigona ransomware payloads, BleepingComputer reports.
According to a report from AhnLab, attackers first infect compromised servers with the CLR Shell malware, which can harvest system data, modify account configurations and escalate privileges, before installing and executing a dropper that launches the Trigona ransomware.
Researchers also found that CLR Shell deletes Windows Volume Shadow copies, preventing system recovery without a decryption key.
Attackers were also observed modifying the ransomware binary's configuration so that it launches automatically after a system restart.
Trigona ransomware, first identified last October, encrypts all files except those in the Windows and Program Files directories, appending the "._locked" extension to encrypted files.
At least 190 submissions to the ID Ransomware platform since January have been attributed to the ransomware operation.
Microsoft SQL servers subjected to Trigona ransomware attacks