Freeworld

Description

FreeWorld is a ransomware variant first observed in September 2023 and believed to be derived from the Mimic ransomware family. It is deployed through coordinated campaigns dubbed DB#JAMMER, which target poorly secured Microsoft SQL (MSSQL) servers exposed to the internet. Attackers gain initial access by brute-forcing logins, use the xp_cmdshell feature to execute shell commands, disable defenses, deploy remote access tools such as Cobalt Strike and AnyDesk, and finally deliver the FreeWorld payload. The ransomware encrypts files using hybrid encryption and appends the .FreeWorldEncryption extension. Victims receive a ransom note titled FreeWorld-Contact.txt containing payment and data-recovery instructions.
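The two earliest stages of the chain described above, password brute force against the MSSQL listener and the switching-on of xp_cmdshell, both leave traces in the SQL Server ERRORLOG. The script below is an added triage example, not code from the page or from any of the analyses it links: it reads ERRORLOG lines, counts failed logins per client address and login name, flags a successful login from a client that had already exceeded the failure threshold, and reports any line recording the 'xp_cmdshell' configuration option changing from 0 to 1. The log lines embedded in it are constructed samples that follow the real ERRORLOG message format; the threshold of five failures is an assumed tuning value.

```python
"""ERRORLOG triage for the DB#JAMMER intrusion pattern (added example).

Assumes SQL Server ERRORLOG text in its default format. SAMPLE_LOG is a
constructed sample, not a capture from a real incident.
"""
import re
from collections import Counter

# Real ERRORLOG message shapes (patterns are deliberately loose on whitespace).
FAILED_LOGIN = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
SUCCESS_LOGIN = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
XP_CMDSHELL_ON = re.compile(
    r"Configuration option 'xp_cmdshell' changed from 0 to 1"
)

# Constructed sample lines: six failures for 'sa' from one client, one stray
# failure elsewhere, a success from the brute-forcing client, then the
# configuration change that makes shell execution possible.
SAMPLE_LOG = [
    "2023-09-01 10:15:%02d.00 Logon       Login failed for user 'sa'. "
    "Reason: Password did not match that for the login provided. "
    "[CLIENT: 203.0.113.5]" % sec
    for sec in range(6)
] + [
    "2023-09-01 10:20:11.00 Logon       Login failed for user 'backup'. "
    "Reason: Password did not match that for the login provided. "
    "[CLIENT: 198.51.100.7]",
    "2023-09-01 10:21:03.00 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
    "2023-09-01 10:22:40.00 spid55      Configuration option 'xp_cmdshell' "
    "changed from 0 to 1. Run the RECONFIGURE statement to install.",
]


def analyse(lines, threshold=5):
    """Return brute-force sources, suspicious successes and xp_cmdshell enables.

    Lines are processed in order so that a success is only flagged when the
    failures for the same (client, user) pair precede it.
    """
    failures = Counter()          # (client, user) -> failed login count
    suspicious_logins = []        # successes that followed >= threshold failures
    xp_cmdshell_enabled = []      # raw lines recording the option being enabled

    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            failures[(m.group("client"), m.group("user"))] += 1
            continue
        m = SUCCESS_LOGIN.search(line)
        if m:
            key = (m.group("client"), m.group("user"))
            if failures[key] >= threshold:
                suspicious_logins.append(key)
            continue
        if XP_CMDSHELL_ON.search(line):
            xp_cmdshell_enabled.append(line.strip())

    brute_force = {k: n for k, n in failures.items() if n >= threshold}
    return {
        "brute_force": brute_force,
        "suspicious_logins": suspicious_logins,
        "xp_cmdshell_enabled": xp_cmdshell_enabled,
    }


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for (client, user), n in findings["brute_force"].items():
        print(f"brute force: {n} failed logins for '{user}' from {client}")
    for client, user in findings["suspicious_logins"]:
        print(f"success after brute force: '{user}' from {client}")
    for line in findings["xp_cmdshell_enabled"]:
        print(f"xp_cmdshell enabled: {line}")
```

Pointing `analyse()` at the lines of a live ERRORLOG (or the output of `xp_readerrorlog`) gives the same three findings; the success-after-failures signal is the one worth alerting on first, since it marks the moment the brute-force stage has paid off.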

External Analysis
https://www.broadcom.com/support/security-center/protection-bulletin/freeworld-ransomware
https://thehackernews.com/2023/09/threat-actors-targeting-microsoft-sql.html
https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/
https://www.darkreading.com/cyberattacks-data-breaches/mssql-databases-under-fire-from-freeworld-ransomware
https://www.pcrisk.com/removal-guides/27581-freeworld-ransomware