Researchers identified attacks targeting Microsoft SQL (MSSQL) servers to encrypt the victims' files with Mimic (N3ww4v3) ransomware. The attacks are tracked as RE#TURGENCE and have been observed targeting Europe, the United States, and Latin America.
The threat actors gained initial access by brute-forcing logins on MSSQL servers that were exposed directly to the internet. With administrative access to the database engine, they enabled the xp_cmdshell extended stored procedure, which is disabled by default, and used it to obtain a command shell running with the privileges of the SQL Server service account. From that shell they ran PowerShell scripts that loaded Cobalt Strike payloads in memory via reflection and injected them into the Windows-native process SndVol.exe.
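The xp_cmdshell step above is the pivot from database access to host access, so it is worth seeing both sides of it. The following T-SQL is an added example and not code from the article or from the research it summarizes; it assumes a SQL Server instance on which the caller holds the sysadmin role (which is exactly what a brute-forced 'sa' login hands an attacker) and is run from SSMS or sqlcmd. The first part reproduces what an intruder does to switch the procedure on; the rest is what an administrator runs to check for it, turn it off, and find the brute force in the error log.

```sql
-- Added example, not code from the article or the research it summarizes.
-- Assumes a SQL Server instance where the caller holds sysadmin, as a
-- brute-forced 'sa' login would; run from SSMS or sqlcmd.

-- 1. Attacker side: xp_cmdshell is off by default, so the intruder turns it on.
--    'show advanced options' must be enabled before 'xp_cmdshell' can be set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 2. Every command now runs as the SQL Server service account, on the host,
--    outside the database. The output is that account's name.
EXEC master..xp_cmdshell 'whoami';

-- 3. Defender side: is the procedure currently enabled? value_in_use = 1 on a
--    server with no business need for it is a finding to chase.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 4. Turn it back off and hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. The configuration change itself is written to the SQL Server error log
--    ("Configuration option 'xp_cmdshell' changed from 0 to 1 ..."), as is every
--    failed authentication ("Login failed for user ... [CLIENT: <ip>]").
--    xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server
--    error log), search string.
EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 6. Who could have done this at all: every login holding sysadmin, and whether
--    'sa' is still enabled. Disabling or renaming 'sa' and keeping TCP 1433 off
--    the internet removes the entry point this campaign relied on.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;
```

Note that xp_cmdshell can only be called by sysadmin members (or through a configured proxy account), so the sysadmin list in the last query is also the list of logins whose brute-forcing would have led to the same outcome. A burst of "Login failed" lines from one client address, followed by the xp_cmdshell configuration entry, is the sequence described in this campaign and is cheap to alert on.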
Once on the host, the attackers downloaded AnyDesk for persistent remote access and used Mimikatz to extract cleartext credentials. They expanded the intrusion across the network by scanning with Advanced Port Scanner, compromising additional hosts, and eventually the domain controller. Mimic ransomware was then delivered over AnyDesk; it uses the bundled Everything file-search utility to enumerate the files it encrypts. Once encryption completed, the ransomware left a payment notice saved as '—IMPORTANT—NOTICE—.txt' on the victim's C:\ drive.
The email address datenklause0@gmail[.]com in the ransom note links the threat group to Phobos ransomware attacks; Phobos emerged in 2018 as an offshoot of the Crysis (Dharma) ransomware family.