Poorly secured Microsoft SQL servers are being targeted by brute-force attacks on their login credentials, with successful guesses followed by the deployment of Trigona ransomware payloads, BleepingComputer reports.
In the initial stage of the attack, the intruders infect compromised servers with the CLR Shell malware, which can harvest system information, modify account configuration, and escalate privileges. They then install and execute a dropper that launches the Trigona ransomware, according to a report from AhnLab.
Researchers also found that CLR Shell blocks system recovery and erases Windows Volume Shadow Copies, so that files cannot be restored without the decryption key.
The attackers have also been observed configuring the ransomware binary to launch automatically whenever the system restarts, giving the payload persistence across reboots.
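The chain above (a credential-guessing burst against the SQL login, code execution from inside the database engine, shadow-copy and recovery tampering, and a boot-time relaunch) leaves distinct traces that a defender can check for. The following is an added detection example, not code from BleepingComputer, AhnLab or the Trigona operators; the record formats are assumptions modelled on SQL Server error-log lines (Windows Event ID 18456) and Sysmon-style process-creation and registry events, the sample records are constructed, and the Run-key check is one common persistence mechanism rather than the one the report identifies.

```python
"""Added example (not from the BleepingComputer/AhnLab reporting): a small
detector for the attack chain described above, run over constructed sample
records. Record layouts are assumptions modelled on SQL Server error-log
lines and Sysmon-style process-creation / registry-value events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server error-log lines; the message text mirrors the real
# "Login failed for user" entry. Client IPs are documentation ranges.
SQL_LOG = """\
2023-04-17 09:00:00.10 spid52  Starting up database 'master'.
2023-04-17 09:01:01.11 Logon   Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 09:01:01.42 Logon   Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 09:01:01.87 Logon   Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 09:01:02.20 Logon   Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-04-17 09:01:02.55 Logon   Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-17 09:03:30.00 Logon   Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
""".splitlines()

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map client IP -> total failed logins for every client that produced
    at least `threshold` failures inside one sliding `window` (a guessing burst)."""
    stamps = defaultdict(list)
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            stamps[m["client"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for client, ts in stamps.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[client] = len(ts)
                break
    return hits

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 fields).
PROC_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /all"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Well-known commands that delete shadow copies or disable Windows recovery.
RECOVERY_TAMPER = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]

def find_recovery_tampering(events):
    """Command lines matching shadow-copy deletion or recovery-disabling commands."""
    return [e["CommandLine"] for e in events
            if any(p.search(e["CommandLine"]) for p in RECOVERY_TAMPER)]

def find_sqlserver_children(events):
    """Shells spawned by sqlservr.exe: what code running inside the database
    engine (a CLR assembly, xp_cmdshell) looks like at the OS level."""
    shells = ("cmd.exe", "powershell.exe", "pwsh.exe")
    return [e["CommandLine"] for e in events
            if e["ParentImage"].lower().endswith("sqlservr.exe")
            and e["Image"].lower().endswith(shells)]

# Constructed registry value-set records (Sysmon Event ID 13 fields). A Run key
# is assumed here as one common relaunch-at-boot mechanism; the report does not
# say which mechanism Trigona uses.
REG_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost",
     "Details": r"C:\ProgramData\svchost.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName",
     "Details": "Foo"},
]
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def find_run_key_persistence(events):
    """(key, value) pairs written under Run/RunOnce."""
    return [(e["TargetObject"], e["Details"]) for e in events
            if RUN_KEY.search(e["TargetObject"])]

if __name__ == "__main__":
    print("brute force:", find_bruteforce(SQL_LOG))
    print("sqlservr children:", find_sqlserver_children(PROC_EVENTS))
    print("recovery tampering:", find_recovery_tampering(PROC_EVENTS))
    print("run-key persistence:", find_run_key_persistence(REG_EVENTS))
```

The brute-force rule keys on the client address rather than the login name because the sample burst mixes `sa` with a guessed `admin` account; tune `threshold` and `window` to the server's normal failure rate, and treat a `cmd.exe` or `powershell.exe` child of `sqlservr.exe` as high-signal on a database host that has no legitimate reason to run CLR code or `xp_cmdshell`.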
Trigona ransomware, first identified last October, encrypts all files except those in the Windows and Program Files directories, appending the "._locked" extension to each encrypted file.
At least 190 submissions to the ID Ransomware platform since January have been attributed to the ransomware operation.