Turkish hackers targeting database servers with Mimic ransomware

Siva Ramakrishnan
Turkish hackers are targeting databases in the United States, European Union and Latin America with the Mimic ransomware, according to new research from cybersecurity company Securonix.

Oleg Kolesnikov, vice president of threat research, told Recorded Future News that what stood out most about the campaign was that the hackers customized their attacks for each victim far more than what they typically see.

“From our latest observations, this appears to be a financially-motivated, ongoing campaign,” Kolesnikov said. “The attackers appear to use a more targeted approach in terms of obtaining initial access compared to some of the other malicious threat actors using exploits, commodity malware payloads etc.”

Securonix, which named the campaign “RE#TURGENCE,” said the hackers either sell the access they obtain or deploy ransomware on the compromised host.

The researchers discovered the campaign after the attackers made a mistake revealing significant parts of their communications, negotiations and more.

The hackers are specifically going after Microsoft SQL (MSSQL) — a popular software product that helps users store and retrieve data requested by applications. Microsoft’s version is one of several database managers that uses SQL, short for structured query language.

Once they gain access, they try to map out the victim’s system and damage cyber defenses to establish their persistence. They typically spend about one month in a victim system before deploying the Mimic ransomware.

The researchers noted that the initial access tactics used in the campaign resemble another campaign they discovered last year that also involved the Mimic ransomware. Like that campaign, the hackers gain access to exposed Microsoft SQL databases through brute forcing — a hacking method that uses trial and error to crack passwords.

Mimic was spotlighted earlier this year by researchers at TrendMicro after first being seen in the wild in June 2022.

It targets Russian- and English-speaking users, and TrendMicro said there are indicators tying it to the Conti ransomware builder that was leaked last year.

In one instance, the hackers moved laterally to two other machines after gaining initial access. They eventually downloaded the ransomware payload, which is able to query and locate specific files that the hackers want encrypted.

Securonix warned that companies should “always refrain from exposing critical servers directly to the internet.”

“With the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network,” they said. “We recommend providing access to these resources behind a much more secure infrastructure such as a VPN.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
