FREEWORLDfreeworld

FreeWorld is a ransomware variant first observed in September 2023, and is believed to be derived from the Mimic ransomware family. It is deployed through coordinated campaigns dubbed DB#JAMMER, which exploit poorly secured Microsoft SQL (MSSQL) servers exposed to the internet. Attackers gain initial access via brute force, leverage the xp_cmdshell feature to execute shell commands, disable defenses, deploy remote access tools like Cobalt Strike and AnyDesk, and eventually deliver the FreeWorld payload. The ransomware encrypts files using hybrid encryption and appends the .FreeWorldEncryption extension. Victims receive a ransom note titled FreeWorld-Contact.txt, directing them on payment and data recovery steps.