FARGO Ransomware Attacks MS-SQL Servers To Encrypt Internet Services

Cybersecurity experts at the ASEC (AhnLab Security Emergency Response Center) analysis team have recently warned that Microsoft SQL servers that are vulnerable to attacks have been targeted by the ransomware called FARGO in a new wave of attacks.

An MS-SQL server is a system that is used for storing and managing data related to internet services and applications. In the event that they are disrupted, it can have severe consequences for businesses.

It seems that the new wave of attacks is more devastating, aiming to prey on database owners and lock them out of their databases to make a quick profit.

FARGO Ransomware

Alongside families such as GlobeImposter, FARGO is among the ransomware strains best known for targeting vulnerable Microsoft SQL Server databases. The ransomware was previously known as Mallox, after the .mallox extension it appended to encrypted files.


In February of this year, Avast researchers noted that some files encrypted by this ransomware might be recoverable for free in certain cases, pointing out that it was the same strain known as “TargetCompany.”

A significant number of submissions for the FARGO file-encrypting malware have been recorded on the ID Ransomware platform, which implies that the ransomware is still active.

Infection Chain

The MS-SQL process spawns cmd[.]exe and powershell[.]exe, which are used to download a .NET-based file onto the system.

Using this method, additional malware will be downloaded and loaded from a specific location.

The loaded malware then generates and executes a BAT file in the %temp% directory, which shuts down certain processes and services.

The ransomware's own behavior begins with injection into AppLaunch[.]exe, a standard Windows program. It then runs a command that disables recovery, attempts to delete a registry key at a specific path, and terminates certain processes.

Ransom Note

Once encryption is complete, the locked files are renamed with the extension “.Fargo3”, which the ransomware appends itself. The malware then generates the ransom note.

To pressure victims into paying, the threat actor threatens to leak the stolen files on their Telegram channel if the demanded ransom is not paid.

Brute-force and dictionary attacks are typical attacks against database servers whose account credentials are poorly managed.

Alternatively, a cybercriminal may exploit known vulnerabilities that the target has not yet patched.
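Two detections a defender can derive from the behavior described above (the SQL Server service process spawning cmd.exe or powershell.exe, and repeated failed logins that indicate credential brute forcing), shown as an added example over constructed sample data, not code from the ASEC report. The key=value event layout and the simplified login-failure message format are assumptions for the example.

```python
import re
from collections import Counter

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# key=value pairs). Sample data only, not telemetry from the ASEC report.
PROCESS_EVENTS = [
    "host=db01 parent=sqlservr.exe image=cmd.exe user=MSSQLSERVER",
    "host=db01 parent=sqlservr.exe image=powershell.exe user=MSSQLSERVER",
    "host=db01 parent=explorer.exe image=cmd.exe user=dba",
    "host=db01 parent=sqlservr.exe image=conhost.exe user=MSSQLSERVER",
]

# Constructed MS-SQL error-log lines for failed logins (simplified Event ID
# 18456 wording). Client addresses are from the TEST-NET documentation ranges.
LOGIN_LOG = [
    "Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "Login failed for user 'admin'. Reason: Could not find a login. [CLIENT: 203.0.113.5]",
    "Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]",
    "Login failed for user 'app'. Reason: Password did not match. [CLIENT: 198.51.100.7]",
]

SHELLS = {"cmd.exe", "powershell.exe"}
LOGIN_FAIL = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([\d.]+)\]")


def parse_kv(line):
    """Split 'k=v k2=v2' into a dict (values contain no spaces in this format)."""
    return dict(tok.split("=", 1) for tok in line.split())


def sql_spawned_shell(events):
    """Flag shells whose parent is sqlservr.exe: the first step of the FARGO
    chain, where MS-SQL launches cmd.exe/powershell.exe to fetch the payload."""
    hits = []
    for line in events:
        ev = parse_kv(line)
        if ev.get("parent", "").lower() == "sqlservr.exe" and ev.get("image", "").lower() in SHELLS:
            hits.append(ev)
    return hits


def brute_force_sources(log_lines, threshold=3):
    """Return {client_ip: failure_count} for sources at or above the threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOGIN_FAIL.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in sql_spawned_shell(PROCESS_EVENTS):
        print("ALERT: sqlservr.exe spawned", ev["image"], "on", ev["host"])
    for ip, n in brute_force_sources(LOGIN_LOG).items():
        print(f"ALERT: {n} failed SQL logins from {ip}")
```

In production the same logic would run over forwarded Sysmon and SQL Server error-log events rather than the inline samples, with the threshold tuned to the environment's normal failure rate.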

Recommendations

The recommendations are as follows:

  • Always use strong and unique passwords.
  • Make sure to keep the machine up-to-date.
  • Periodically change the passwords.
  • Always update to the latest patch.


BALAJI is a Former Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.