Cybersecurity experts at the ASEC (AhnLab Security Emergency Response Center) analysis team have recently warned that Microsoft SQL servers that are vulnerable to attacks have been targeted by the ransomware called FARGO in a new wave of attacks.
An MS-SQL server is a system used for storing and managing the data behind internet services and applications, so a disruption can have severe consequences for the businesses that depend on it.
It seems that the new wave of attacks is more devastating, aiming to prey on database owners and lock them out of their databases to make a quick profit.
Like GlobeImposter, FARGO is a well-known ransomware family that targets vulnerable Microsoft SQL Server databases. It was previously known as Mallox, because earlier samples appended the .mallox file extension to encrypted files.
In February of this year, Avast researchers noted that files encrypted by this strain could in some cases be recovered for free, and identified it as the same family tracked as “TargetCompany.”
A significant number of FARGO file-encrypting attacks have been reported to the ID Ransomware platform, which implies that the ransomware is still active.
The MS-SQL process spawns cmd[.]exe and powershell[.]exe, which download a .NET-based file onto the system.
That file in turn downloads and loads additional malware from a specific location.
The loaded malware then generates a BAT file in the %temp% directory and executes it; the script shuts down certain processes and services.
The ransomware's behaviour begins with injection into AppLaunch[.]exe, a legitimate Windows program. It then runs a command that disables recovery, attempts to delete a registry key at a specific path, and terminates certain processes.
Once encryption completes, the locked files are renamed with the extension “.Fargo3”, which the ransomware appends itself. The malware then drops the ransom note.
To pressure victims into paying, the threat actor threatens to leak their stolen files on its Telegram channel if the demanded ransom is not paid.
Where account credentials are poorly managed, brute-force and dictionary attacks are the typical way database servers are compromised.
Alternatively, a cybercriminal may exploit known vulnerabilities that the target has not patched.
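Two of the behaviours described above, the SQL Server engine spawning cmd[.]exe/powershell[.]exe and the repeated failed logons that precede a brute-force compromise, can be flagged from process-creation and SQL Server error-log records. The following Python script is an added example, not code from the ASEC report; its log records are constructed, and the field layout is a simplification of Sysmon Event ID 1 and of the engine's error log (error 18456 is SQL Server's "Login failed" event).

```python
import re
from collections import Counter

# Constructed process-creation records, simplified from Sysmon Event ID 1 fields.
# The first two mirror the chain in the article: sqlservr.exe -> cmd.exe -> powershell.exe.
PROC_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe <constructed stage-two download placeholder>"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe <constructed stage-two download placeholder>"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\dba\notes.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def sql_engine_spawned_shell(events):
    """Return events where the SQL Server engine process directly launched a shell."""
    return [ev for ev in events
            if basename(ev["parent"]) == "sqlservr.exe" and basename(ev["image"]) in SHELLS]

# Constructed SQL Server error-log lines, flattened to one line per logon event.
LOGON_LINES = [
    "2022-09-20 03:14:01.22 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.7]",
    "2022-09-20 03:14:01.41 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.7]",
    "2022-09-20 03:14:01.63 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 198.51.100.7]",
    "2022-09-20 03:14:01.88 Logon Error: 18456, Severity: 14, State: 5. Login failed for user 'admin'. [CLIENT: 198.51.100.7]",
    "2022-09-20 03:14:09.00 Logon Login succeeded for user 'dba'. Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
    "2022-09-20 03:20:44.10 Logon Error: 18456, Severity: 14, State: 8. Login failed for user 'sa'. [CLIENT: 192.0.2.10]",
]
LOGON_FAIL = re.compile(r"Error: 18456,.*Login failed for user '([^']+)'.*\[CLIENT: ([0-9.]+)\]")

def brute_force_sources(lines, threshold=3):
    """Map client IP -> number of failed logons, keeping only IPs at or above the threshold."""
    counts = Counter()
    for line in lines:
        m = LOGON_FAIL.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ev in sql_engine_spawned_shell(PROC_EVENTS):
        print("ALERT: sqlservr.exe launched", basename(ev["image"]), "->", ev["cmdline"])
    for ip, n in brute_force_sources(LOGON_LINES).items():
        print(f"ALERT: {n} failed MS-SQL logons from {ip}")
```

In a real deployment the threshold should be tuned per environment and the parent/child check extended to the engine's other child processes, since only the direct sqlservr.exe-to-shell hop is checked here.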
Recommendations
The recommendations are listed below: