Hackers target Microsoft SQL servers with FARGO ransomware
Microsoft SQL servers are being targeted with FARGO ransomware according to AhbLab Security Emergency Response Center (ASEC) researchers.
MS-SQL servers are considered database management systems that store data for internet services and apps.
FARGO is regarded as one of the most prominent ransomware tribes, which together with GlobeImposter concentrate on MS-SQL servers, and it has been called in the past as “Mallox,” because it used to append the “.mallox” extension to the encrypted file.
During the infection and execution of FARGO, the researchers determined that the ransomware infection begins with the MS-SQL process on the compromised computer, which downloads a .NET file using cmd.exe and powershell.exe. The payload then fetches additional malware, including the locker, and generates and executes a BAT file, which terminates specific processes and services.
After that, the ransomware payload injects itself into AppLaunch.exe, a legitimate Windows process. It tries to delete the registry key for the open source ransomware “vaccine” named Raccine. The malware executes the recovery deactivation command and terminates database-related processes, to make their contents available for encryption.
The FARGO ransomware strain excludes some software and directories from the encryption. The aim of this measure is to prevent the compromised system from becoming completely unusable. Excluded from the encryption are several Microsoft Windows system directories, the boot files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file or the thumbnail database.
Once the encryption process is complete, the locked files are renamed with the “.Fargo3” extension, and the malware generates the ransom note (“RECOVERY FILES.txt”).
As a security measure, it is now important for MS SQL server administrators to ensure that they use strong and unique passwords to protect their systems, it is important that they keep the servers up to date by installing the latest fixes for security vulnerabilities.
The sources for this piece include an article in BleepingComputer.