
Hackers target Microsoft SQL servers with FARGO ransomware

Obanla Opeyemi

October 4, 2022 - TuxCare expert team

Microsoft SQL servers are being targeted with FARGO ransomware, according to AhnLab Security Emergency Response Center (ASEC) researchers.

MS-SQL servers are database management systems that store data for internet services and applications.

FARGO is regarded as one of the most prominent ransomware families that, together with GlobeImposter, concentrate on MS-SQL servers. It was previously known as “Mallox,” because it used to append the “.mallox” extension to encrypted files.

During the infection and execution of FARGO, the researchers determined that the ransomware infection begins with the MS-SQL process on the compromised computer, which downloads a .NET file using cmd.exe and powershell.exe. The payload then fetches additional malware, including the locker, and generates and executes a BAT file, which terminates specific processes and services.

After that, the ransomware payload injects itself into AppLaunch.exe, a legitimate Windows process. It tries to delete the registry key for the open source ransomware “vaccine” named Raccine. The malware then executes the recovery deactivation command and terminates database-related processes so that their files can be encrypted.

The FARGO ransomware strain excludes some software and directories from encryption, so that the compromised system does not become completely unusable. Excluded from encryption are several Microsoft Windows system directories, the boot files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file and the thumbnail database.

Once the encryption process is complete, the locked files are renamed with the “.Fargo3” extension, and the malware generates the ransom note (“RECOVERY FILES.txt”).
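As an added defender-side example (not code from the article or from ASEC), the following Python checks process-creation and file-creation telemetry for two stages of the chain described above: the MS-SQL service spawning cmd.exe or powershell.exe, and files renamed with the “.Fargo3” extension or the “RECOVERY FILES.txt” note being written. The sqlservr.exe image name, the event field names and the sample events are assumptions constructed for the demonstration.

```python
"""Flag the FARGO infection-chain stages described above in process and
file telemetry. Added example; sample events are constructed."""
from pathlib import PureWindowsPath

# Indicators from the article; the MS-SQL image name is an assumption.
MSSQL_IMAGE = "sqlservr.exe"
SPAWNED_TOOLS = {"cmd.exe", "powershell.exe"}
ENCRYPTED_EXT = ".fargo3"
RANSOM_NOTE = "recovery files.txt"

def image_name(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def check_event(event: dict) -> list[str]:
    """Return alert strings for one event; an empty list means benign."""
    alerts = []
    if event["type"] == "process_create":
        parent, child = image_name(event["parent_image"]), image_name(event["image"])
        # First stage: the MS-SQL service spawning a shell to fetch the payload.
        if parent == MSSQL_IMAGE and child in SPAWNED_TOOLS:
            alerts.append(f"{parent} spawned {child}: {event['command_line']}")
    elif event["type"] == "file_create":
        target = PureWindowsPath(event["target"])
        # Final stage: renamed encrypted files and the dropped ransom note.
        if target.suffix.lower() == ENCRYPTED_EXT:
            alerts.append(f"encrypted file written: {target}")
        elif target.name.lower() == RANSOM_NOTE:
            alerts.append(f"ransom note dropped: {target}")
    return alerts

def scan(events: list[dict]) -> list[str]:
    """Run every event through check_event and collect the alerts."""
    return [alert for event in events for alert in check_event(event)]

# Constructed sample telemetry (field names are assumptions, not a real log format).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "command_line": "cmd.exe /c powershell.exe <stage-download placeholder>"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "cmd.exe /c dir"},
    {"type": "file_create", "target": r"D:\Data\invoices.xlsx.Fargo3"},
    {"type": "file_create", "target": r"D:\Data\RECOVERY FILES.txt"},
    {"type": "file_create", "target": r"D:\Data\notes.txt"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running it on the constructed events produces three alerts: the shell spawned by the MS-SQL service, the renamed encrypted file, and the ransom note; the benign explorer.exe shell and the plain text file produce none.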

As a security measure, MS SQL server administrators should ensure that they use strong and unique passwords to protect their systems, and they should keep the servers up to date by installing the latest fixes for security vulnerabilities.

The sources for this piece include an article in BleepingComputer.

