Vulnerable Microsoft SQL servers are currently being targeted by threat actors and infected with FARGO ransomware (also known as Mallox and TargetCompany). Microsoft SQL servers hold the data behind internet services and applications, so disruption of these databases by FARGO could cause severe problems for the businesses that depend on them.
In February 2022, the threat actors behind FARGO attacks dropped Cobalt Strike beacons, and by July 2022, they were hijacking vulnerable Microsoft SQL servers to steal bandwidth for their own proxy services. The latest FARGO attacks blackmail database owners into paying the demanded ransom. If the owners refuse to pay the ransom, the threat actors threaten to expose their stolen files on Telegram.
FARGO is one of the most prominent ransomware strains that focus on Microsoft SQL servers. The infection starts with powershell.exe and cmd.exe downloading a .NET file to the compromised machine. After that payload fetches additional malware, a .BAT file terminates specific processes and services. To keep victims from recovering their data, FARGO runs a recovery-deactivation command and kills processes before it begins encryption.
Once encryption is complete, FARGO renames the locked files with the “.Fargo3” extension and drops a ransom note titled “RECOVERY FILES.txt.” The threat actors demand payment in Bitcoin. Database servers are frequently compromised through brute-force attacks, and when brute force succeeds it is almost always because the target uses weak credentials. The threat actors may also break into a database server by exploiting well-known, unpatched vulnerabilities. Organizations should keep their systems current with the latest security patches and enforce strong passwords.
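The three observables described above (failed-login bursts against the SQL service, shells spawned by the SQL Server process, and the .Fargo3 / RECOVERY FILES.txt artifacts) map directly onto detection logic. The following Python triage script is an added example, not part of the advisory; its log lines and process events are constructed samples, and the SQL Server ERRORLOG line format and Sysmon-style field names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MSSQL ERRORLOG excerpt (sample data, not from the advisory).
MSSQL_ERRORLOG = """\
2022-09-20 10:00:01.12 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2022-09-20 10:00:02.40 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2022-09-20 10:00:03.01 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2022-09-20 10:00:03.77 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2022-09-20 10:00:04.20 Logon Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2022-09-20 10:05:00.00 Logon Login failed for user 'app'. Reason: Password did not match. [CLIENT: 10.0.0.7]
"""
FAIL_RE = re.compile(r"^(\S+ \S+) Logon Login failed for user '([^']+)'.*\[CLIENT: ([\d.]+)\]")

# Constructed process-creation events shaped like Sysmon Event ID 1 fields (assumed names).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
SHELLS = {"cmd.exe", "powershell.exe"}


def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return {client_ip: count} for IPs with >= threshold failed logins in any window_s span."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            times[m.group(3)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"))
    hits = {}
    for ip, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):  # sliding window anchored at each failure
            n = sum(1 for t in ts[i:] if t - start <= timedelta(seconds=window_s))
            if n >= threshold:
                hits[ip] = max(hits.get(ip, 0), n)
    return hits


def detect_sql_spawned_shells(events):
    """Flag cmd.exe/powershell.exe whose parent is the SQL Server service process."""
    return [e for e in events if e["ParentImage"].lower().endswith("sqlservr.exe")
            and e["Image"].rsplit("\\", 1)[-1].lower() in SHELLS]


def detect_fargo_artifacts(paths):
    """Flag the encrypted-file extension and ransom note named in the advisory."""
    return [p for p in paths if p.endswith(".Fargo3") or p.rsplit("\\", 1)[-1] == "RECOVERY FILES.txt"]
```

The brute-force check fires on five `sa` failures from 203.0.113.5 inside a few seconds but not on the single `app` failure, and the process check flags only the cmd.exe launched by sqlservr.exe.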
INDICATORS OF COMPROMISE (IOCS):
FARGO Ransomware Targets Vulnerable Microsoft SQL Servers (socradar.io)
Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com)
Microsoft SQL servers subjected to new FARGO ransomware attacks | SC Media (scmagazine.com)
FARGO ransomware targets vulnerable Microsoft SQL servers in new wave of attacks | IT PRO