Flash Notices

Flash Notice: FARGO Ransomware Attacking Microsoft SQL Servers

Written by Marketing | Sep 28, 2022 2:27:31 PM

Overview 

Vulnerable Microsoft SQL servers are currently being targeted by threat actors and infected with FARGO ransomware (also known as Mallox and TargetCompany). Microsoft’s SQL servers hold data for internet services and apps. A disruption  to these databases by FARGO could cause severe issues for businesses.  

In February 2022, the threat actors behind FARGO attacks dropped Cobalt Strike beacons, and by July 2022, they were hijacking vulnerable Microsoft SQL servers to steal bandwidth for their own proxy services. The latest FARGO attacks blackmail database owners into paying the demanded ransom. If the owners refuse to pay the ransom, the threat actors threaten to expose their stolen files on Telegram.  

FARGO is one of the most popular ransomware strains that focuses on Microsoft SQL servers. The ransomware infection starts by using powershell.exe and cmd.exe to download a .NET file to a compromised machine. After the payload fetches additional malware, a .BAT file terminates certain processes and services. To ensure that businesses can’t recover their data, FARGO executes the recovery deactivation command and kills processes prior to initiating encryption.   

Once encryption is complete, FARGO renames locked files using the “.Fargo3” extension and generates a ransom note titled “RECOVERY FILES.txt.” The threat actors expect the demanded ransom to be paid in Bitcoin. Database servers are often compromised via brute-force, and if a threat actor is able to use brute-force in their attack, it’s likely due to their target having weak credentials. The threat actor may also try to attack a database server by exploiting well-known and unpatched vulnerabilities. It’s important that organizations keep their devices updated with the latest security patches and maintain strong passwords.  

 

 

How Avertium is Protecting Our Customers:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. 
     
  • To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.   
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 

 

 

Avertium's recommendations

  • To keep your cyber environment safe, apply security updates regularly. Not patching well-known vulnerabilities is one of the most common ways threat actors deploy ransomware.  
  • Organizations should remind their employees to use hard passwords that have not been re-used.  
  • Implementing MFA (multi-factor authentication) can help keep your organization secure.  





 INDICATOR'S OF COMPROMISE (IOCS):

MD5 Hashes 

  • d687eb9fea18e6836bd572b2d180b144 
  • b4fde4fb829dd69940a0368f44fca285 
  • c54daefe372efa4ee4b205502141d360 
  • 4d54af1bbf7357964db5d5be67523a7c 
  • 41bcad545aaf08d4617c7241fe36267c 

Downloader 

  • hxxp://49.235.255[.]219:8080/Pruloh_Matsifkq[.]png 

SHA-1 

  • 0e7f076d59ab24ab04200415cb35037c619d0bae 

SHA-256 

  • 863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1 

Vhash 

  • 015056655d155510f8z73hz2075zabz 

Imphash 

  • c8318053dac1b12c686403fde752954c 



 

Supporting documentation

FARGO Ransomware Targets Vulnerable Microsoft SQL Servers (socradar.io) 

Microsoft SQL servers hacked in TargetCompany ransomware attacks (bleepingcomputer.com) 

Microsoft SQL servers subjected to new FARGO ransomware attacks | SC Media (scmagazine.com) 

FARGO ransomware targets vulnerable Microsoft SQL servers in new wave of attacks | IT PRO 

 

 

 

 

Related Reading: CaddyWiper Malware vs. RURansom Wiper (The Cyber War Continues)

Contact us for more information about Avertium’s managed security service capabilities.