“Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. MS-SQL servers are database management systems holding data for internet services and apps. Disrupting them can cause severe business trouble. BleepingComputer has reported similar attacks in February, dropping Cobalt Strike beacons, and in July when threat actors hijacked vulnerable MS-SQL servers to steal bandwidth for proxy services. The latest wave is more catastrophic, aiming for a quick and easy profit by blackmailing database owners.”
The latest campaign was uncovered by security researchers at AhnLab Security Emergency Response Center (ASEC). Recently, there has been a spike in attacks leveraging FARGO ransomware, a malware strain notable for targeting MS-SQL servers. According to ID Ransomware, a platform that identifies ransomware based on the ransom note/encrypted file submitted, approximately 103 samples submitted within the last month have been identified as FARGO ransomware.
Upon closer examination, FARGO seems to be the same strain dubbed “TargetCompany” that AVAST researchers released a free decryption tool for in February. As such, it is possible that files encrypted by FARGO can be decrypted for free.
The infection chain starts with the MS-SQL process on the compromised machine downloading a .NET file via cmd[.]exe and powershell[.]exe, which in turn fetches and loads additional malware, including the locker. The loaded malware generates a BAT file in the %temp% directory and executes it to terminate certain processes and services. From there, the ransomware payload is injected into “AppLaunch[.]exe”, a legitimate Windows process. Before initiating encryption, FARGO ransomware executes a recovery-deactivation command and terminates database-related processes such as sqlserv[.]exe and sqlwriter[.]exe.
In order to prevent the targeted system from being completely unusable, FARGO avoids encrypting certain software and directories including boot files, Tor Browser, Internet Explorer, user customizations and settings, and the debug log file.
Encrypted files are appended with the .Fargo3 extension. Once the encryption process is complete, the ransomware generates a note called “RECOVERY FILES.txt” that provides victims with instructions on how to recover their files. According to researchers, the threat actors threaten victims that they will leak the stolen files on Telegram if the ransom is not paid.
Typical attacks that target database servers (MS-SQL, MySQL) include brute force and dictionary attacks against systems where account credentials are poorly managed, as well as vulnerability exploitation against systems that have not had the relevant patch applied. Administrators of MS-SQL servers should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force and dictionary attacks, and should apply the latest patches to prevent vulnerability attacks.
When implementing SQL servers in production environments, organizations may also want to consider the following:
- Run Routine Security Audits
- Have a Strong Password Policy
- Deploy and Test SQL Server Updates
- Use a Firewall
- Use Encryption
- Avoid Installing Non-Essential Software
- Use a SQL Monitoring Tool
- Use a Data Access Controller
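The brute force and dictionary attacks described above, together with the "SQL monitoring" and "routine audits" items on this list, come down to watching for failed logins. The following is an added example (not from the article or from ASEC) that scans SQL Server ERRORLOG-style lines and flags client addresses that rack up many failed logins inside a sliding time window; the log lines are constructed samples, and the 5-failures-in-5-minutes threshold is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG format (not real events).
SAMPLE_LOG = """\
2022-09-23 10:15:32.12 Logon       Error: 18456, Severity: 14, State: 8.
2022-09-23 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-09-23 10:15:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-09-23 10:15:34.01 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-09-23 10:15:35.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-09-23 10:15:36.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-09-23 10:40:12.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-09-23 11:02:05.33 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Matches only the "Login failed for user" line; the preceding "Error: 18456"
# line and successful logins are deliberately ignored.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {client: (first_failure, count, users)} for every client address
    that produced at least `threshold` failed logins within any sliding window
    of length `window`. Assumes lines are in chronological order, as ERRORLOG is."""
    recent = defaultdict(deque)   # client -> deque of (timestamp, user) inside window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        q = recent[m["client"]]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold and m["client"] not in flagged:
            first = q[0][0].strftime("%Y-%m-%d %H:%M:%S")
            flagged[m["client"]] = (first, len(q), sorted({u for _, u in q}))
    return flagged

if __name__ == "__main__":
    for client, (first, count, users) in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{client}: {count} failed logins since {first}, users tried: {users}")
```

On the sample data only 203.0.113.5 is reported (five failures in under five seconds, trying both 'sa' and 'admin'); the single failure from 198.51.100.7 stays below the threshold.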