2022-09-27

FARGO ransomware is targeting vulnerable Microsoft SQL instances; attacks peaked between 16 and 18 September.

The encrypted files are renamed OriginalFileName.FileExtension.Fargo3, and the ransom note is written to a file named ‘RECOVERY FILES.txt’.

Cybersecurity researchers have identified a new wave of attacks and are warning organizations about it. The ransomware known as FARGO targets vulnerable Microsoft SQL servers to encrypt files and demand a ransom. Analysts at the AhnLab Security Emergency Response Center published a blog post stating that FARGO, alongside GlobeImposter, is the most prominent ransomware strain targeting SQL Server instances.

The ransomware uses the .Fargo3 extension for encrypted files. According to data from the ID Ransomware platform, FARGO activity peaked between 16 and 18 September.

The attack starts with the SQL Server process downloading a .NET file through the cmd.exe and powershell.exe consoles. The payload runs additional code that generates and executes a BAT file, which shuts down certain processes and services. The ransomware then injects .NET code into AppLaunch.exe, which attempts to delete the registry key for Raccine, a protection layer against ransomware whose main purpose is to prevent shadow copies from being deleted via vssadmin.

Fargo then executes the recovery-deactivation command and deletes shadow copies before shutting down database-related processes. Once these processes are stopped, the database contents become available for encryption. Finally, the ransomware encrypts the files, appends the .Fargo3 extension to their names, and drops a ransom note named “RECOVERY FILES.txt”. The note tells the victim how to contact the attackers in order to pay the ransom, and it threatens to publish the organization's database in the public domain. The AhnLab Security Emergency Response Center said:
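As an added, defender-side illustration that is not part of the original article, the following Python sketches detection logic for the chain just described, run over constructed process-creation events. The SQL Server service image name sqlservr.exe is an assumption, and the Raccine registry key path is a placeholder because the article does not give it.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry) mirroring the
# chain above: SQL Server spawning a shell, AppLaunch.exe tampering with Raccine, then
# vssadmin deleting shadow copies. The service image name sqlservr.exe is an assumption;
# the Raccine registry key is a placeholder because the article does not give its path.
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -File C:\Windows\Temp\stage.ps1"},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "cmdline": "AppLaunch.exe"},
    {"id": 3, "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe delete "HKLM\SOFTWARE\RACCINE_KEY_PLACEHOLDER" /f'},
    {"id": 4, "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 5, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

def _name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()

SHELLS = {"cmd.exe", "powershell.exe"}
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
RACCINE_TAMPER = re.compile(r"\breg(?:\.exe)?\b.*\bdelete\b.*raccine", re.IGNORECASE)

RULES = [
    # the SQL Server service process directly spawning a command shell
    ("sqlserver_spawns_shell",
     lambda e: _name(e["parent"]) == "sqlservr.exe" and _name(e["image"]) in SHELLS),
    # AppLaunch.exe, the .NET host the article says is injected, spawning children (tune per site)
    ("applaunch_child_process", lambda e: _name(e["parent"]) == "applaunch.exe"),
    ("raccine_registry_tamper", lambda e: RACCINE_TAMPER.search(e["cmdline"]) is not None),
    ("shadow_copy_deletion", lambda e: VSS_DELETE.search(e["cmdline"]) is not None),
]

def detect(events):
    """Return (event id, rule name) for every rule each event trips, in event order."""
    return [(e["id"], name) for e in events for name, pred in RULES if pred(e)]

def fargo_chain_seen(events):
    """True when a SQL Server-spawned shell precedes a vssadmin shadow-copy deletion."""
    names = [name for _, name in detect(events)]
    return ("sqlserver_spawns_shell" in names and "shadow_copy_deletion" in names
            and names.index("sqlserver_spawns_shell") < names.index("shadow_copy_deletion"))
```

The per-event rules are noisy on their own (AppLaunch.exe has legitimate children); the ordering check in fargo_chain_seen is what ties them to the sequence the article describes.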

« Typical attacks that target database servers (MS-SQL, MySQL servers) include brute-force attacks and dictionary attacks on systems where account credentials are being poorly managed. And there may be vulnerability attacks on systems that do not have a vulnerability patch applied. Administrators of MS-SQL servers should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute-force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks. »