Cybercriminals hit Microsoft SQL Server instances with ransomware

FARGO ransomware, also known as Mallox and TargetCompany, disables database protections then encrypts records within

Cybercriminals are targeting vulnerable Microsoft SQL Server instances with FARGO ransomware in a new wave of attacks to extort money from victims, security researchers from the AhnLab Security Emergency Response Center (ASEC) have warned.

FARGO is file-encrypting ransomware that restricts access to data on a machine by encrypting files and adding the ".FARGO" extension.

Along with GlobeImposter, it is one of the best-known ransomware variants targeting SQL Server.

This malware family was referred to as "Mallox" in the past, as it used to add the ".mallox" extension to the files it encrypted.

Additionally, this strain is the same one that Avast researchers dubbed "TargetCompany" in a report in February.

FARGO ransomware looks for photos, videos and other sensitive files such as .doc, .docx, .xls, and .pdf on the victim's machine. The ransomware will encrypt these files and alter their extension to ".FARGO" when it finds them, rendering them inaccessible. It then asks its victims for a bitcoin ransom in return for a decryption key.

According to the ASEC researchers, the ransomware infection chain in the most recent attacks begins with the MS-SQL process downloading a .NET file using powershell.exe and cmd.exe.

The .NET file then downloads additional malware (including the locker), before generating a BAT file that terminates certain processes and services on the system.

The malware then attempts to erase the registry entry for the open-source Raccine ransomware "vaccine" after injecting itself into AppLaunch.exe.

In order to make the contents of databases available for encryption, it also performs a recovery deactivation command and kills database-related processes.

However, it does not encrypt all programs and directories, leaving some Windows system directories, the boot files and Tor Browser untouched to prevent the machine from becoming fully inoperative.
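
The first stage described above, in which the MS-SQL process launches cmd.exe and powershell.exe, shows up in process-creation telemetry. The following Python is an added example, not taken from the ASEC report: it assumes the database engine runs as sqlservr.exe and uses constructed Sysmon-style events to flag shells started by the engine or by any of its descendants.

```python
import ntpath

DB_ENGINE = "sqlservr.exe"               # assumption: SQL Server engine binary name
SHELLS = {"cmd.exe", "powershell.exe"}   # interpreters named in the article

# Constructed paths and events for illustration only.
SQL = "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"
SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"

# Oldest first: (pid, ppid, image, parent_image)
SAMPLE_EVENTS = [
    (4100, 1200, SYS + "CMD.EXE", SQL),             # engine starts cmd
    (4188, 4100, PS, SYS + "cmd.exe"),              # cmd starts powershell
    (4300, 4188, "C:\\Temp\\constructed.exe", PS),  # descendant, not a shell
    (5000, 900, PS, "C:\\Windows\\explorer.exe"),   # interactive admin session
]


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_sql_spawned_shells(events):
    """Return (pid, shell) for shells whose ancestry leads back to sqlservr.exe.

    Events must be in chronological order. PIDs are reused by Windows, so a
    production rule should key on Sysmon's ProcessGuid instead of the PID.
    """
    descendants = set()   # PIDs created by the engine, directly or indirectly
    hits = []
    for pid, ppid, image, parent_image in events:
        # Matching on the parent image catches direct children even when the
        # engine itself started before logging began.
        if base(parent_image) == DB_ENGINE or ppid in descendants:
            descendants.add(pid)
            if base(image) in SHELLS:
                hits.append((pid, base(image)))
    return hits


if __name__ == "__main__":
    for pid, shell in find_sql_spawned_shells(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {shell} descends from {DB_ENGINE}")
```

Instances that legitimately shell out from the engine will trigger this rule as well, so those hosts need an allow-list before it is used for alerting.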

Victims are told that if they do not pay the ransom, they risk having their stolen files posted on the ransomware operators' Telegram channel.

Experts say that dictionary and brute-force attacks are the most common ways that databases are breached. Additionally, attackers take advantage of known vulnerabilities that might not be patched.

To protect their database server from brute force attacks and dictionary attacks, administrators of MS-SQL servers are advised to use strong passwords and to change them on a regular basis. Admins should also update instances promptly to ensure the most recent vulnerabilities are patched.

In May, Microsoft researchers discovered a malicious campaign targeting MS-SQL Server by exploiting a built-in PowerShell utility to achieve persistence on compromised machines.

The cyber actors behind the campaign used brute force attacks for the initial breach and then weaponised the built-in sqlps.exe module to seize full control of the SQL Server instance.

In February, ASEC researchers warned that hackers were trying to deploy the Cobalt Strike adversary simulation tool on vulnerable internet-facing SQL Server instances in efforts to steal confidential information from compromised machines.