Threat Intelligence Blog
Black Arrow Cyber Advisory 30/09/2022 – Microsoft SQL Servers Targeted by FARGO Ransomware
Executive Summary
Unsecured Microsoft SQL servers have been identified as the target of FARGO ransomware (also known as Mallox and TargetCompany). This ransomware strain attempts to shut down various processes and services on affected machines before encrypting the data and dropping a ransom note, which warns that the data may be published in the public domain if payment is not received.
What’s the risk to me or my business?
Currently the threat actors appear to be targeting vulnerable Microsoft SQL servers, gaining initial access either by brute forcing credentials or through known vulnerabilities that have not been patched. If the threat actor gains access to such a server and successfully delivers the ransomware, data could be encrypted and published in the public domain.
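As an added illustration (not code from Black Arrow or from the AhnLab write-up), the following Python script shows how a defender could spot the credential brute forcing mentioned above in the SQL Server ERRORLOG, where each failed login is recorded as error 18456 followed by a "Login failed for user" line that includes the client address. The log lines, client addresses and thresholds are constructed for the example; the sliding-window counting is the generic pattern and applies to any source of failed-login events, not only this log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the second of the two ERRORLOG lines SQL Server writes for a failed login
# (error 18456). Captures the timestamp, the login name and the client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failed_logins(lines):
    """Yield (timestamp, login, client) for every 'Login failed' line; other lines are ignored."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]

def find_bruteforce(lines, threshold=10, window_seconds=300):
    """Return {(client, login): peak_count} for every (client, login) pair that
    accumulates at least `threshold` failures inside a sliding window of
    `window_seconds`. Peak_count is the largest number seen in any one window."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for ts, user, client in parse_failed_logins(lines):
        by_source[(client, user)].append(ts)
    alerts = {}
    for key, stamps in by_source.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts

def constructed_errorlog():
    """Constructed sample (not a real log): 30 failures for 'sa' from one external
    address within 90 seconds, two isolated failures from an internal host, and an
    unrelated startup message that the parser must ignore."""
    base = datetime(2022, 9, 30, 10, 15, 0)

    def stamp(delta):
        return (base + delta).strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]

    lines = []
    for i in range(30):
        ts = stamp(timedelta(seconds=3 * i))
        lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password did not "
                     f"match that for the login provided. [CLIENT: 203.0.113.5]")
    for minutes in (40, 55):
        ts = stamp(timedelta(minutes=minutes))
        lines.append(f"{ts} Logon       Login failed for user 'reporting'. Reason: Password did not "
                     f"match that for the login provided. [CLIENT: 10.0.0.12]")
    lines.append("2022-09-30 11:00:00.00 spid52      Starting up database 'tempdb'.")
    return lines

if __name__ == "__main__":
    for (client, user), count in find_bruteforce(constructed_errorlog()).items():
        print(f"ALERT: {count} failed logins for '{user}' from {client} within 5 minutes")
```

In practice the same function can be pointed at the live ERRORLOG (or at Windows event 18456 forwarded to a SIEM), and the `sa` login in particular should be disabled or renamed so that a burst against it is both rare and unambiguous.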
What can I do?
Ensure that leading practices are followed for securing Microsoft SQL servers, including both timely patching of security vulnerabilities when made available, and ensuring that server administrator accounts are protected with strong passwords and multi-factor authentication where available.
Technical Summary
The attack begins with the threat actor gaining initial access to the MS-SQL process, which allows them to execute a .NET file through either CMD or PowerShell. This file downloads additional malware, which then generates a .BAT file that shuts down certain processes and services. The ransomware is then injected into AppLaunch.exe, a legitimate Windows program. It attempts to delete a registry key, disables recovery and closes further processes, including the MS-SQL server itself. With the database taken offline, its files can be encrypted and given the .FARGO3 extension. A ransom note named ‘RECOVERY FILES.TXT’ is then generated, detailing payment, with a warning that the data will be published in the public domain if payment is not received.
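The chain above leaves observable traces on the host. The script below is an added example (not code from the advisory or from the linked AhnLab post) that runs a few detection rules over constructed, simplified process-creation and file-creation events: a shell spawned directly by sqlservr.exe, a .BAT file written by a process descending from sqlservr.exe, AppLaunch.exe started within that lineage, files carrying the .FARGO3 extension, and creation of a file named RECOVERY FILES.TXT. The event field names, PIDs, loader name and file paths are assumptions made for the example; only the process and file names taken from the advisory are real indicators.

```python
# Constructed, simplified host telemetry in the spirit of process-creation and
# file-creation events (Sysmon event IDs 1 and 11). Field names are our own.
SHELLS = {"cmd.exe", "powershell.exe"}
SQL_IMAGE = "sqlservr.exe"
RANSOM_NOTE = "recovery files.txt"   # note name from the advisory, lower-cased
RANSOM_EXT = ".fargo3"               # extension from the advisory, lower-cased

def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def process_table(events):
    """Map pid -> process-creation event so parents can be looked up."""
    return {e["pid"]: e for e in events if e["type"] == "process"}

def descends_from(pid, image_name, procs, max_depth=16):
    """True if pid or any of its ancestors runs an image with the given basename."""
    depth = 0
    while pid in procs and depth < max_depth:
        if basename(procs[pid]["image"]) == image_name:
            return True
        pid = procs[pid]["ppid"]
        depth += 1
    return False

def detect(events):
    """Run the rules over the events and return (rule, pid) findings in event order."""
    procs = process_table(events)
    findings = []
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            # Rule 1: the SQL Server process itself launching a command shell.
            if name in SHELLS and parent and basename(parent["image"]) == SQL_IMAGE:
                findings.append(("sql_spawned_shell", e["pid"]))
            # Rule 2: AppLaunch.exe (the injection target) started within the SQL Server lineage.
            elif name == "applaunch.exe" and descends_from(e["ppid"], SQL_IMAGE, procs):
                findings.append(("applaunch_from_sql_lineage", e["pid"]))
        elif e["type"] == "file":
            name = basename(e["path"])
            # Rule 3: the ransom note named in the advisory.
            if name == RANSOM_NOTE:
                findings.append(("ransom_note", e["pid"]))
            # Rule 4: a file carrying the encryption extension.
            elif name.endswith(RANSOM_EXT):
                findings.append(("encrypted_file", e["pid"]))
            # Rule 5: a .BAT file written by anything descending from SQL Server.
            elif name.endswith(".bat") and descends_from(e["pid"], SQL_IMAGE, procs):
                findings.append(("bat_from_sql_lineage", e["pid"]))
    return findings

# Constructed events: the PIDs, the C:\Users\Public and D:\Data paths and the
# PLACEHOLDER_* names are made up for the example, not real sample names.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 900,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe"},
    {"type": "process", "pid": 1200, "ppid": 900,  "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"type": "process", "pid": 1310, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "pid": 1322, "ppid": 1310, "image": r"C:\Users\Public\PLACEHOLDER_loader.exe"},
    {"type": "file",    "pid": 1322, "path": r"C:\Users\Public\PLACEHOLDER_stop.bat"},
    {"type": "process", "pid": 1340, "ppid": 1322, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"type": "file",    "pid": 1340, "path": r"D:\Data\customers.mdf.FARGO3"},
    {"type": "file",    "pid": 1340, "path": r"D:\Data\RECOVERY FILES.TXT"},
    # Benign activity that must not fire: an administrator's own shell and script.
    {"type": "process", "pid": 2000, "ppid": 900,  "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 2010, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file",    "pid": 2010, "path": r"C:\Temp\build.bat"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 1 is the highest-value signal here because a database engine has no routine reason to start a shell; rules 3 and 4 fire only once encryption is under way, so they confirm an incident rather than prevent one. Rules 2 and 5 depend on full parent-child lineage being recorded, which is why process-creation logging with parent PIDs should be enabled on database hosts.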
Further information on this ransomware strain is available here, including Indicators of Compromise: FARGO Ransomware (Mallox) Being Distributed to Unsecured MS-SQL Servers - ASEC BLOG (ahnlab.com)