Organizations are being warned of a wave of attacks centered on Microsoft SQL Server using ransomware called Fargo to encrypt recorded data and threaten victims that their information could be leaked online if they don’t pay.
Analysts at AhnLab Security Emergency Response Center (ASEC) posted the warning in a blog, noting that Fargo is without a doubt one of the most well-known ransomware, focusing on weak SQL Server situations, and was formerly commonly known as Mallox as a result of it The use of the .mallox file extension to encrypt information used an earlier wave of attacks.
Based on ASEC, the Fargo attack started by using SQL Server courses on infected laptops to obtain .web files via cmd.exe and powershell.exe consoles. This payload retrieves and executes additional malware code, generates and executes a .bat file, and then shuts down some processes and providers.
The next steps in the attack were to inject .web code into AppLaunch.exe and then attempt to delete the registry keys for Raccine, an open source software designed to provide some security against ransomware attacks.
Fargo runs the restore disable command and uses vssadmin to delete all shadow copies (which means stopping raccine), then shuts down various database related processes to make the contents of the database record data accessible for encryption.
If profitable, it appends “.Fargo3” to the filename of the encrypted recorded data and generates a ransom note with the filename “RECOVERY FILES.txt”. This tells victims an easy way to contact the attackers to pay the ransom, threatening: “If the ransom is not paid, your information may also be released.”
However, how did the attackers get into the SQL Server environment to deploy the ransomware? Based on ASEC, this often takes the form of brute force and dictionary attacks where account credentials are poorly managed. Attacks may also be aimed at exploiting programs that have not yet been fully patched and are subsequently weak to recognized vulnerabilities.
The ASEC blog recommends that a SQL Server executive should use strong passwords for his or her accounts that are hard to guess and change to protect database servers from brute force and dictionary attacks, something every IT technician values his identity to do. It also offers the same old advice that companies should apply security patches to protect against attacks that use well-known vulnerabilities.
According to a Verizon report released earlier this year, ransomware risk remains one of the many high security concerns companies face, accounting for 25 percent of detected security incidents and occurring in 70 percent of all malware infections. ®
SQL Server admins warned to beware of Fargo ransomware The Register