SQL Server admins warned about Fargo ransomware
From a city in North Dakota with a crime problem to file-scrambling nasty
Organizations are being warned about a wave of attacks targeting Microsoft SQL Server with ransomware known as Fargo, which encrypts files and threatens victims that their data may be published online if they do not pay up.
The warning comes in a blog posting from analysts at the AhnLab Security Emergency Response Center (ASEC), which says that Fargo is one of the most prominent ransomware strains targeting vulnerable SQL Server instances, and was previously also known as Mallox because it used the file extension .mallox for encrypted files in an earlier wave of attacks.
According to ASEC, a Fargo attack starts with the SQL Server process on a compromised machine being used to download a .net file via the cmd.exe and powershell.exe consoles. This payload fetches and runs additional malware code which generates and executes a BAT file that then shuts down some processes and services.
The next step in the attack is to inject .net code into AppLaunch.exe, which then attempts to delete the registry key for Raccine, an open source tool designed to provide some protection against ransomware attacks.
Fargo proceeds to execute the recovery deactivation command, and deletes all shadow copies using vssadmin (which is what Raccine is supposed to prevent), before shutting down various database-related processes to make the content of database files available for encryption.
If successful, the encrypted files have their filename appended with ".Fargo3" and a ransom note is generated with the filename "RECOVERY FILES.txt". The latter informs the victim how to contact the attackers in order to pay the ransom, and threatens: "In case of non-payment of the ransom, your data may be published on the public domain."
- Noberus ransomware gets info-stealing upgrades, targets Veeam backup software
- ChromeLoader, what took you so long? Malvertising irritant now slings ransomware
- Been hit by LockerGoga ransomware? A free fix is now out
- Ransomware gang threatens 1m-plus medical record leak
But how are the attackers getting access to SQL Server instances to deploy the ransomware in the first place? According to ASEC, this will typically take the form of brute force attacks and dictionary attacks on systems where account credentials are being poorly managed. Attacks may also seek to exploit systems that have not been fully patched and may thus be vulnerable to known exploits.
The ASEC blog offers the advice that SQL Server admins should use strong passwords that are difficult to guess for their accounts, and change them periodically to protect the database server from brute force attacks and dictionary attacks, which any IT pro worth their name will have been doing already. It also offers the usual recommendation that organizations should apply security patches to guard against exploits using known vulnerabilities.
The threat posed by ransomware remains one of the biggest security headaches for organizations, accounting for 25 percent of observed security incidents and present in 70 percent of all malware infections, according to a Verizon report published earlier this year. ®