FARGO ransomware infects servers with MS SQL

Security researchers at AhnLab Security Emergency Response Center (ASEC) published a report about the recently discovered distribution of FARGO ransomware. This malware family is well known; it was earlier also called Mallox because of its file extension, .mallox. The ransomware targets Microsoft SQL servers. According to ID Ransomware data, more than a hundred infection cases were reported in the last 30 days.

The infection process starts when the MS-SQL process uses cmd.exe and powershell.exe to download a file built with .NET. It then loads additional software, creates a .bat file, and terminates specific processes and services from the %temp% directory. Further actions include injecting the ransomware into AppLaunch.exe, removing the registry key of Raccine (an open-source ransomware protection solution), deactivating recovery, and terminating database-related processes. Once that is done, the encryption process starts.

Encrypted files are renamed and get the “.Fargo3” extension. The malware also creates a file named “RECOVERY FILES.txt” containing the ransom note, which gives instructions for contacting the attacker and threatens that some of the data from the server may be published online.
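The behaviours described above can be turned into simple detection logic. The following Python is an added example, not code from the ASEC report or this article: it triages process-creation and file-creation events for the MS-SQL process spawning cmd.exe or powershell.exe, the “.Fargo3” extension, and the “RECOVERY FILES.txt” note. The event schema, host names and paths are constructed for illustration; sqlservr.exe is the image name of the SQL Server engine process.

```python
import ntpath

SQL_PARENTS = {"sqlservr.exe"}            # image name of the SQL Server engine process
SHELLS = {"cmd.exe", "powershell.exe"}    # interpreters named in the infection chain
RANSOM_NOTE = "recovery files.txt"        # note file name from the article, lower-cased
ENCRYPTED_EXT = ".fargo3"                 # extension given to encrypted files

# Constructed sample telemetry; the field names are a hypothetical normalized schema.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"type": "process", "host": "db01", "parent": SQL, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "db01", "path": r"D:\Data\sales.mdf.Fargo3"},
    {"type": "file", "host": "db01", "path": r"D:\Data\RECOVERY FILES.txt"},
    {"type": "process", "host": "db02", "parent": SQL,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "ws07", "path": r"C:\Users\a\Documents\recovery plan.txt"},
]

def basename(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return a finding label for one event, or None when nothing matches."""
    if event["type"] == "process":
        # Legitimate xp_cmdshell use also produces this parent/child pair, so tune per host.
        if basename(event["parent"]) in SQL_PARENTS and basename(event["image"]) in SHELLS:
            return "sql-spawned-shell"
    elif event["type"] == "file":
        name = basename(event["path"])
        if name == RANSOM_NOTE:
            return "ransom-note"
        if name.endswith(ENCRYPTED_EXT):
            return "encrypted-file"
    return None

def triage(events):
    """Group findings per host: file indicators mean encryption ran (critical)."""
    hosts = {}
    for event in events:
        label = classify(event)
        if label:
            hosts.setdefault(event["host"], set()).add(label)
    return {host: ("critical" if labels & {"ransom-note", "encrypted-file"} else "high",
                   sorted(labels))
            for host, labels in hosts.items()}

if __name__ == "__main__":
    for host, (severity, labels) in triage(SAMPLE_EVENTS).items():
        print(host, severity, ", ".join(labels))
```

A host that shows only the shell spawn is rated high because that step precedes encryption, which leaves time to isolate the server.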

The servers are most likely compromised through dictionary attacks, brute force, or known vulnerabilities. The current recommendations for preventing infection are therefore to keep the system up to date and to use strong passwords.
