The security researchers at AhnLab Security Emergency Response Center (ASEC) published a report about the recently discovered distribution of FARGO ransomware. This is a well-known malware family; earlier it was also called Mallox because of the .mallox extension it used. The ransomware targets Microsoft SQL servers. According to data from ID Ransomware, there were more than a hundred reported infection cases in the last 30 days.
The infection starts when the MS-SQL process launches cmd.exe and powershell.exe to download a file built with .NET. That file loads additional malware, which creates a .bat file in the %temp% directory that terminates specific processes and services. The malware then injects the ransomware into AppLaunch.exe, removes the registry key of Raccine, an open-source ransomware protection tool, disables recovery, and terminates database-related processes. Once that is done, encryption begins.
The encrypted files are renamed with the “.Fargo3” extension, and the malware drops a ransom note named “RECOVERY FILES.txt”. The note gives instructions for contacting the attacker and threatens to publish some of the data from the server online.
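The chain above gives a defender four observable stages: the SQL Server process spawning a shell, the Raccine registry key being removed, a thread being injected into AppLaunch.exe, and files being renamed to .Fargo3 or a RECOVERY FILES.txt note appearing. The following is an added example (not code from ASEC or the report) that encodes each stage as a rule over a constructed, Sysmon-like event list; the field names (event_type, image, parent_image, key, target_image, target) and the Raccine key path are assumptions for this example, not the schema or values of any real sensor.

```python
"""Toy detector for the FARGO/Mallox infection chain described above.

Added example, not from the ASEC report. Events are plain dicts with an
assumed schema; nothing here reads a real sensor.
"""

SQL_SERVER = "sqlservr.exe"               # MS-SQL service binary (assumed name)
SHELLS = {"cmd.exe", "powershell.exe"}    # children named in the report
INJECT_TARGET = "applaunch.exe"           # injection target named in the report
RANSOM_EXT = ".fargo3"                    # extension appended to encrypted files
RANSOM_NOTE = "recovery files.txt"        # ransom note file name


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_sql_spawns_shell(ev: dict) -> bool:
    """Stage 1: the MS-SQL process launches cmd.exe or powershell.exe."""
    return (ev.get("event_type") == "process_create"
            and _basename(ev.get("parent_image", "")) == SQL_SERVER
            and _basename(ev.get("image", "")) in SHELLS)


def rule_raccine_key_deleted(ev: dict) -> bool:
    """Stage 2: a registry key belonging to Raccine is deleted.
    Assumption: match the vendor name anywhere in the key path instead of
    hard-coding a path the report does not give."""
    return (ev.get("event_type") == "registry_delete"
            and "raccine" in ev.get("key", "").lower())


def rule_inject_applaunch(ev: dict) -> bool:
    """Stage 3: a remote thread is created in AppLaunch.exe."""
    return (ev.get("event_type") == "remote_thread"
            and _basename(ev.get("target_image", "")) == INJECT_TARGET)


def rule_ransom_artifacts(ev: dict) -> bool:
    """Stage 4: a .Fargo3 file or the RECOVERY FILES.txt note is written."""
    if ev.get("event_type") not in ("file_create", "file_rename"):
        return False
    name = _basename(ev.get("target", ""))
    return name.endswith(RANSOM_EXT) or name == RANSOM_NOTE


RULES = [
    ("mssql_spawned_shell", rule_sql_spawns_shell),
    ("raccine_registry_removed", rule_raccine_key_deleted),
    ("injection_into_applaunch", rule_inject_applaunch),
    ("fargo3_artifact_written", rule_ransom_artifacts),
]


def scan(events: list) -> list:
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        for name, fn in RULES:
            if fn(ev):
                hits.append((name, i))
    return hits


def stage_summary(events: list) -> list:
    """Distinct rule names in first-hit order: a rough picture of how far the
    chain got on a host (a shell alone is a warning; a .Fargo3 rename means
    encryption has already started)."""
    seen = []
    for name, _ in scan(events):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample telemetry (not real logs) covering each stage plus two
# benign events that must not fire. The Raccine key path is a placeholder.
SAMPLE_EVENTS = [
    {"event_type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_type": "process_create",                       # benign: not from SQL
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "registry_delete", "key": r"HKLM\SOFTWARE\Raccine"},  # placeholder
    {"event_type": "remote_thread",
     "source_image": r"C:\Users\Public\loader.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"},
    {"event_type": "file_rename", "target": r"D:\Backups\customers.bak.Fargo3"},
    {"event_type": "file_create", "target": r"D:\Backups\RECOVERY FILES.txt"},
    {"event_type": "file_create", "target": r"D:\Backups\notes.txt"},    # benign
]

if __name__ == "__main__":
    for name, i in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {i}: {SAMPLE_EVENTS[i]}")
    print("stages seen:", stage_summary(SAMPLE_EVENTS))
```

The first rule is the one worth tuning most carefully: a SQL Server process spawning a shell is rare on a healthy database host, so it fires early in the chain, before any file has been encrypted, and is the point at which isolating the host still prevents damage.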
Most likely, the servers are compromised through dictionary attacks, brute force, or known vulnerabilities. The current recommendations for preventing infection are therefore to keep the system up to date and to use strong passwords.
Image Credit: Photo by Markus Spiske on Unsplash