A report from the security analysis team of AhnLab Security Emergency Response Center (ASEC) has revealed today a new cybercriminal campaign distributing FARGO ransomware that targets vulnerable Microsoft SQL servers. An infection of this kind can mean serious problems for businesses.
According to ASEC, the infection begins when the MS-SQL process downloads a .NET file through cmd.exe and powershell.exe. This file then downloads and loads additional malware, which generates and executes a BAT file that terminates specific processes and services.
According to ASEC, the malware infects AppLaunch.exe, a legitimate Windows program, to begin its malicious activity. It also runs a command that disables recovery, attempts to delete a registry key at a specific path, and terminates certain processes.
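As an added illustration (not code from the ASEC report), the following Python tags the process lineage described above when run over Sysmon-style process-creation events: the SQL service spawning a shell, AppLaunch.exe launched from a shell, and a batch file used to stop services. It assumes the MS-SQL service runs as sqlservr.exe, which the article does not name, and the sample events, paths and command lines are constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Assumption: the MS-SQL service process is sqlservr.exe; the article only says "the MS-SQL process".
SQL_SERVICE = "sqlservr.exe"
# Shells the article reports the SQL process using to fetch the .NET file.
SHELLS = {"cmd.exe", "powershell.exe"}
# Legitimate .NET host the article says the ransomware abuses to run its payload.
DOTNET_HOST = "applaunch.exe"

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path (Sysmon fields use backslashes)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection tags that fire for one Sysmon-style process-creation event."""
    parent = _basename(ev.get("ParentImage", ""))
    image = _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "").lower()
    tags: List[str] = []
    # Stage 1 from the article: the SQL service process itself launching a shell.
    if parent == SQL_SERVICE and image in SHELLS:
        tags.append("mssql_spawned_shell")
    # Stage 2: AppLaunch.exe started by a shell rather than by a .NET installer or service.
    if image == DOTNET_HOST and parent in SHELLS:
        tags.append("applaunch_from_shell")
    # Stage 3: a batch file that stops services or kills processes ahead of encryption.
    if image == "cmd.exe" and ".bat" in cmdline and ("net stop" in cmdline or "taskkill" in cmdline):
        tags.append("service_kill_batch")
    return tags

def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run every event through classify_event; keep (index, tags) for those that fired."""
    return [(i, t) for i, ev in enumerate(events) if (t := classify_event(ev))]

# Constructed sample events (not real telemetry); paths and command lines are illustrative.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c powershell.exe -c "<fetch .NET file>"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe", "CommandLine": "AppLaunch.exe"},
    {"ParentImage": r"C:\Windows\System32\services.exe",  # benign: no tag should fire
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",  # a .bat alone is not enough; needs a stop/kill
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Users\Public\PLACEHOLDER.bat"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c PLACEHOLDER.bat & net stop <SERVICE>"},
]
```

Running `scan(SAMPLE_EVENTS)` reports the three suspicious events and stays silent on the benign and incomplete ones; in production the same checks would be fed from Sysmon Event ID 1 or an EDR process stream.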
ASEC researchers further noted that the ransomware excludes certain directories and file extensions from encryption so that parts of the system remain accessible. A distinctive feature is that it also excludes files with an extension associated with Globeimposter. According to ASEC, this exclusion list contains not only the extensions used by FARGO, FARGO 2 and FARGO 3 but also FARGO 4, which is believed to be a future version of the ransomware.
The ransom note is then dropped with the file name “RECOVERY FILES.txt,” and the encrypted files are renamed with the FARGO 3 extension. Victims who attempt to repair the damage on their own using third-party software are warned in the note that their system’s files will be permanently erased. The cybercriminals also threaten to publicly release the information if the victims refuse to pay the ransom.
In addition to unpatched vulnerabilities, ASEC noted that weak account credentials frequently make database servers such as MS-SQL and MySQL the targets of brute-force and dictionary attacks. The analysis team concluded that such attacks can be avoided by fixing these weaknesses and taking extra precautions to protect passwords.
Accordingly, ASEC recommends that, to protect database servers from brute-force and dictionary attacks, MS-SQL server administrators use passwords that are difficult to guess for their accounts and change them regularly. They should also apply the latest patches to fend off attacks on known vulnerabilities.