Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Microsoft SQL servers hacked in TargetCompany ransomware attacks

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning.

MS-SQL servers are database management systems holding data for internet services and apps. Disrupting them can cause severe business trouble.

BleepingComputer has reported similar attacks in February, dropping Cobalt Strike beacons, and in July when threat actors hijacked vulnerable MS-SQL servers to steal bandwidth for proxy services.

The latest wave is more catastrophic, aiming for a quick and easy profit by blackmailing database owners.

FARGO ransomware, a.k.a. TargetCompany

Security researchers at AhnLab Security Emergency Response Center (ASEC) say that FARGO is one of the most prominent ransomware strains that focus on MS-SQL servers, along with GlobeImposter.

This malware family has been referred to as “Mallox” in the past because it used to append the “.mallox” extension to the files it encrypts.

Also, this strain is the same that Avast researchers named “TargetCompany” in a report in February, highlighting that files encrypted by it may be recovered for free in some cases.

Statistical data about ransomware attacks on the ID Ransomware platform indicate that the FARGO family of file-encrypting malware is quite active.

FARGO activity in the last 30 days
FARGO activity in the last 30 days (ID Ransomware)

Infection and execution

The researchers note that the ransomware infection starts with the MS-SQL process on the compromised machine downloading a .NET file using cmd.exe and powershell.exe.

The payload fetches additional malware (including the locker), generates and runs a BAT file that terminates specific processes and services.

Next, the ransomware payload injects itself into AppLaunch.exe, a legitimate Windows process, and tries to delete the registry key for the open-source ransomware “vaccine” called Raccine.

Additionally, the malware executes the recovery deactivation command and terminates database-related processes to make their contents available for encryption.

Processes killed by FARGO
Processes killed by FARGO prior to initiating encryption (ASEC)

The FARGO ransomware strain excludes some software and directories from encryption to prevent the attacked system from becoming completely unusable.

Exempt from encryption are several Microsoft Windows system directories, the boot files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file, or the thumbnail database.

After the encryption completes, the locked files are renamed using the “.Fargo3” extension, and the malware generates the ransom note (“RECOVERY FILES.txt”).

FARGO ransom note
FARGO ransom note

Victims are being threatened with leaking the stolen files on the threat actor’s Telegram channel, unless they pay the ransom.

Database servers are often compromised through brute-force and dictionary attacks that are successful against accounts protected with weak credentials. Alternatively, cybercriminals try to exploit known vulnerabilities that the target has not patched.

The recommendation for MS-SQL server administrators is to make sure that they use strong enough and unique passwords. Additionally, keeping the machine up-to-date with the latest fixes for security vulnerabilities is advice that never goes out of fashion.

Advertisement. Scroll to continue reading.

Source: https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in...

Cyber Security

Using a vulnerability in MOVEit Transfer, hackers gained access to 8 to 11 million individuals’ ‘Users Data’ protected health information. Maximus, a US government contracting...

Cyber Security

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word...

Cyber Security

A cybersecurity advisory issued Wednesday said that a major ransomware group had successfully exploited a previously unknown vulnerability in Progress Software’s MOVEit software. The...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO