Microsoft SQL servers targeted by ransomware attacks (27th September 2022)

Ref# AL2022_63 | Date: Sep 27th 2022

Description  

Security researchers have warned that vulnerable Microsoft SQL servers are being targeted in a new wave of attacks by the FARGO ransomware.  

Summary 

Vulnerable Microsoft SQL (MS-SQL) servers are being attacked by the FARGO ransomware, which encrypts sensitive information that the threat actors have also exfiltrated in order to gain leverage over the victim. Microsoft SQL servers are essential database management systems holding data for internet services and apps, so disrupting or compromising them would be catastrophic to both owners and users of those systems. 

The FARGO ransomware, also known as TargetCompany, has recently become one of the most prominent ransomware strains to focus on MS-SQL servers. It was previously known as Mallox because it encrypted files with the .mallox extension, and it uses a combination of the ChaCha20, AES-128 and Curve25519 algorithms for its encryption. The ransomware is typically spread through drive-by downloads, malicious attachments and links in spam emails, untrusted and suspicious freeware sites, online fraud, cracking tools and fake updates. 

The infection starts with the MS-SQL process on a compromised machine downloading a .NET payload via the cmd and PowerShell executables. The payload is responsible for fetching the ransomware and additional malware. It generates a .BAT file that terminates certain processes and services on the compromised machine. The ransomware is then injected into the legitimate Windows process AppLaunch.exe, from which it attempts to delete registry keys, terminate other database processes and deactivate recovery mode. FARGO excludes some system directories and files so that the system is not left completely unusable: boot files, the Tor browser, the thumbnail database and some user settings are exempted. After encryption, the files carry the extension .Fargo3 and the ransom note is generated. Victims are threatened with the stolen data being leaked on the threat actors' Telegram channel unless the ransom is paid.  
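The chain above gives defenders two process-lineage signals worth alerting on: sqlservr.exe spawning cmd.exe or PowerShell, and a shell starting AppLaunch.exe. The following Python helper, added here as an illustration and not part of the CIRT alert, runs those checks plus a lookup against the alert's MD5 indicators over constructed, Sysmon-like process-creation events; the field names and the shell-to-AppLaunch.exe rule are assumptions drawn from the description, not published detection logic.

```python
"""Flag process-creation events that match the FARGO / MS-SQL chain."""
import ntpath

# MD5 indicators copied from the alert's Indicators of Compromise section.
FARGO_MD5 = {
    "d687eb9fea18e6836bd572b2d180b144", "b4fde4fb829dd69940a0368f44fca285",
    "c54daefe372efa4ee4b205502141d360", "4d54af1bbf7357964db5d5be67523a7c",
    "41bcad545aaf08d4617c7241fe36267c",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the labels that apply to one event (keys are an assumption)."""
    parent, image = _name(event["parent_image"]), _name(event["image"])
    hits = []
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("mssql_spawned_shell")        # stage 1: SQL -> cmd/PowerShell
    if parent in SHELLS and image == "applaunch.exe":
        hits.append("shell_launched_applaunch")   # stage 2: injection host started
    if event.get("md5", "").lower() in FARGO_MD5:
        hits.append("known_fargo_hash")           # IoC match on the image hash
    return hits


def scan(events: list) -> dict:
    """Group labels per host so a multi-stage chain on one box stands out."""
    per_host: dict = {}
    for ev in events:
        for label in classify(ev):
            labels = per_host.setdefault(ev["host"], [])
            if label not in labels:
                labels.append(label)
    return per_host


# Constructed sample telemetry; paths and the payload name are placeholders.
SAMPLE_EVENTS = [
    {"host": "db01", "parent_image": r"C:\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "md5": "0" * 32},
    {"host": "db01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe",
     "md5": "f" * 32},
    {"host": "db01", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\payload.exe", "md5": "d687eb9fea18e6836bd572b2d180b144"},
    {"host": "web02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "md5": "1" * 32},
]

if __name__ == "__main__":
    for host, labels in scan(SAMPLE_EVENTS).items():
        print(host, labels)
```

A host that accumulates more than one label in a short window is the one to isolate first; a lone cmd.exe under explorer.exe, as on web02, produces nothing.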

Indicators of Compromise 

The hashes and URL below are associated with the FARGO ransomware: 

  1. MD5: d687eb9fea18e6836bd572b2d180b144, b4fde4fb829dd69940a0368f44fca285, c54daefe372efa4ee4b205502141d360, 4d54af1bbf7357964db5d5be67523a7c, 41bcad545aaf08d4617c7241fe36267c 

  2. Downloader: hxxp://49.235.255[.]219:8080/Pruloh_Matsifkq[.]png 

  3. SHA-1: 0e7f076d59ab24ab04200415cb35037c619d0bae 

  4. SHA-256: 863e4557e550dd89e5ca0e43c57a3fc1889145c76ec9787e97f76e959fc8e1e1 

  5. Vhash: 015056655d155510f8z73hz2075zabz 

  6. Imphash: c8318053dac1b12c686403fde752954c 

Remediation and Mitigation 

To protect against ransomware, and to respond to an infection, users are advised to follow the steps below: 

  1. Have a data backup and recovery plan for all critical information, as this is the best way to recover quickly and efficiently from a ransomware attack. Isolate and reimage the infected device, then perform the recovery procedure. 

  2. Keep operating systems and software up to date with the latest security updates and patches so that known vulnerabilities cannot be exploited by attackers. 

  3. Avoid clicking on suspicious links and attachments in emails. 

  4. Avoid freeware and cracked software, as these can be bundled with malware. 

  5. Use reliable, dependable anti-malware software. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  
