New SQL Server Attack via FARGO Ransomware – Vulnerable Systems Require Attention

Threat actors are using more sophisticated methods to target Microsoft SQL Server. In recent months, Microsoft reported attacks that use Cobalt Strike beacons to drop coin-miners and execute other malicious commands. Moreover, threat actors have been observed hijacking vulnerable MS-SQL servers to steal bandwidth for proxy services. However, the latest wave is especially devastating since it’s centered around blackmailing database owners for profit.

What is FARGO Ransomware?

FARGO ransomware, previously known as Mallox ransomware, is a type of malware that targets vulnerable SQL Servers. According to ID Ransomware, a considerable number of these attacks have been reported recently, indicating that what has been previously known as Mallox ransomware is alive and well.

How it Works

AhnLab Security Emergency Response Center (ASEC) reported that a FARGO infection starts by downloading a .NET file to the MS-SQL process on the compromised machine by using cmd.exe and powershell.exe. From there, the payload brings forth additional malware (such as the locker) and generates and runs a BAT file that ends specific processes and services.

Next, the ransomware payload injects itself into AppLaunch.exe, a legitimate Windows process, and tries to delete the registry key for the open-source ransomware “vaccine” called Raccine. Once files are encrypted, the ransomware renames its target files with the extension “.Fargo3” and generates a ransomware note. In most cases, the attacker blackmails victims by threatening that they will leak their files on their Telegram channel unless they make a payment.

These types of attacks have become more common in recent years, as hackers have become more sophisticated with their methods. Threat actors have also been reported to offer Ransomware as a Service, which is a fast-growing dark business model that allows ransomware developers to lease or sell their “products” to other parties. 

How to Protect Your SQL Server from Ransomware Attacks 

Fortunately, there are steps to protect your SQL Server from similar attacks and prevent your data from falling into the wrong hands.

1- Secure your Management Ports with Just-in-Time access

Just-in-Time (JIT) access can lock down inbound traffic to your Azure Virtual Machines with Microsoft Defender. This feature can significantly reduce vulnerability to attacks while helping administrators maintain access should the need to connect to a VM arise. Full guide on enabling Just-in-Time access is available here.

2- Restrict Administrator Accounts

When possible, restrict administrator accounts so they can only be used from specific IP addresses or locations. This will prevent attackers from logging in with an administrator account even if they gain access to the server. 

Additional Recommendations

• Make a habit of using long and unique passwords, and periodically change them.
• Install all system updates as soon as they are released. Updates often contain important vulnerability patches.
• Continue to learn about vulnerabilities related to your system to remain a step ahead of attackers.