MS SQL servers are getting hacked to deliver ransomware to orgs
Cybercriminals wielding the FARGO (aka Mallox, aka TargetCompany) ransomware are targeting Microsoft SQL (MS SQL) servers, AhnLab’s ASEC analysis team has warned.
They haven’t pinpointed how the attackers are getting access to the targeted servers, but noted that typical attacks targeting database servers include brute force and dictionary attacks aimed at ferreting out the passwords of existing, poorly secured accounts.
“And there may be vulnerability attacks on systems that do not have a vulnerability patch applied,” they added.
Database servers are regular targets
Microsoft SQL Server is a popular database server and management system, whose main purpose is to store data and deliver it when requested by various types of applications. Other widely used database server solutions include MySQL, Redis, PostgreSQL, and MongoDB.
MS SQL servers are often targeted and compromised by attackers with various goals in mind: to make them part of a cryptomining botnet, to turn them into proxy servers that could be exploited for more or less malicious purposes, and so on.
This time around, the attacks can result in a more immediate, far-reaching and destructive effect on the organizations that run these servers.
How the attack unfolds
After the MS SQL server has been compromised, the attackers make it download a .NET file via Command Prompt (cmd.exe) and PowerShell (powershell.exe), which in turn downloads and loads additional malware.
“The loaded malware generates and executes a BAT file which shuts down certain processes and services, in the %temp% directory,” the researchers explained.
“The ransomware’s behavior begins by being injected into AppLaunch.exe, a normal Windows program. It attempts to delete a registry key on a certain path, and executes the recovery deactivation command, and closes certain processes.
The ransomware encrypts some files and avoids others, including files with an extension associated with its own activities (.FARGO, .FARGO2, etc.) and that of GlobeImposter, another ransomware threat targeting vulnerable MS SQL servers.
Finally, it shows the ransom note:
While files encrypted by some of the previous versions of the Mallox/TargetCompany ransomware can be decrypted, there is currently no free decryptor for FARGO-encrypted files.
To prevent falling victim to this and other threats coming via compromised MS SQL servers, admins are advised to regularly patch their installations and to use complex, unique passwords to protect their accounts.