{"id":10846,"date":"2022-10-03T12:07:13","date_gmt":"2022-10-03T12:07:13","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=10846"},"modified":"2022-10-03T12:08:05","modified_gmt":"2022-10-03T12:08:05","slug":"microsoft-sql-fargo-ransomware","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/microsoft-sql-fargo-ransomware\/","title":{"rendered":"Fargo Ransomware aims at vulnerable Microsoft SQL servers"},"content":{"rendered":"<p style=\"text-align: justify\">Ransomware operators rarely restrict themselves to a single type of target. Their attacks range from small coffee shops to strikes <a href=\"https:\/\/gridinsoft.com\/blogs\/gamaredon-hack-group\/\">on governmental organisations<\/a>, with their software adapted accordingly. However, every classic handbook on offensive operations says that the key is to find a vulnerability in the target and exploit it. <strong>Such a tactic became an option for Fargo ransomware<\/strong> &#8211; or, as it was known earlier, Mallox or TargetCompany<span id='easy-footnote-1-10846' class='easy-footnote-margin-adjust'><\/span><span class='easy-footnote'><a href='https:\/\/gridinsoft.com\/blogs\/microsoft-sql-fargo-ransomware\/#easy-footnote-bottom-1-10846' title='&lt;a href=&quot;https:\/\/therecord.media\/free-decrypter-released-for-the-targetcompany-ransomware\/&quot; rel=&quot;noopener noreferrer nofollow&quot; target=&quot;_blank&quot;&gt;Earlier notes&lt;\/a&gt; about this group under a different name.'><sup>1<\/sup><\/a><\/span>. The crooks chose Microsoft SQL as the basis for their attacks.<\/p>\n<h2>How do hackers use MS-SQL?<\/h2>\n<p style=\"text-align: justify\">Microsoft SQL is a database management system developed by the technology giant from Redmond. It has a decent market share, which gives the crooks a large pool of potential victims. 
More importantly, MS-SQL has <a href=\"https:\/\/gridinsoft.com\/exploits\">a lot of vulnerabilities<\/a> that allow the crooks to use it as a gateway into the entire network. And as the statistics show, they are quite active with this approach &#8211; <strong>between August 24 and September 23, there were over a hundred attack cases<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-submissions.png\" alt=\"Fargo ransomware submissions\" width=\"1216\" height=\"612\" class=\"aligncenter size-full wp-image-10853\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-submissions.png 1216w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-submissions-300x151.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-submissions-1024x515.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-submissions-768x387.png 768w\" sizes=\"auto, (max-width: 1216px) 100vw, 1216px\" \/><\/p>\n<p style=\"text-align: justify\">According to the researchers, the infection chain of Fargo ransomware begins with <strong>a .NET file downloaded by the MS-SQL process via cmd.exe<\/strong> and powershell.exe. 
The downloaded file loads additional malware, then generates and executes a BAT file that disables certain processes and services.<\/p>\n<h3>List of the processes disabled by Fargo ransomware:<\/h3>\n<div class=\"su-row\"><div class=\"su-column su-column-size-1-2\"><div class=\"su-column-inner su-u-clearfix su-u-trim\"><code>fdhost.exe<br \/>\nfdlauncher.exe<br \/>\nMsDtsSrvr.exe<br \/>\nmsmdsrv.exe<br \/>\nmysql.exe<\/code><br \/>\n<\/div><\/div>\n<div class=\"su-column su-column-size-1-2\"><div class=\"su-column-inner su-u-clearfix su-u-trim\"><code>ntdbsmgr.exe<br \/>\noracle.exe<br \/>\nReportingServecesService.exe<br \/>\nsqlserv.exe<br \/>\nsqlservr.exe<\/code><\/div><\/div><\/div>\n<p style=\"text-align: justify\">After that, the malware injects itself into AppLaunch.exe and tries to delete the registry key of the Raccine utility, a tool that kills any process attempting to delete Windows shadow copies via vssadmin.exe. In addition, the malware disables recovery and terminates all processes associated with databases so that their contents are available for encryption. 
It also creates and modifies the following registry entries:<\/p>\n<p><code style=\"font-size:11px\"><br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\\open\\command\trundll32.exe<br \/>\nSet value (str)\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\\open\\command\\ = \"%SystemRoot%\\\\system32\\\\NOTEPAD.EXE %1\"\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_Classes\\Local Settings\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\.tohnichi\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\\edit\\command\trundll32.exe<br \/>\nSet value (str)\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\.tohnichi\\ = \"tohnichi_auto_file\"\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\\edit\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_Classes\\Local Settings\trundll32.exe<br \/>\nSet value (str)\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\\trundll32.exe<br \/>\nSet value (str)\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\\edit\\command\\ = \"%SystemRoot%\\\\system32\\\\NOTEPAD.EXE 
%1\"\trundll32.exe<br \/>\nKey created\t\\REGISTRY\\USER\\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\\tohnichi_auto_file\\shell\\open\trundll32.exe<br \/>\n<\/code><\/p>\n<p style=\"text-align: justify\">Still, the malware is designed to skip certain parts of the system \u2013 in order to keep it usable and leave the victim able to read the ransom note. It generally targets <strong>databases, MS Office\/OpenOffice documents, text files, pictures, videos and image files<\/strong>. After successful encryption, the files receive the .Fargo3 extension. The malware uses a combination of <a href=\"https:\/\/id-ransomware.blogspot.com\/2021\/06\/tohnichi-ransomware.html\" rel=\"noopener noreferrer nofollow\" target=\"_blank\">ChaCha20, Curve25519 and AES-128<\/a>, which makes the files impossible to decrypt with the available decryption tools. A plain-text file named RECOVERY FILES.txt contains the following instructions:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-ransom-note.png\" alt=\"Fargo Ransomware note\" width=\"1112\" height=\"860\" class=\"aligncenter size-full wp-image-10849\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-ransom-note.png 1112w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-ransom-note-300x232.png 300w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-ransom-note-1024x792.png 1024w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-ransom-note-768x594.png 768w\" sizes=\"auto, (max-width: 1112px) 100vw, 1112px\" \/><\/p>\n<h2>Ransom demands<\/h2>\n<p style=\"text-align: justify\">Victims are threatened with the dumping of stolen files on the Telegram channel <a href=\"https:\/\/gridinsoft.com\/ransomware\">of the ransomware operators<\/a> if they do not pay the ransom. 
Experts warn that databases are most often compromised by dictionary and brute-force attacks, so accounts with weak passwords are at risk. In addition, attackers exploit known vulnerabilities that have not been patched. Therefore, <strong>the obvious advice for MS-SQL server administrators is to install all the latest security updates for MS-SQL<\/strong> and change passwords to stronger ones. Keeping all other software updated is also recommended, since protection against these particular crooks does not guarantee protection against many others.<\/p>\n<p style=\"text-align: justify\">The ransom size may vary, depending on the number of files encrypted and the time elapsed since the encryption. A common practice among ransomware groups is to refuse any cooperation on decryption if the company has waited too long. Moreover, some of them <a href=\"https:\/\/gridinsoft.com\/blogs\/blackcat-gang-posts-the-leaks-in-surface-web\/\">start publishing the leaked data<\/a> on the Surface Web &#8211; even sensitive details may become available to everyone. Contacting the authorities can also anger the crooks and provoke spiteful actions, for example &#8211; publishing the details of how they got into the network.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware rarely chooses the sole type of targets for their attacks. They roam from attacks on small coffee shops to strikes on governmental organisations, with the corresponding adaptations to their software. However, all classic handbooks about offensive operations state that it is important to find a vulnerability of a target and exploit it. 
Such a [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":10866,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17],"tags":[55,670],"class_list":{"0":"post-10846","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"tag-ransomware","9":"tag-threats"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/10\/fargo-featured.jpg","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/10846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=10846"}],"version-history":[{"count":15,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/10846\/revisions"}],"predecessor-version":[{"id":10869,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/10846\/revisions\/10869"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/10866"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=10846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=10846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=10846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templat
ed":true}]}}