Microsoft SQL servers are succumbing to FARGO ransomware, security researchers at AhnLab Security Emergency Response Center (ASEC) have warned.
Researchers from AhnLab say the newly detected variant impersonates an older ransomware family, GlobeImposter, and begins spreading after Cobalt Strike Beacons have been dropped onto the victim machines.
According to ASEC’s researchers, Fargo is one of the most dangerous and widely used forms of ransomware among attackers targeting Microsoft SQL servers. The variant is also known as Mallox, because it tends to append the .mallox extension during file encryption.
The ransomware encrypts the data located on the victim’s computer using a combination of ChaCha20, AES-128, and Curve25519 algorithms. It then displays a message that demands payment in Bitcoin to decrypt the data.
FARGO ransomware is injected into a Windows process called AppLaunch[.]exe, from which it attempts to delete certain registry keys and terminates database-related tasks. It also disables recovery by running a command.
After this, the attackers rename the encrypted files with the .Fargo3 extension (e.g., OriginalFileName.FileExtension.Fargo3), while the ransom note generated by the malware is written under the file name “RECOVERY FILES.txt.” In the note, victims are threatened with permanent deletion of their files if they use third-party software to attempt recovery on their own.
Additionally, the attackers state that they will publish the stolen data publicly if the victims refuse to pay the ransom.