TargetCompany Ransomware Attacks Target Microsoft SQL Servers

According to AhnLab Security Emergency Response Center (ASEC) researchers, the FARGO ransomware is a highly active strain that focuses on MS-SQL servers, alongside GlobeImposter. Previously known as “Mallox” for its use of the “.mallox” file extension, the FARGO family of malware has also been referred to as “TargetCompany” by Avast researchers.

Although statistical data from the ID Ransomware platform indicates that the FARGO ransomware is highly active, there are some cases where encrypted files can be recovered for free.

The researchers note that the FARGO ransomware infection typically starts with the MS-SQL process on the affected machine downloading a .NET file using cmd.exe and powershell.exe. The payload then downloads additional malware and generates and runs a BAT file that terminates specific processes and services.

After that, the ransomware payload injects itself into the AppLaunch.exe process, and attempts to delete the registry key for the open-source ransomware “vaccine” called Raccine. Additionally, the malware executes the recovery deactivation command and terminates database-related processes to make their contents available for encryption.

To prevent the attacked system from becoming entirely unusable, the FARGO ransomware excludes several Microsoft Windows system directories, boot files, Tor Browser, Internet Explorer, user customizations and settings, debug log files, and the thumbnail database from encryption.

Once encryption is complete, the locked files are renamed with the “.Fargo3” extension, and the malware generates the ransom note (“RECOVERY FILES.txt”). The attackers threaten victims with leaking their stolen files on their Telegram channel if they don’t pay the ransom.

To prevent compromise, MS-SQL server administrators are advised to use strong, unique passwords and keep their machines up-to-date with the latest security patches. Brute-force and dictionary attacks that exploit weak credentials, as well as known vulnerabilities that have not been patched, are common methods for cybercriminals to exploit database servers.