Microsoft SQL servers targeted in ransomware attacks

ID theft
(Image credit: Future)

An ongoing campaign is looking to distribute the FARGO ransomware to as many Microsoft SQL servers as possible, experts have found. 

According to cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC), threat actors are picking up pace, looking for unprotected MS-SQL servers, or those protected by weak and easily cracked passwords.

The attackers are engaged in brute-force and dictionary attacks, the researchers further explain, meaning that once they set their sights on specific servers, they’ll try as many password combinations as possible, until one sticks.

Leaks on Telegram

Endpoints with weak passwords can be accessed that way, and once they access the servers, the attackers would encrypt the files and give them a .Fargo3 extension, and place a ransom note titled RECOVERY FILES.txt.

The ransomware skips a couple of Windows system directories while encrypting, including boot files, Tor Browser, Internet Explorer, user customization and settings, the debug log file, and the thumbnail database. In the ransom note, the attackers threaten to release the stolen files on their Telegram channel, unless their demands are met. 

Microsoft SQL servers host data used by various internet services and apps, making them pivotal to the day-to-day operations of many organizations. As such, they’re a major target for various cybercriminals looking to deploy malware and steal sensitive data. 

So far this year, TechRadar Pro has reported twice on crooks attacking MS-SQL servers, once in April, and once in May. In April, a threat actor was spotted dropping Cobalt Strike beacons on vulnerable servers, while in May, crooks were observed brute-force attacking the endpoints.

"The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem," the Microsoft Security Intelligence team revealed at the time.

This attack, BleepingComputer claims, is “more catastrophic”, as it aims for a quicker profit through blackmail.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.