The ongoing campaign aims to distribute FARGO ransomware (opens in a new tab) to as many Microsoft SQL servers as possible, experts have found.
According to cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC), cybercriminals are gaining momentum by looking for unprotected MS-SQL servers or protected by weak and easy-to-break passwords.
Attackers are involved in brute-force and dictionary attacks, the researchers explain, which means that once they’ve dealt with specific servers, they’ll try as many password combinations as possible until one sticks.
Telegram leaks
This way, endpoints with weak passwords can be accessed, and after accessing the servers, the attackers will encrypt the files and give them the .Fargo3 extension and place a ransom note titled RECOVERY FILES.txt.
During encryption, the ransomware bypasses several Windows directories, including boot files, Tor Browser, Internet Explorer, user customization and settings, debug log file, and thumbnail database. In the ransom note, the attackers threaten to release stolen files on their Telegram channel, unless their demands are met.
Microsoft SQL servers store data used by various web services and applications, making them crucial in the daily operations of many organizations. Consequently, they are the prime target of various cyber criminals looking to implement malware (opens in a new tab) and steal confidential data.
So far this year, TechRadar Pro it reported twice about fraudsters targeting MS-SQL servers, once in April and once in May. In April, it was noticed that a cybercriminal dropped Cobalt Strike beacons on vulnerable servers, while in May, scammers attacking endpoints by force were observed.
“Attackers achieve fileless persistence by creating sqlps.exe, a PowerShell wrapper to run cmdlets built into SQL, to run recognition commands, and change the SQL service run mode to LocalSystem,” the Microsoft Security Intelligence team revealed at the time. .
This attack A hissing computer it claims to be “more catastrophic” as it aims to profit faster through blackmail.
By: A hissing computer (opens in a new tab)