Threat actors are using FARGO ransomware to target Microsoft SQL servers.
The initial access vector is not known, but attacks against database servers commonly include brute-force and dictionary attacks aimed at ferreting out the passwords of existing, poorly secured accounts.
After the MS SQL server has been compromised, the attackers make it download a .NET file via Command Prompt and PowerShell, which in turn downloads and loads additional malware.
The loaded malware generates a BAT file in the %temp% directory and executes it to shut down certain processes and services.
The ransomware's behavior begins with injection into AppLaunch.exe. It attempts to delete a registry key on a certain path, executes the recovery deactivation command, and closes certain processes.
The ransomware encrypts some files and avoids others, including files with an extension associated with its own activities (.FARGO, .FARGO2, etc.) and those of GlobeImposter, another ransomware threat targeting vulnerable MS SQL servers.
To prevent falling victim to this and other threats coming via compromised MS SQL servers, admins are advised to regularly patch their installations and to use complex, unique passwords to protect their accounts.