Cybercriminals are targeting vulnerable Microsoft SQL Server instances with FARGO ransomware in a new wave of attacks [5]. This ransomware variant encrypts files and adds the “.FARGO” extension [5], restricting access to data on the affected machines [5]. Along with GlobeImposter [5], FARGO is one of the well-known ransomware variants targeting SQL Server [5].

Description

The Mallox ransomware group [1] [2] [4] [6] [7], also known as TargetCompany [4], Fargo [4], and Tohnichi [4], has recently resurfaced and stepped up its targeted attacks on organizations with vulnerable SQL servers [1]. The group has developed a new ransomware variant that appends the “.malox” extension to the files it encrypts. It exploits remote code execution vulnerabilities in SQL servers to gain access to targeted networks [4], and has added familiar malware tools, the Remcos RAT and the BatCloak obfuscator, to evade detection. The attackers communicate through an Onion link provided in the ransom note [3]. The group uses various methods to achieve persistence and hide its malicious activity [4], including changing URLs and using the Metasploit hacking tool [4].

Mallox claims to have successfully infected numerous organizations across various industries worldwide [2]. Its method of entry remains consistent [2]: unsecured Microsoft SQL Servers, with initial access gained through brute force attempts against publicly exposed instances [3]. Suspicious command line activity associated with ‘sqlservr.exe’ has been observed [3]. In later stages of the attack [1] [6], the group changes tactics to maintain a stealthy presence and hide its malicious activity [1] [6].

To protect against Mallox ransomware [2], organizations must strengthen their defenses and ensure their SQL servers are not susceptible to exploitation [2]. It is recommended to follow security best practices [3], such as patching vulnerabilities and deploying AI- and machine learning-based file checking and behavior monitoring solutions [4] [6], to protect against these threats [3] [4]. Shared files on the network are also at risk during ransomware attacks [3], so precautionary measures can help minimize damage to shared data within the network [3]. By securing Microsoft SQL Server instances and following these precautions [3], the risk of Mallox ransomware attacks can be significantly reduced [3].
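Two of the observations above, brute force attempts against exposed instances and suspicious command line activity under ‘sqlservr.exe’, translate directly into detection logic. The script below is an added example written for this summary, not code from any of the cited reports; the event records, field names and IP addresses are constructed sample telemetry in a simplified normalised form, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): simplified process-creation
# and SQL Server failed-login records, as a SIEM might normalise them.
SQL_BINN = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn"
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2023-08-04T10:00:01", "parent": SQL_BINN + r"\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "ts": "2023-08-04T10:00:02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "ts": "2023-08-04T10:00:05", "parent": SQL_BINN + r"\sqlservr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]
# Six failed 'sa' logins from one address within 30 seconds, two from another.
SAMPLE_EVENTS += [{"type": "login_failed", "ts": f"2023-08-04T10:01:{5 * i:02d}",
                   "user": "sa", "src": "203.0.113.5"} for i in range(6)]
SAMPLE_EVENTS += [{"type": "login_failed", "ts": f"2023-08-04T10:02:{30 * i:02d}",
                   "user": "sa", "src": "198.51.100.7"} for i in range(2)]

# Shell and script hosts that the database engine has no business launching.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path):
    """Last path component, lower-cased, so parent/child images compare cleanly."""
    return path.rsplit("\\", 1)[-1].lower()

def shell_spawned_by_sqlserver(events):
    """Process-creation events where sqlservr.exe is the parent of a shell/script host."""
    return [e for e in events if e.get("type") == "process"
            and basename(e["parent"]) == "sqlservr.exe"
            and basename(e["image"]) in SHELL_HOSTS]

def login_bruteforce(events, threshold=5, window_s=60):
    """Map source IP -> failure count for IPs with >= threshold failed logins in window_s."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("type") == "login_failed":
            by_src[e["src"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            # Count failures in the span [start, start + window_s] (sliding window).
            n = sum(1 for t in times[i:] if t - start <= timedelta(seconds=window_s))
            if n >= threshold:
                flagged[src] = n
                break
    return flagged

if __name__ == "__main__":
    for e in shell_spawned_by_sqlserver(SAMPLE_EVENTS):
        print("ALERT shell spawned by SQL Server:", e["ts"], e["cmdline"])
    for src, n in login_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {n} failed SQL logins from {src} within 60s")
```

In production the same two rules would run over Sysmon or EDR process-creation events and SQL Server failed-login audit records rather than the constructed list, with the threshold and window tuned to the server's normal login traffic.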

Conclusion

Mallox ransomware has experienced a significant increase in activity [7], with a focus on stealing data and threatening to publish it as leverage [7]. The group targets poorly secured MS-SQL servers through dictionary attacks to gain access to victims’ networks [7]. Additionally, the Mallox ransomware group has been recruiting affiliates for their ransomware-as-a-service program [7], suggesting a potential increase in attacks [7]. Security teams should prioritize patching gaps [6], checking all attack surfaces [6], and implementing AI- and machine learning-based solutions for file checking and behavior monitoring [4] [6]. Best practices for network blocking [6], ransomware detection [5] [6], and user awareness are also recommended [6]. Mallox poses a significant threat to organizations with vulnerable SQL servers [6], and proactive measures are necessary to defend against this persistent ransomware group [6].

References

[1] https://www.darkreading.com/ics-ot/mallox-ransomware-group-steams-ahead-with-new-variant-evasion-tactics
[2] https://thenimblenerd.com/article/malloxs-madcap-mayhem-unmasking-the-new-sql-server-exploits/
[3] https://www.seqrite.com/blog/threat-advisory-mallox-ransomware-strikes-unsecured-mssql-servers
[4] https://vulnera.com/newswire/mallox-ransomware-group-enhances-malware-variants-and-evasion-techniques/
[5] https://www.channelpartnerinsight.com/news/4056952/microsoft-sql-servers-targeted-fargo-ransomware-attacks
[6] https://cybersecurity-see.com/mallox-ransomware-group-enhances-malware-variants-and-evasion-tactics/
[7] https://techkranti.com/04-aug-23-in-security-news-today/