On September 19, 2022, AhnLab published a blog post on a new ransomware variant, FARGO. As the latest variant of TargetCompany ransomware, FARGO mainly targets Microsoft's MS-SQL servers and English-speaking organizations [1]. The ransomware threat actors use "the double extortion method" and pressure their victims to pay the ransom by threatening to release stolen sensitive data to the public.
Picus Labs added attack simulations for FARGO ransomware and its earlier variants to the Picus Threat Library. In this blog post, we explain the techniques used by FARGO ransomware and how the ransomware group operates.
FARGO Ransomware Group
The TargetCompany ransomware group started its operations in June 2021 and was initially named Mallox because it appended the ".mallox" extension to encrypted files [2]. The ransomware targets organizations in Asia and does not encrypt files on infected machines located in Russia, Kazakhstan, Ukraine, or Qatar [4]. Later, in February 2022, Avast released a decryptor for Mallox ransomware to help victims recover their files [3].
In September 2022, the TargetCompany group released a new variant of its ransomware called FARGO. This variant encrypts the victim's files with a hybrid encryption scheme that combines ChaCha20, AES-128, and Curve25519. After encrypting a file, the ransomware appends the ".FARGO3" extension to it. To avoid encrypting already-encrypted files, FARGO skips files with the extensions listed in Table 1.
Table 1: Excluded File Extensions [1]
According to AhnLab, the threat actors start their attack by injecting the ransomware executable into AppLaunch.exe. They then delete registry keys and shadow copies to impair recovery. Prior to encryption, the ransomware kills SQL-related processes and proceeds to encrypt the files on the system, skipping the files listed in Table 2:
Table 2: The files that FARGO does not encrypt [1]
After encrypting the victim's files, FARGO ransomware leaves a ransom note.
Figure 1: Ransom note by FARGO ransomware [1]
TTPs Used by FARGO Ransomware Group
FARGO ransomware group uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:
Tactic: Initial Access & Persistence
- T1078 Valid Accounts
FARGO threat actors gain initial access to target networks using credentials acquired via brute force attacks.
Tactic: Execution
- T1059 Command and Scripting Interpreter
After initial access, FARGO threat actors transfer additional malware to the compromised network. This malware generates and executes a BAT file to shut down certain processes and services.
vssadmin.exe delete shadows /all /quiet
Example 1: Commands used to inhibit system recovery [3]
- fdhost.exe
- msmdsrv.exe
- oracle.exe
- sqlwrite.exe
- fdlauncher.exe
- mysql.exe
- ReportingServicesService.exe
- MsDtsSrvr.exe
- ntdbsmgr.exe
- sqlserv.exe
Table 3: List of processes and services shut down by FARGO ransomware
Tactic: Privilege Escalation
- T1134 Access Token Manipulation
FARGO group uses secedit.exe to assign its process "SeDebugPrivilege" and "SeTakeOwnershipPrivilege". This method is often used to elevate privileges of assigned processes.
Tactic: Defense Evasion
- T1055 Process Injection
FARGO ransomware is executed via process injection to an already running process called AppLaunch.exe.
- T1112 Modify Registry
FARGO ransomware deletes the registry keys for Raccine, a popular ransomware protection tool.
- T1562.001 Impair Defenses: Disable or Modify Tools
FARGO ransomware deletes the following registry keys to inhibit the use of vssadmin.exe, wmic.exe, wbadmin.exe, bcdedit.exe, powershell.exe, diskshadow.exe, net.exe, and taskkill.exe.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
Example 2: Deleted registry keys to inhibit the use of certain processes [1]
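The three steps above leave distinct traces: a process-creation event for the vssadmin command in Example 1, process-creation events for the shutdown of the Table 3 database processes, and registry key deletions under Image File Execution Options for the binaries in Example 2. The following detection logic is an added example written for this post, not code from Picus or from the original AhnLab analysis; it runs over constructed Sysmon-style events (the key=value layout, the AppLaunch.exe path and every other value are assumed for illustration) and flags the three steps, then checks whether more than one of them appears, since a lone vssadmin run or a single taskkill is routine administration.

```python
"""Triage of constructed Sysmon-style events for FARGO's recovery-inhibition and
defense-impairment steps (Example 1, Table 3 and Example 2). Added example; the
event format and every value below are constructed for illustration."""
import re

# Table 3: database processes and services that FARGO's BAT file shuts down.
SQL_PROCESSES = {
    "fdhost.exe", "msmdsrv.exe", "oracle.exe", "sqlwrite.exe", "fdlauncher.exe",
    "mysql.exe", "reportingservicesservice.exe", "msdtssrvr.exe", "ntdbsmgr.exe",
    "sqlserv.exe",
}

# Example 2: executables whose Image File Execution Options keys FARGO deletes.
IFEO_TARGETS = {
    "vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe", "powershell.exe",
    "diskshadow.exe", "net.exe", "taskkill.exe",
}
# Sysmon reports registry paths with the HKLM prefix; the trailing backslash is intentional.
IFEO_PREFIX = ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
KILL_CMD = re.compile(r"\b(taskkill|net\s+stop|sc\s+stop)\b", re.IGNORECASE)


def parse_event(line):
    """Split a constructed 'Key=Value|Key=Value' event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage(lines):
    """Return (technique, description, evidence) tuples for events matching one of
    the three FARGO steps; every other event is ignored."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":                      # process creation
            cmd = ev.get("CommandLine", "")
            if SHADOW_DELETE.search(cmd):
                findings.append(("T1490", "shadow copy deletion (Example 1)", cmd))
            elif KILL_CMD.search(cmd):
                hit = sorted(p for p in SQL_PROCESSES if p in cmd.lower())
                if hit:
                    findings.append(("T1059", f"database process shutdown {hit} (Table 3)", cmd))
        elif ev.get("EventID") == "12" and ev.get("EventType") == "DeleteKey":
            target = ev.get("TargetObject", "")
            if target.lower().startswith(IFEO_PREFIX.lower()):
                leaf = target[len(IFEO_PREFIX):].lower()
                if leaf in IFEO_TARGETS:
                    findings.append(("T1562.001", "IFEO key deletion (Example 2)", target))
    return findings


def is_fargo_like(findings):
    """True when at least two of the three steps appear, i.e. the chain described in
    the post rather than one noisy event (admins run vssadmin and taskkill too)."""
    return len({f[0] for f in findings}) >= 2


# Constructed sample events; paths and parent processes are illustrative only.
APPLAUNCH = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=" + APPLAUNCH
    + "|CommandLine=cmd.exe /c C:\\Users\\Public\\kill.bat",
    "EventID=1|Image=C:\\Windows\\System32\\vssadmin.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventID=1|Image=C:\\Windows\\System32\\taskkill.exe|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=taskkill /f /im sqlserv.exe",
    "EventID=12|Image=" + APPLAUNCH + "|EventType=DeleteKey|TargetObject=" + IFEO_PREFIX + "vssadmin.exe",
    "EventID=12|Image=" + APPLAUNCH + "|EventType=DeleteKey|TargetObject=" + IFEO_PREFIX + "taskkill.exe",
    # Benign noise that must not fire: a user closing an editor, an unrelated key removal.
    "EventID=1|Image=C:\\Windows\\System32\\taskkill.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=taskkill /f /im notepad.exe",
    "EventID=12|Image=C:\\Windows\\regedit.exe|EventType=DeleteKey|TargetObject=HKLM\\SOFTWARE\\Contoso\\Stale",
]

if __name__ == "__main__":
    for technique, what, evidence in triage(SAMPLE_EVENTS):
        print(f"{technique:10} {what}: {evidence}")
    print("FARGO-like chain:", is_fargo_like(triage(SAMPLE_EVENTS)))
```

The IFEO match is deliberately exact on the key prefix and on the leaf name, so a deletion elsewhere under SOFTWARE never counts, and the process-shutdown rule keys on the Table 3 names rather than on taskkill alone, which keeps the benign taskkill of notepad.exe out of the findings.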
Tactic: Credential Access
- T1110 Brute Force
FARGO threat group targets database servers with brute force and dictionary attacks to obtain poorly managed account credentials.
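Because both the initial access (T1078) and the credential access (T1110) steps rest on guessing database logins, the earliest defender signal is the failed-login record SQL Server writes to its ERRORLOG (error 18456). The script below is an added example written for this post, not Picus or AhnLab code; it applies a per-client sliding window to constructed ERRORLOG lines (the timestamps, logins and client addresses are all made up) and labels each alert as brute force against one login or spraying across many, which is the distinction that decides whether to lock an account or to block a source.

```python
"""Brute-force detection for SQL Server logins (T1110) over ERRORLOG-style
'Login failed' lines. Added example; the log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a SQL Server ERRORLOG 'Login failed' entry (error 18456).
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(lines):
    """Yield (timestamp, user, client) for each failed-login line; other lines are skipped."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """One alert per client that reaches `threshold` failures inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> failure timestamps still inside the window
    users = defaultdict(set)      # client -> distinct logins attempted so far
    alerts = {}
    for ts, user, client in parse_failures(lines):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = {
                "client": client,
                "first_failure": q[0],
                "alert_at": ts,
                "failures_in_window": len(q),
                "users": sorted(users[client]),
                # One login hammered = brute force; many logins, few tries each = spraying.
                "pattern": "spray" if len(users[client]) > 1 else "brute-force",
            }
    return list(alerts.values())


def _fail(ts, user, client):
    """Build one constructed ERRORLOG line in the real 'Login failed' layout."""
    return (f"{ts} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")


SAMPLE_ERRORLOG = [
    "2022-09-19 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.",
    # 203.0.113.5: six tries against 'sa' within four seconds
    *[_fail(f"2022-09-19 10:15:0{s}", "sa", "203.0.113.5")
      for s in ("1.23", "2.10", "2.95", "3.40", "4.11", "5.02")],
    # 198.51.100.9: two mistyped passwords minutes apart (should stay quiet)
    _fail("2022-09-19 10:20:17.55", "jdoe", "198.51.100.9"),
    _fail("2022-09-19 10:23:41.02", "jdoe", "198.51.100.9"),
    # 192.0.2.7: one try per account across five accounts
    *[_fail(f"2022-09-19 10:30:{3 * i:02d}.00", u, "192.0.2.7")
      for i, u in enumerate(["sa", "admin", "backup", "report", "svc_sql"])],
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(alert["client"], alert["pattern"], alert["failures_in_window"], alert["users"])
```

The threshold and window are parameters because the right values depend on how the server is exposed: an internet-facing instance sees far more noise than one behind a VPN, and the second call in the usage (`threshold=2, window_seconds=300`) shows how loosening them turns the two-failure client into an alert as well.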
Tactic: Impact
- T1486 Data Encrypted for Impact
FARGO ransomware uses a hybrid encryption approach and encrypts files via the ChaCha20, AES-128, and Curve25519 algorithms. After encryption, encrypted files are appended with extensions such as .Fargo, .Fargo2, and .Fargo3.
- T1490 Inhibit System Recovery
FARGO ransomware deletes shadow copies and other recovery features to prevent its victims from recovering their stolen and encrypted files.
How Does Picus Help Simulate FARGO Ransomware Attacks?
We also strongly suggest simulating FARGO ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Validation Platform. You can test your defenses against FARGO ransomware and hundreds of other ransomware such as LockBit, BlackByte, and BlackMatter within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for FARGO ransomware:
Threat ID | Action Name | Attack Module
32505 | FARGO Ransomware Download Threat | Network Infiltration
31567 | FARGO Ransomware Email Threat | Email Infiltration (Phishing)
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Control Validation Platform.
References
[1] "FARGO Ransomware (Mallox) Being Distributed Targeting Vulnerable MS-SQL Servers," ASEC BLOG, Sep. 19, 2022. [Online]. Available: https://asec.ahnlab.com/ko/38849/. [Accessed: Oct. 06, 2022]
[2] "FARGO Ransomware Targets Vulnerable Microsoft SQL Servers," SOCRadar® Cyber Intelligence Inc., Sep. 26, 2022. [Online]. Available: https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers/. [Accessed: Oct. 06, 2022]
[3] "Decrypted: TargetCompany Ransomware," Avast Threat Labs, Feb. 07, 2022. [Online]. Available: https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/. [Accessed: Oct. 06, 2022]
[4] "The New Threat: Mallox Ransomware," SANGFOR. [Online]. Available: https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware. [Accessed: Oct. 06, 2022]