FARGO Ransomware Guide

Finn Callaghan

Jul 10, 2024

Latest Headline

FARGO ransomware, also known as Mallox and TargetCompany, has become a significant threat in the cybersecurity landscape, reemerging in July 2024. Recent attacks have predominantly targeted Microsoft SQL servers, causing extensive disruptions across various industries.

Key Points

  • First emerged in June 2021

  • Originally focused on Windows systems; has recently expanded to Linux systems and VMware ESXi environments; targets MS-SQL servers

  • 687 total IOCs as of publication


Fletch is constantly monitoring the threat landscape. The data in this guide is most up to date as of publication. Check out FARGO’s Threat Board for any updates or join Fletch to be in the know for every threat.


FARGO Group Summary

FARGO is attributed to a group that operates under several aliases, including Mallox, TargetCompany, and Tohnichi. Research by security firms such as AhnLab and Palo Alto Networks indicates that the infrastructure supporting these attacks is frequently traced back to China, although the precise origins of the group remain uncertain. Operating as a Ransomware-as-a-Service (RaaS), FARGO uses affiliates to spread its reach, employing double extortion tactics by threatening to leak stolen data unless ransoms are paid.

  • Severity: High

  • Maturity: Mainstream

  • IOCs: 685 malware hashes and 2 vulnerabilities

  • Targets: 7 tech targets, 2 industry targets, and 16 geo targets


Learn more about Fletch’s metrics in the Fletch Help Center.

FARGO Victims & Motivations

FARGO affects a wide range of industries, including manufacturing, legal services, wholesale, retail, and professional services. The ransomware targets MS-SQL servers and VMware ESXi environments, exploiting these systems' vulnerabilities to maximize disruption. Its global reach includes significant activities in Asia and recent attacks in the United States. The primary motivation behind these attacks is financial gain through ransomware payments and data theft for further leverage.


FARGO Tactics

FARGO ransomware uses a variety of sophisticated techniques to ensure its payload is executed and data is encrypted. The ransomware deletes volume shadow copies, clears event logs, and disables recovery options to hinder restoration efforts. By injecting its payload into legitimate processes such as AppLaunch.exe, FARGO makes detection and removal more challenging. The ransomware uses AES-256 CBC, ChaCha20, and RSA encryption algorithms, and custom shell scripts to encrypt data.
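The recovery-inhibition steps described above (shadow copy deletion, log clearing, disabled recovery) are the most reliable place to catch this family before encryption finishes, because they show up as ordinary process-creation events. The following is an added example, not code from Fletch or from any of the cited vendors: a small Python detector that runs a handful of rules over process-creation log lines. The `key=value` log format, the sample lines and the hostnames are constructed for the example; the AppLaunch.exe-spawned-by-sqlservr.exe heuristic is an assumption derived from the guide's statement that FARGO targets MS-SQL servers and injects into AppLaunch.exe, not a documented indicator.

```python
"""Flag FARGO-style recovery-inhibition and anti-forensic commands in process-creation logs."""
import re
from typing import Dict, List

# Constructed sample log lines in a simple key=value format (not real telemetry).
SAMPLE_LOGS = [
    'ts=2024-07-10T08:01:02Z host=sql01 parent=sqlservr.exe image=cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"',
    'ts=2024-07-10T08:01:05Z host=sql01 parent=cmd.exe image=wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    'ts=2024-07-10T08:01:07Z host=sql01 parent=cmd.exe image=bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    'ts=2024-07-10T08:01:09Z host=sql01 parent=cmd.exe image=wevtutil.exe cmdline="wevtutil cl Security"',
    'ts=2024-07-10T08:01:11Z host=sql01 parent=sqlservr.exe image=AppLaunch.exe cmdline="AppLaunch.exe"',
    # Benign noise: listing shadows and an ordinary user process should not alert.
    'ts=2024-07-10T08:05:00Z host=ws07 parent=explorer.exe image=vssadmin.exe cmdline="vssadmin list shadows"',
    'ts=2024-07-10T08:06:00Z host=ws07 parent=explorer.exe image=notepad.exe cmdline="notepad.exe report.txt"',
]

# Each rule matches one recovery-inhibition or anti-forensic behaviour named in the guide.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# key=value or key="quoted value" tokens.
LINE_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed key=value log line into a dict."""
    fields: Dict[str, str] = {}
    for m in LINE_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def classify(fields: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one parsed event."""
    hits = [name for name, pattern in RULES.items() if pattern.search(fields.get("cmdline", ""))]
    # Heuristic (assumption, not from the guide): the SQL Server service process has no
    # business launching AppLaunch.exe; that parent/child pair is worth an alert on its own.
    if (fields.get("image", "").lower() == "applaunch.exe"
            and fields.get("parent", "").lower() == "sqlservr.exe"):
        hits.append("applaunch_spawned_by_sqlserver")
    return hits


def scan(lines: List[str]) -> List[dict]:
    """Run every rule over every line and return one alert record per matching event."""
    alerts = []
    for line in lines:
        fields = parse_line(line)
        hits = classify(fields)
        if hits:
            alerts.append({"ts": fields.get("ts"), "host": fields.get("host"),
                           "image": fields.get("image"), "rules": hits})
    return alerts


def hosts_with_recovery_inhibition(alerts: List[dict], min_rules: int = 2) -> List[str]:
    """Hosts on which at least `min_rules` distinct rules fired.

    A single vssadmin call can be an administrator; several distinct
    recovery-inhibition steps on one host in sequence is the ransomware pattern.
    """
    per_host: Dict[str, set] = {}
    for alert in alerts:
        per_host.setdefault(alert["host"], set()).update(alert["rules"])
    return sorted(host for host, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("hosts needing isolation:", hosts_with_recovery_inhibition(found))
```

The per-host aggregation is the important design choice: any one of these commands has a legitimate administrative use, so the alert that should page someone is the host where several fire within a short window, which is also the host the guide's first mitigation step says to disconnect from the network.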


Mitigation Advice

At the time of publication, this was the mitigation advice against FARGO:

  • If systems are infected with ransomware, disconnect infected devices from the network and any external storage devices that may be connected.

  • Enable automatic software updates on computers, mobile devices, and connected devices.

At the time of publication, these were the right compliance controls to focus on for FARGO:

  • Limit the use of PowerShell to only administrators and restrict what commands can be executed.

  • Limit access to sensitive transactions and use secure methods for payment approvals.

  • Install and regularly update antivirus software on all company devices.

  • Provide training to employees on how to recognize and avoid social engineering techniques.

  • Train employees to recognize and report suspicious emails and attachments.


You can check out the most recent mitigation measures by creating an account when you join Fletch.


Communication

On top of mitigation advice, Fletch also provides Beta AI-generated communications so you can educate your different company stakeholders. At the time of publication, this was what was recommended for the following:

For employees with exposure:

For customers:


For more templates for your different stakeholders, create a workspace when you join Fletch.


Takeaway

FARGO ransomware represents a persistent and evolving threat capable of causing significant damage to vulnerable systems. Its expansion to Linux and VMware environments highlights the need for comprehensive cybersecurity measures. Organizations should implement strong passwords, regular software updates and patches, multi-factor authentication, and regular data backups to mitigate the risks posed by this ransomware.

FARGO is just one example of an ever-evolving threat that Fletch helps you keep track of and prioritize. 

Our AI engine is constantly scanning and indexing the threat landscape for you so you can plug the gaps in your security. You can use Fletch to prioritize your alerts, forecast threats on your horizon, and give you daily advice on what to do.


Join the Fletch waitlist and try it for yourself.


See how much time you can save

Fletch surfaces the 5% of threats that matter to you right now. You’ll have every detail about the threat, what to do about it and what to say. 

Get API access
