FARGO Ransomware Analysis and Simulation


On September 19, 2022, AhnLab published a blog post on a new ransomware variant, FARGO. As the latest variant of TargetCompany ransomware, FARGO mainly targets Microsoft's MS-SQL servers and English-speaking organizations [1]. The ransomware threat actors use "the double extortion method" and pressure their victims to pay the ransom by threatening to release stolen sensitive data to the public.

Picus Labs has added attack simulations for FARGO ransomware and its earlier variants to the Picus Threat Library. In this blog post, we explain the techniques used by FARGO ransomware and how the ransomware group operates.


FARGO Ransomware Group

The TargetCompany ransomware group started its operations in June 2021 and was initially named Mallox because it appended the ".mallox" extension to encrypted files [2]. The ransomware targets organizations in Asia and does not encrypt files if the infected machine is located in Russia, Kazakhstan, Ukraine, or Qatar [4]. Later, in February 2022, Avast released a decryptor for Mallox ransomware to help victims recover their files [3].

In September 2022, the TargetCompany group released a new variant of their ransomware called FARGO. This variant encrypts the victim's files with a hybrid encryption approach that uses the ChaCha20, AES-128, and Curve25519 algorithms. After successfully encrypting a file, the ransomware appends the ".FARGO3" extension to it. To avoid encrypting files that are already encrypted, FARGO ransomware skips files with the following extensions:

Table 1: Excluded File Extensions [1]

According to AhnLab, the threat actors start their attack by injecting the ransomware executable into AppLaunch.exe. Then, they delete registry keys and shadow copies to damage recovery services. Prior to encryption, the ransomware kills SQL-related processes and proceeds to encrypt the files on the system, with the exclusion lists provided below:

Table 2: The files that FARGO does not encrypt [1]

After encrypting the victim's files, FARGO ransomware leaves a ransom note.

Figure 1: Ransom note by FARGO ransomware [1]

TTPs Used by FARGO Ransomware Group

FARGO ransomware group uses the following tactics, techniques, and procedures (TTPs) in the MITRE ATT&CK framework:

Tactic: Initial Access & Persistence

  • T1078 Valid Accounts

FARGO threat actors gain initial access to target networks using credentials acquired via brute force attacks.

Tactic: Execution

  • T1059 Command and Scripting Interpreter

After initial access, FARGO threat actors transfer additional malware to the compromised network. This malware generates and executes a BAT file to shut down certain processes and services.

vssadmin.exe delete shadows /all /quiet
bcdedit /set {current} bootstatuspolicy ignoreallfailures
bcdedit /set {current} recoveryenabled no

Example 1: Commands used to inhibit system recovery [3]

  • fdhost.exe
  • msmdsrv.exe
  • oracle.exe
  • sqlwrite.exe
  • fdlauncher.exe
  • mysql.exe
  • ReportingServicesService.exe
  • MsDtsSrvr.exe
  • ntdbsmgr.exe
  • sqlserv.exe

Table 3: List of processes and services shut down by FARGO ransomware
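The commands in Example 1 and the process list in Table 3 are the observable side of this step. The following detection logic is an added example written for this post; it is not code from Picus, AhnLab, or the ransomware. It assumes a simplified Sysmon Event ID 1 (process creation) layout with key=value fields separated by "|", and the sample records, including the AppLaunch.exe path, are constructed for the example.

```python
import re

# Database process names from Table 3, stored without ".exe" so that both
# "taskkill /im sqlserv.exe" and "net stop sqlserv" style targets match.
DB_PROCESS_STEMS = {
    "fdhost", "msmdsrv", "oracle", "sqlwrite", "fdlauncher", "mysql",
    "reportingservicesservice", "msdtssrvr", "ntdbsmgr", "sqlserv",
}

# Command lines from Example 1 and the technique each one indicates.
RECOVERY_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
     "T1490 shadow copy deletion"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+recoveryenabled\s+no", re.I),
     "T1490 Windows recovery disabled"),
    (re.compile(r"bcdedit(\.exe)?\s+/set\s+\{current\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
     "T1490 boot failure recovery suppressed"),
]

# "taskkill ... /im <name>" or "net stop <name>"; the target lands in group 4.
KILL_PATTERN = re.compile(
    r"(taskkill(\.exe)?\s+.*?/im\s+|net(\.exe)?\s+stop\s+)(\S+)", re.I)


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def classify(cmdline):
    """Return the findings for one command line; an empty list means no match."""
    findings = [label for pattern, label in RECOVERY_PATTERNS if pattern.search(cmdline)]
    match = KILL_PATTERN.search(cmdline)
    if match:
        target = match.group(4).lower()
        stem = target[:-4] if target.endswith(".exe") else target
        if stem in DB_PROCESS_STEMS:
            findings.append("T1059 database process stopped: " + target)
    return findings


def scan(lines):
    """Run classify() over each record and keep only the events that matched."""
    hits = []
    for line in lines:
        event = parse_event(line)
        findings = classify(event.get("commandline", ""))
        if findings:
            hits.append({
                "image": event.get("image", ""),
                "parent": event.get("parentimage", ""),
                "findings": findings,
            })
    return hits


# Constructed sample records; the AppLaunch.exe path is assumed, the page
# names only the executable.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe|CommandLine=cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=bcdedit /set {current} bootstatuspolicy ignoreallfailures",
    r"EventID=1|Image=C:\Windows\System32\bcdedit.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=bcdedit /set {current} recoveryenabled no",
    r"EventID=1|Image=C:\Windows\System32\taskkill.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=taskkill /f /im sqlserv.exe",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\Users\analyst\notes.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["image"], "<-", hit["parent"], ":", ", ".join(hit["findings"]))
```

Each of these commands also appears in legitimate administration, so the parent process is the useful pivot: the page describes the ransomware running inside AppLaunch.exe, and a shadow-copy deletion whose parent chain leads back to that process, or a burst of several findings from one host within a short window, is far more specific than any single command line.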

Tactic: Privilege Escalation

  • T1134 Access Token Manipulation

The FARGO group uses secedit.exe to assign its process the "SeDebugPrivilege" and "SeTakeOwnershipPrivilege" privileges. This method is often used to elevate the privileges of the assigned process.

Tactic: Defense Evasion

  • T1055 Process Injection

FARGO ransomware is executed via process injection to an already running process called AppLaunch.exe.

  • T1112 Modify Registry

FARGO ransomware deletes the registry keys for Raccine, a popular ransomware protection tool.

  • T1562.001 Impair Defenses: Disable or Modify Tools

FARGO ransomware deletes the following registry keys to inhibit the use of vssadmin.exe, wmic.exe, wbadmin.exe, bcdedit.exe, powershell.exe, diskshadow.exe, net.exe, and taskkill.exe.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmic.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diskshadow.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\net.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe

Example 2: Deleted registry keys to inhibit the use of certain processes [1]
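The Raccine key deletion under T1112 and the Image File Execution Options keys in Example 2 can be covered with one piece of logic: alert on deletion of those IFEO subkeys, and audit whether they are still present on hosts where Raccine is deployed. The code below is an added example written for this post, not code from Picus, AhnLab, or Raccine. It assumes a simplified Sysmon Event ID 12 (registry key create/delete) layout with key=value fields separated by "|"; the sample events and the AppLaunch.exe path are constructed.

```python
import re

# Tools whose IFEO keys FARGO deletes, exactly as listed in Example 2.
PROTECTED_TOOLS = [
    "vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe",
    "powershell.exe", "diskshadow.exe", "net.exe", "taskkill.exe",
]

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Matches a top-level IFEO subkey (one executable name, nothing below it).
IFEO_KEY_RE = re.compile(
    r"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\([^\\]+)$",
    re.I)


def parse_event(line):
    """'key=value|key=value' record to a dict with lower-cased keys."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in line.split("|") if "=" in p)}


def ifeo_tool(target_object):
    """Return the executable name if the path is a top-level IFEO subkey, else None."""
    match = IFEO_KEY_RE.search(target_object)
    return match.group(1).lower() if match else None


def detect_ifeo_deletions(lines):
    """Flag Sysmon Event ID 12 DeleteKey events on IFEO subkeys of the protected tools.

    Returns a list of (deleting process image, deleted tool name) tuples.
    """
    hits = []
    for line in lines:
        event = parse_event(line)
        if event.get("eventid") != "12" or event.get("eventtype", "").lower() != "deletekey":
            continue
        tool = ifeo_tool(event.get("targetobject", ""))
        if tool in PROTECTED_TOOLS:
            hits.append((event.get("image", ""), tool))
    return hits


def missing_ifeo_keys(existing_subkeys):
    """Given the current IFEO subkey names (a registry snapshot), return the
    protected tools whose key is absent, in the order of Example 2."""
    present = {name.lower() for name in existing_subkeys}
    return [tool for tool in PROTECTED_TOOLS if tool not in present]


def read_ifeo_subkeys_windows():
    """Enumerate the live IFEO subkeys through winreg; returns None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    subkeys = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH) as key:
        index = 0
        while True:
            try:
                subkeys.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return subkeys


# Constructed sample records; the AppLaunch.exe path is assumed.
SAMPLE_EVENTS = [
    r"EventID=12|EventType=DeleteKey|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe",
    r"EventID=12|EventType=DeleteKey|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe",
    r"EventID=12|EventType=CreateKey|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe",
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe\Debugger",
    r"EventID=12|EventType=DeleteKey|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe",
]

if __name__ == "__main__":
    for image, tool in detect_ifeo_deletions(SAMPLE_EVENTS):
        print("IFEO key for", tool, "deleted by", image)
    live = read_ifeo_subkeys_windows()
    if live is not None:
        print("Protected tools without an IFEO key:", missing_ifeo_keys(live))
```

The audit half only means something on hosts where Raccine (or another IFEO-based control) was installed: on a stock Windows system none of these subkeys exist, so an empty result from the deletion detector plus a long list from missing_ifeo_keys() is normal there. Where Raccine is deployed, a DeleteKey event on any of the eight names, especially from a process that is not the Raccine installer, is the signal this section describes.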

Tactic: Credential Access

  • T1110 Brute Force

The FARGO threat group targets database servers with brute force and dictionary attacks to obtain poorly managed account credentials.
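Brute force against an MS-SQL server leaves a dense trail of failed logins in the SQL Server ERRORLOG, which is the place to catch the initial access described under T1078 and T1110. The detector below is an added example written for this post, not code from Picus or AhnLab. It assumes the standard "Login failed for user '...' ... [CLIENT: <address>]" line format of the SQL Server error log; the log lines, timestamps and client addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One failed-login line of the SQL Server ERRORLOG: timestamp, "Logon" source,
# the user name and the client address in the trailing [CLIENT: ...] tag.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_failed_logins(lines):
    """Return (timestamp, client address, user) for every failed-login line."""
    events = []
    for line in lines:
        match = LOGIN_FAILED_RE.search(line)
        if match:
            ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, match.group("client"), match.group("user")))
    return events


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Sliding window per client: alert when at least `threshold` failures fall
    inside `window`. Returns {client: {"failures": n, "users": [...]}} with the
    largest window observed for each alerting client."""
    by_client = defaultdict(list)
    for ts, client, user in sorted(parse_failed_logins(lines)):
        by_client[client].append((ts, user))
    alerts = {}
    for client, attempts in by_client.items():
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(client, {}).get("failures", 0):
                alerts[client] = {
                    "failures": count,
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                }
    return alerts


def _failed_login_line(ts, user, client):
    """Build one constructed ERRORLOG line in the real layout."""
    return (f"{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")


# Constructed sample log: a 12-attempt burst against "sa" from one address,
# two isolated failures from another, and an unrelated startup line.
_BASE = datetime(2022, 9, 19, 10, 0, 0)
SAMPLE_LOG = [_failed_login_line(_BASE + timedelta(seconds=5 * i), "sa", "203.0.113.5")
              for i in range(12)]
SAMPLE_LOG += [_failed_login_line(_BASE + timedelta(minutes=m), "backup_svc", "198.51.100.7")
               for m in (0, 10)]
SAMPLE_LOG.append(f"{_BASE:%Y-%m-%d %H:%M:%S}.00 spid52      Starting up database 'master'.")

if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{client}: {info['failures']} failed logins, users {info['users']}")
```

The threshold and window are the tuning knobs: a misconfigured application retrying one account produces a steady trickle against a single user, whereas a dictionary attack typically shows many failures per minute, often across several account names, from an address that has no history of successful logins. Whichever values you pick, the same function can be run over the log after a simulation to confirm that the events are actually being recorded and forwarded.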

Tactic: Impact

  • T1486 Data Encrypted for Impact

FARGO ransomware uses a hybrid encryption approach and encrypts files with the ChaCha20, AES-128, and Curve25519 algorithms. After encryption, encrypted files are given extensions such as .Fargo, .Fargo2, and .Fargo3.

  • T1490 Inhibit System Recovery

FARGO ransomware deletes shadow copies and other recovery features to prevent its victims from recovering their stolen and encrypted files.

How Does Picus Help Simulate FARGO Ransomware Attacks?

We also strongly suggest simulating FARGO ransomware attacks with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against ransomware. You can test your defenses against FARGO ransomware and hundreds of other ransomware families such as LockBit, BlackByte, and BlackMatter within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for FARGO ransomware:

Threat ID | Action Name                      | Attack Module
32505     | FARGO Ransomware Download Threat | Network Infiltration
31567     | FARGO Ransomware Email Threat    | Email Infiltration (Phishing)

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' Complete Security Control Validation Platform.

References

[1] "FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers," ASEC BLOG, Sep. 19, 2022. [Online]. Available: https://asec.ahnlab.com/ko/38849/. [Accessed: Oct. 06, 2022]

[2] SOCRadar, "FARGO Ransomware Targets Vulnerable Microsoft SQL Servers," SOCRadar® Cyber Intelligence Inc., Sep. 26, 2022. [Online]. Available: https://socradar.io/fargo-ransomware-targets-vulnerable-microsoft-sql-servers/. [Accessed: Oct. 06, 2022]

[3] "Decrypted: TargetCompany Ransomware," Avast Threat Labs, Feb. 07, 2022. [Online]. Available: https://decoded.avast.io/threatresearch/decrypted-targetcompany-ransomware/. [Accessed: Oct. 06, 2022]

[4] "The New Threat: Mallox Ransomware," SANGFOR. [Online]. Available: https://www.sangfor.com/blog/cybersecurity/new-threat-mallox-ransomware. [Accessed: Oct. 06, 2022]