Fog ransomware, a new threat that targets the US academic sector

June 11, 2024

The newly discovered Fog ransomware, which debuted last month, uses compromised VPN credentials to access the networks of educational organisations in the United States. According to initial reports, the operation has not yet set up an extortion portal and has not been observed stealing data.

On the other hand, a separate research group claimed they could confirm that the ransomware group steals data for double-extortion operations and then uses the data as leverage to extort victims into paying.

The Fog ransomware operation uses VPNs as its primary infection vector.

The Fog ransomware operators access targeted environments using compromised VPN credentials acquired from at least two separate VPN gateway manufacturers. Researchers noted that in each of the cases investigated, evidence showed that the threat actors could access victim environments by capitalising on compromised VPN credentials.

In addition, the remote access occurred through two separate VPN gateway vendors, and the last documented threat activity occurred on May 23, 2024.

Once they obtain access to the internal network, the attackers execute “pass-the-hash” tactics on admin accounts, which they use to establish RDP connections to Windows servers running Hyper-V.

Alternatively, the attackers use credential stuffing to take over valuable accounts, followed by PsExec deployment across numerous hosts.

On Windows servers, the ransomware operators deactivate Windows Defender so that the victim receives no alerts before the encryptor runs. Once deployed, the ransomware uses Windows API calls to retrieve system information, such as the number of available logical processors, which it uses to allocate threads for its multi-threaded encryption routine.

Before encryption begins, the ransomware terminates a set of processes and services taken from a hardcoded list in its configuration. It then encrypts VMDK files in VM storage and deletes backups from Veeam object storage as well as Windows volume shadow copies, so that the victim cannot restore files easily.

Next, the ransomware appends the ‘.FOG’ or ‘.FLOCKED’ extension to encrypted files; the operators can change this extension to anything they like in the JSON-based configuration block. Finally, a ransom note is written to the compromised directories, instructing the victims to pay for a decryption key that will allow them to recover their files.
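The two stages described above (PsExec-driven lateral movement, then Defender being switched off, shadow copies deleted and files renamed with the ‘.FOG’ or ‘.FLOCKED’ extension) are all observable in endpoint telemetry. The following detection script is an added example written for this article, not code from the article or from any vendor report: it runs a small set of behaviour rules over constructed sample events. The one-line `key=value` event format, the hostnames, the `locker.exe` image name and the timestamps are all made up for the example; the indicators the rules look for (a 7045 service-install event for `PSEXESVC`, `Set-MpPreference -DisableRealtimeMonitoring $true`, `vssadmin delete shadows`, and the two file extensions) are the behaviours the article describes.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): one event per line in a
# simple "key=value" format of our own, loosely modelled on Sysmon/Security
# event fields. "locker.exe" is a placeholder image name, not a real Fog binary.
SAMPLE_EVENTS = [
    'ts=2024-05-23T01:12:04Z host=hv01 event=7045 service=PSEXESVC path=C:\\Windows\\PSEXESVC.exe',
    'ts=2024-05-23T01:13:10Z host=hv01 event=1 image=powershell.exe cmd="Set-MpPreference -DisableRealtimeMonitoring $true"',
    'ts=2024-05-23T01:13:30Z host=hv01 event=1 image=vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    'ts=2024-05-23T01:14:02Z host=hv01 event=11 image=locker.exe target=D:\\VMs\\fileserver.vmdk.FOG',
    'ts=2024-05-23T01:14:03Z host=hv01 event=11 image=locker.exe target=D:\\VMs\\dc01.vmdk.FOG',
    'ts=2024-05-23T01:14:03Z host=hv01 event=11 image=locker.exe target=D:\\VMs\\sql01.vmdk.FLOCKED',
    'ts=2024-05-23T01:14:05Z host=hv01 event=11 image=locker.exe target=C:\\Users\\Public\\readme.txt',
    # Benign activity on another host: listing shadow copies is not deletion.
    'ts=2024-05-23T08:00:00Z host=ws07 event=1 image=backup.exe cmd="vssadmin list shadows"',
]

# Behaviour rules, each a regex applied to the raw event line.
RULES = {
    # PsExec installs its service as PSEXESVC; System log event 7045 records it.
    "psexec_service_install": re.compile(r"event=7045 .*service=PSEXESVC", re.I),
    # Defender real-time protection switched off via PowerShell.
    "defender_realtime_disabled": re.compile(r"DisableRealtimeMonitoring\s+\$true", re.I),
    # Shadow copy deletion to hinder restoration.
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    # A file written with one of the two extensions named in the article. Weakest
    # rule, because the extension is operator-configurable.
    "fog_extension_written": re.compile(r"target=\S+\.(fog|flocked)\b", re.I),
}


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def scan(lines, rename_threshold=3):
    """Return a list of (rule, host, detail) hits for the given event lines.

    Besides the per-line rules, a process that writes rename_threshold or more
    files with a Fog-style extension on one host is flagged as mass encryption,
    which is a stronger signal than any single renamed file.
    """
    hits = []
    renames = defaultdict(int)  # (host, image) -> count of encrypted-extension writes
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, host, line))
                if name == "fog_extension_written":
                    renames[(host, ev.get("image", "?"))] += 1
    for (host, image), n in renames.items():
        if n >= rename_threshold:
            hits.append(("mass_encrypted_writes", host,
                         f"{image} wrote {n} files with a Fog-style extension"))
    return hits


def summarize(hits):
    """Group fired rules per host; several distinct rules on one host is the strong signal."""
    per_host = defaultdict(set)
    for rule, host, _ in hits:
        per_host[host].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    for host, rules in summarize(scan(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(rules)}")
```

Because the article notes that the file extension is chosen in the configuration block, the extension rule is the one most likely to miss a future build; the Defender, shadow-copy and PsExec rules describe what the operators must do regardless of how the encryptor is configured, so a host on which several of them fire together is the alert worth paging on.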

US-based academic institutions should be wary of this new threat, which has been primarily targeting the industry.
