In early May 2024, a new ransomware operation named ‘Fog’ began targeting educational organizations in the U.S. by exploiting compromised VPN credentials. Although the operation has yet to set up an extortion portal and was initially not observed stealing data, the gang does now steal data for use in double-extortion attacks, coercing victims into paying ransoms.
The attackers gain initial access to victim environments using compromised VPN credentials from at least two different VPN gateway vendors, with the last documented activity of this kind occurring on May 23, 2024.
Once inside the internal network, the attackers perform “pass-the-hash” attacks on administrator accounts to establish RDP connections to Windows servers running Hyper-V. They also use credential stuffing to hijack valuable accounts and deploy PsExec on multiple hosts.
On the compromised Windows servers, Fog operators disable Windows Defender to suppress alerts before executing the ransomware. The ransomware gathers system information through Windows API calls and allocates threads for a multi-threaded encryption routine. Before encryption, it terminates a list of processes and services specified in its configuration.
Fog ransomware encrypts VMDK files in Virtual Machine (VM) storage and deletes Veeam object-storage backups and Windows volume shadow copies to hinder recovery. Encrypted files are given the ‘.FOG’ or ‘.FLOCKED’ extension, which can be customized in the ransomware's JSON-based configuration block.
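As an added detection example (not part of the original article), the following Python maps normalised Windows event records onto the stages of the intrusion chain described above: an NTLM network logon (the weak signal pass-the-hash leaves, since it bypasses Kerberos), a PSEXESVC service install (System event 7045), Defender real-time protection being disabled (Defender event 5001), shadow-copy deletion in a process-creation command line (Security event 4688), and creation of a ‘.fog’/‘.flocked’ file or readme.txt (Sysmon event 11). The sample records, host names and field names are constructed assumptions; a host is flagged only when several distinct stages co-occur, which keeps a lone NTLM logon from raising an alert by itself.

```python
import re

# Constructed sample log records (not from the article): the fields a SIEM
# would normalise out of Windows Security, System, Defender and Sysmon logs.
SAMPLE_EVENTS = [
    {"host": "hv01", "event_id": 4624, "logon_type": 3, "auth_package": "NTLM",
     "user": "svc-admin", "src_ip": "10.0.5.77"},
    {"host": "hv01", "event_id": 7045, "service_name": "PSEXESVC"},
    {"host": "hv01", "event_id": 5001, "provider": "Microsoft-Windows-Windows Defender"},
    {"host": "hv01", "event_id": 4688,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "hv01", "event_id": 11, "target_filename": r"D:\VMs\web01.vmdk.fog"},
    {"host": "ws07", "event_id": 4624, "logon_type": 2, "auth_package": "Kerberos",
     "user": "jdoe", "src_ip": "-"},
    {"host": "ws07", "event_id": 4688, "command_line": "notepad.exe notes.txt"},
]

# Shadow-copy deletion via vssadmin or wmic; ransom artifacts by extension or note name.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RANSOM_ARTIFACT = re.compile(r"\.(fog|flocked)$|[\\/]readme\.txt$", re.I)


def classify(ev):
    """Return the Fog chain stage one event evidences, or None."""
    eid = ev.get("event_id")
    if eid == 4624 and ev.get("logon_type") == 3 and ev.get("auth_package") == "NTLM":
        return "ntlm_network_logon"      # weak alone: pass-the-hash yields NTLM, not Kerberos
    if eid == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service"          # service PsExec installs on the remote host
    if eid == 5001 and "Defender" in ev.get("provider", ""):
        return "defender_disabled"       # 5001 = real-time protection disabled
    if eid == 4688 and SHADOW_DELETE.search(ev.get("command_line", "")):
        return "shadow_copy_deletion"
    if eid == 11 and RANSOM_ARTIFACT.search(ev.get("target_filename", "")):
        return "ransom_artifact"         # Sysmon FileCreate of .fog/.flocked or readme.txt
    return None


def stages_per_host(events):
    """Group the distinct stages observed on each host."""
    seen = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["host"], set()).add(stage)
    return seen


def fog_like_hosts(events, min_stages=3):
    """Hosts on which at least min_stages distinct chain stages co-occur."""
    return sorted(h for h, s in stages_per_host(events).items() if len(s) >= min_stages)
```

Run against real telemetry, the shadow-copy and Defender rules are the highest-confidence signals; the NTLM logon rule needs baselining against normal admin activity before it is worth more than a supporting weight.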
A ransom note is dropped in affected directories, instructing victims on how to pay for a decryption key. The note, named readme.txt, includes a link to a Tor site for negotiation, where victims can discuss ransom demands and view a list of stolen files. Both the ‘.FOG’ and ‘.FLOCKED’ extensions use the same Tor negotiation site, with ongoing attacks utilizing either extension.
The gang demanded hundreds of thousands of dollars for a decryptor and the deletion of stolen data, with potentially higher demands for larger companies.
To prevent Fog ransomware attacks, organizations should ensure all VPN credentials are secure and regularly updated. Implementing multi-factor authentication for VPN access, monitoring network traffic for unusual activities, and deploying endpoint protection solutions are critical steps.
Additionally, conducting regular security awareness training for staff and students can help in recognizing and avoiding phishing attempts and other social engineering tactics used by cybercriminals.