Sophos X-Ops recently revealed the emergence of a new ransomware threat cluster that exploited a vulnerability in Veeam backup servers. This threat cluster, referred to as STAC 5881, utilized compromised VPN appliances for access and leveraged the CVE-2024-40711 vulnerability to create a new local administrator account named “point.”
The deployment of this new ransomware was observed in cases where the threat actor behind STAC 5881 targeted organizations. The ransomware, named Frag, was executed through a command line with various parameters, including the percentage of file encryption. Attackers could specify directories or individual files to encrypt, with the files being given a .frag extension once encrypted.
Despite the deployment of Frag ransomware, Sophos endpoint protection’s CryptoGuard feature successfully blocked the ransomware, and a detection for the ransomware binary has been added to enhance protection against it.
The tactics employed by the threat actor behind Frag were similar to those used by the Akira and Fog ransomware threat actors. Agger Labs also noted the resemblance in behaviors between Frag and Akira ransomware, indicating a possible emergence of a new ransomware player in the threat landscape. Sophos X-Ops continues to monitor this threat behavior closely and will provide updates with additional technical details as they become available.
Overall, the deployment of Frag ransomware highlights the evolving nature of cyber threats and the importance of proactive cybersecurity measures to mitigate the risks posed by ransomware attacks. Organizations are encouraged to stay vigilant, update their security solutions, and implement best practices to safeguard against the increasing sophistication of threat actors in the digital realm.