A new ransomware group, dubbed “Fog,” has emerged recently, focusing on traditional ransomware attacks that encrypt data in virtual environments to extort quick payments from victims. Researchers from Arctic Wolf first identified the group on May 2 and have been actively monitoring its activities since then.
According to a report released by Arctic Wolf, Fog has been carrying out typical ransomware attacks by infiltrating and encrypting data stored in virtualization environments from May 2 to May 23. After encrypting the data, the group leaves a ransom note demanding payment in exchange for the decryption key. However, unlike some other ransomware groups that engage in data exfiltration and double extortion tactics, Fog focuses solely on encrypting data for quick financial gain.
Fog’s modus operandi is to target organizations through stolen virtual private network (VPN) credentials, which have become a popular method for gaining initial access to large enterprises. The group has exploited vulnerabilities in VPN gateway products to gain unauthorized access to corporate networks. In one case, Fog used compromised administrator accounts to establish remote desktop protocol (RDP) connections to Windows servers running virtualization software.
Additionally, Fog employs various tactics, techniques, and procedures (TTPs) such as credential stuffing, using tools like Metasploit and PsExec, disabling Windows Defender, and communicating with victims through the Tor network. Despite their sophisticated techniques, Fog refrains from exfiltrating the encrypted data or engaging in complex extortion schemes like double or triple extortion.
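The intrusion chain described above (RDP logon with compromised admin credentials, PsExec, Windows Defender disabled) is something a defender can look for in Windows event logs. The following is an added detection sketch, not code from Arctic Wolf or the original article; the log lines are constructed, the simplified `host|channel|event_id|fields` format is an assumption, and the event IDs are real Windows identifiers (Security 4624 with LogonType 10 for an RDP logon, System 7045 for a service install, which is how PsExec’s PSEXESVC shows up, and Windows Defender 5001 for real-time protection being disabled).

```python
"""Correlate the Fog TTP chain per host: RDP logon, PsExec service install,
Defender real-time protection disabled. Sample data below is constructed."""
from collections import defaultdict

# Constructed sample events, not real telemetry.
# Format (assumed): host|channel|event_id|key=value;key=value;...
SAMPLE_LOG = """\
esxmgmt01|Security|4624|TargetUserName=admin.svc;LogonType=10;IpAddress=10.0.5.20
esxmgmt01|System|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
esxmgmt01|Defender|5001|Message=Real-time protection is disabled
fileserv02|Security|4624|TargetUserName=jdoe;LogonType=2;IpAddress=-
fileserv02|System|7045|ServiceName=BackupAgent;ImagePath=C:\\Program Files\\Backup\\agent.exe
"""

REQUIRED = {"rdp_logon", "psexec_service", "defender_disabled"}


def parse_events(text):
    """Parse the simplified log format into one dict per event."""
    events = []
    for line in text.splitlines():
        host, channel, event_id, fields = line.split("|", 3)
        data = dict(kv.split("=", 1) for kv in fields.split(";"))
        events.append({"host": host, "channel": channel,
                       "event_id": int(event_id), **data})
    return events


def detect_fog_chain(events):
    """Return hosts on which all three stages of the chain were observed.
    A single stage (e.g. one PsExec service install) is common admin activity,
    so only the full combination is treated as a high-confidence alert."""
    seen = defaultdict(set)
    for e in events:
        h, ch, eid = e["host"], e["channel"], e["event_id"]
        if ch == "Security" and eid == 4624 and e.get("LogonType") == "10":
            seen[h].add("rdp_logon")
        elif ch == "System" and eid == 7045 and \
                e.get("ServiceName", "").upper().startswith("PSEXESVC"):
            seen[h].add("psexec_service")
        elif ch == "Defender" and eid == 5001:
            seen[h].add("defender_disabled")
    return sorted(h for h, stages in seen.items() if REQUIRED <= stages)


if __name__ == "__main__":
    print(detect_fog_chain(parse_events(SAMPLE_LOG)))  # ['esxmgmt01']
```

In a real deployment the same correlation would run over Windows Event Forwarding or SIEM output rather than this flat format, and a time window between the three stages would tighten it further.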
As of now, Fog has exclusively targeted organizations in the United States, with a focus on the education sector. In fact, four out of five reported attacks have been against educational institutions, while the remaining attack targeted the recreation industry. Kerri Shafer-Page, vice president of DFIR at Arctic Wolf, attributes the group’s preference for educational institutions to their vulnerability due to limited cybersecurity resources and staff during summer vacations.
Shafer-Page emphasizes the importance of employee awareness and credential management to mitigate the risk of ransomware attacks. She warns that threat actors like Fog are constantly seeking ways to move laterally within networks and escalate their privileges to gain access to sensitive data. By elevating their privileges, attackers can potentially compromise critical systems and cause significant damage to organizations.
In conclusion, the emergence of the Fog ransomware group highlights the ongoing threat posed by ransomware attacks targeting virtual environments. Organizations, particularly those in the education sector, need to bolster their cybersecurity defenses and educate employees about the importance of safeguarding their credentials to prevent falling victim to such malicious actors. The swift and decisive actions taken by organizations and cybersecurity experts are crucial in combating the growing menace of ransomware attacks and securing sensitive data from unauthorized access.
