A new ransomware variant known as ‘Fog’ has emerged, targeting organizations in the education and recreation sectors across the United States. The attackers gained initial access with compromised VPN credentials; forensic evidence showed remote access through gateways from two different VPN vendors.
Pass-the-hash activity was then observed against administrator accounts, and those accounts were used to open RDP sessions to Windows servers running Veeam and Hyper-V. With that access the threat actors disabled Windows Defender on the targeted servers, deleted backups from Veeam object storage, and encrypted VMDK files in VM storage, removing the victims' recovery path before the ransom demand.
Arctic Wolf Labs, a cybersecurity research team, began tracking the Fog ransomware variant on May 2, 2024. Every victim organization identified was based in the US, with 80% in the education sector and 20% in recreation. Inside the compromised networks the attackers used credential stuffing to facilitate lateral movement.
According to Arctic Wolf Labs, the threat actors deployed PsExec to multiple hosts and reached specific targets over RDP and SMB. The ransom notes left on compromised systems were consistent across incidents, each distinguished only by a unique chat code. Researchers identified an .onion address for communication between attackers and victims but found no other dark web presence, such as a data leak site.
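The chain described above (NTLM pass-the-hash-style logons to administrator accounts, RDP to the backup and hypervisor hosts, PsExec service installs, Defender being switched off, and credential stuffing) leaves a recognizable trail in Windows Security, System and Defender event logs. The following is an added detection example written for this page; it is not Arctic Wolf's code and not part of the original article. The events, hostnames, account names and IP addresses are constructed for illustration, and the admin-account and backup-host lists are assumptions you would replace with your own inventory.

```python
"""Toy detection pass over constructed Windows event records for the
Fog-style intrusion chain. Event field names are simplified versions of
the real Security/System/Defender attributes; the records are invented."""
from collections import defaultdict

ADMIN_ACCOUNTS = {"administrator", "backup-admin"}  # assumed: your tier-0/backup admins
BACKUP_HOSTS = {"VEEAM01", "HYPERV01"}              # assumed: backup and VM storage servers
STUFFING_THRESHOLD = 5                              # distinct accounts failing from one source

# Constructed sample events (not logs from any real incident).
EVENTS = [
    # Six failed logons for six different accounts from one external source (4625)
    {"id": 4625, "host": "DC01", "user": f"user{i}", "src_ip": "203.0.113.7"}
    for i in range(6)
] + [
    # PtH-style logon: 4624, network logon, NTLM, 0-bit session key, admin account
    {"id": 4624, "host": "VEEAM01", "user": "backup-admin", "src_ip": "10.0.5.23",
     "logon_type": 3, "auth_pkg": "NTLM", "key_length": 0},
    # Ordinary Kerberos network logon; must not fire
    {"id": 4624, "host": "FS01", "user": "alice", "src_ip": "10.0.9.4",
     "logon_type": 3, "auth_pkg": "Kerberos", "key_length": 256},
    # RDP session (logon type 10) to the Veeam server by the same account and source
    {"id": 4624, "host": "VEEAM01", "user": "backup-admin", "src_ip": "10.0.5.23",
     "logon_type": 10, "auth_pkg": "Negotiate", "key_length": 128},
    # PsExec dropped its service on the hypervisor (System log 7045)
    {"id": 7045, "host": "HYPERV01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Defender real-time protection disabled on the Veeam server (Defender 5001)
    {"id": 5001, "host": "VEEAM01", "provider": "Microsoft-Windows-Windows Defender"},
]


def pth_candidates(events):
    """4624 / LogonType 3 / NTLM / KeyLength 0 against an admin account.
    Known-noisy heuristic: any NTLM network logon without a session key
    matches, so scope to admin accounts and correlate with what follows."""
    return [e for e in events
            if e["id"] == 4624 and e.get("logon_type") == 3
            and e.get("auth_pkg") == "NTLM" and e.get("key_length") == 0
            and e["user"].lower() in ADMIN_ACCOUNTS]


def rdp_to_backup_hosts(events):
    """Interactive RDP logons (type 10) onto backup or hypervisor hosts."""
    return [e for e in events if e["id"] == 4624
            and e.get("logon_type") == 10 and e["host"] in BACKUP_HOSTS]


def psexec_installs(events):
    """Service-install events whose name or binary is PsExec's PSEXESVC."""
    return [e for e in events if e["id"] == 7045
            and ("psexesvc" in e.get("service_name", "").lower()
                 or "psexesvc" in e.get("image_path", "").lower())]


def defender_disabled(events):
    """Defender operational log 5001: real-time protection disabled."""
    return [e for e in events if e["id"] == 5001
            and e.get("provider") == "Microsoft-Windows-Windows Defender"]


def credential_stuffing_sources(events, threshold=STUFFING_THRESHOLD):
    """Sources whose failed logons (4625) span at least `threshold` accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            failed[e["src_ip"]].add(e["user"])
    return sorted(ip for ip, users in failed.items() if len(users) >= threshold)


def backup_attack_chain(events):
    """Correlate: PtH-like admin logon -> RDP to a backup host by the same
    account from the same source -> Defender disabled on that host.
    Returns sorted (user, host) pairs; each one is a high-confidence hit."""
    hits = set()
    disabled_hosts = {d["host"] for d in defender_disabled(events)}
    for p in pth_candidates(events):
        for r in rdp_to_backup_hosts(events):
            if (r["user"] == p["user"] and r["src_ip"] == p["src_ip"]
                    and r["host"] in disabled_hosts):
                hits.add((p["user"], r["host"]))
    return sorted(hits)


if __name__ == "__main__":
    print("stuffing sources:", credential_stuffing_sources(EVENTS))
    print("PsExec installs on:", [e["host"] for e in psexec_installs(EVENTS)])
    print("backup attack chain:", backup_attack_chain(EVENTS))
```

The single-signal rules are deliberately loose (the NTLM/KeyLength 0 heuristic in particular fires on legitimate NTLM traffic), and the value comes from `backup_attack_chain`, which only alerts when an admin account's PtH-style logon is followed by RDP to a backup host from the same source and Defender going down there. Backup deletion itself does not appear in Windows logs; that signal has to come from Veeam's own audit log or the object store's access log, which this example does not model.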
The motivation appears to be purely financial: the attackers went for a quick ransom rather than data exfiltration or high-profile leaks. The tactics were standard rather than novel, but organizations in the education sector should still treat them as a live threat and invest in defenses that survive a compromised domain administrator, in particular off-site or immutable backups that an attacker holding admin credentials cannot delete, since backup destruction was a deliberate step in these intrusions.
The absence of any identifiable organizational structure behind the operators makes attribution to a specific group difficult. The focus on the education sector, however, fits established victimology: financially motivated cybercrime gravitating toward organizations with limited security resources.
The practical response is a layered defense and resilient backup infrastructure: MFA on VPN access, monitoring for pass-the-hash and PsExec activity, tamper protection on endpoint security, and backups that are tested and kept out of reach of the production domain. Organizations that secure their networks and data along these lines limit the impact of such attacks and reduce their exposure to data loss and extortion.

