New Ransomware Variant "Fog" Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named "Fog," which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 

Fog ransomware typically gains its initial foothold through compromised VPN credentials, abusing remote access systems from two different VPN gateway vendors to enter victim networks.

Once inside the network, the attackers employ various techniques, including:

- Pass-the-hash activity
- Credential stuffing
- Deployment of PsExec across multiple systems

The group also uses RDP/SMB to reach targeted hosts and disables Windows Defender on Windows Servers to maintain its foothold.

Working of Fog Ransomware

Fog ransomware operates using a JSON-based configuration block that orchestrates activities both pre- and post-encryption. The attackers deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing the encryption.

Additionally, Fog ransomware targets VMDK files in virtual machine storage and deletes both backups held in Veeam object storage and Windows volume shadow copies. It uses an embedded public key for encryption and appends unique extensions (.FOG and .FLOCKED) to the encrypted files. Unlike many other ransomware types, Fog does not engage in data exfiltration; instead, it focuses on quickly encrypting VM storage data and demanding ransoms for decryption.

The encryptor binary of the Fog ransomware employs several well-known techniques. First, it creates a log file named DbgLog.sys in the %AppData% directory. Next, it uses the NT API, via the NtQuerySystemInformation function, to gather system information such as the number of logical processors so that it can size its encryption work to the host. The encryption itself relies on the legacy Windows CryptoAPI functions CryptImportKey and CryptEncrypt. After the encryption process is completed, the attackers leave a ransom note, typically named readme.txt, providing instructions for contacting them to obtain decryption keys.
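The file-system traces described in the two paragraphs above (the .FOG/.FLOCKED extensions, the readme.txt note and the DbgLog.sys file under %AppData%) are enough for a simple triage scan. The following is an added example, not Arctic Wolf's tooling or anything from the original post; it walks a directory tree, collects those indicators and scores the result, and the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the description above (hypothetical scanner, not
# Arctic Wolf's tooling): encrypted-file extensions, the ransom note name
# and the DbgLog.sys file the encryptor writes under %AppData%.
ENCRYPTED_EXTENSIONS = {".fog", ".flocked"}
RANSOM_NOTE_NAME = "readme.txt"
DEBUG_LOG_NAME = "dbglog.sys"


def scan_tree(root):
    """Walk `root` and collect Fog-style file indicators (case-insensitive)."""
    root = Path(root)
    found = {"encrypted": Counter(), "ransom_notes": [], "debug_logs": []}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            lower = name.lower()
            if Path(lower).suffix in ENCRYPTED_EXTENSIONS:
                found["encrypted"][Path(lower).suffix] += 1
            elif lower == RANSOM_NOTE_NAME:
                found["ransom_notes"].append(rel_dir)
            # DbgLog.sys only counts when it sits under an AppData path
            elif lower == DEBUG_LOG_NAME and "appdata" in rel_dir.lower():
                found["debug_logs"].append(rel_dir)
    return found


def assess(found, min_encrypted=5):
    """Encrypted files plus a note or log is strong evidence; either alone is weak."""
    total = sum(found["encrypted"].values())
    if total >= min_encrypted and (found["ransom_notes"] or found["debug_logs"]):
        return "likely-fog-encryption"
    if total or found["ransom_notes"] or found["debug_logs"]:
        return "suspicious"
    return "clean"


def build_sample_tree():
    """Constructed sample layout (not real victim data) so the scan runs offline."""
    tmp = tempfile.mkdtemp()
    names = [f"vm-store/vm{i:02d}.vmdk.FOG" for i in range(5)]
    names += ["vm-store/share.vmdk.flocked", "vm-store/readme.txt",
              "Users/svc/AppData/Roaming/DbgLog.sys",  # matches %AppData% placement
              "Windows/System32/DbgLog.sys",           # outside AppData: ignored
              "docs/report.docx", "docs/readme.md"]    # benign files
    for rel in names:
        path = Path(tmp, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
    return tmp
```

Run `assess(scan_tree(build_sample_tree()))` to see the verdict for the constructed tree; on a real host, point `scan_tree` at the VM datastore or user profile root instead.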

An analysis of these ransom notes shows that the Fog ransomware group demands payments that can reach hundreds of thousands of dollars, offering decryption keys and assurances of data deletion in return.

Organizations, particularly in the education and recreation sectors, should prioritize strengthening their defenses: protect and properly manage VPN credentials, and keep backups up to date and isolated from the production network so that a ransomware attack has limited impact.