
Adlumin Thwarts Fog Ransomware Attack Using Innovative Decoy Technology


In early August 2024, cybercriminals launched a ransomware attack on a mid-sized financial firm using compromised VPN credentials, deploying the “Fog” ransomware variant on both Windows and Linux endpoints. However, Adlumin’s cutting-edge technology successfully stopped the attack by employing decoy files as sensors to detect ransomware activity.

Fog is a variant of the STOP/DJVU ransomware family, first identified in 2021, known for exploiting VPN vulnerabilities to infiltrate networks, primarily targeting education and recreation sectors. Once inside, it employs advanced tactics like pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files, and delete backups, forcing victims to consider paying a ransom. Encrypted files are marked with extensions such as ‘.FOG’ or ‘.FLOCKED’, accompanied by a ransom note directing victims to a Tor-based negotiation platform.

Network Discovery and Lateral Movement: Attackers initiated network discovery using pings and advanced port scanning tools, mapping drives with compromised service accounts. The infiltration was traced back to an IP address in Russia, with lateral movement facilitated through domain trust relationships and credential harvesting using the ‘esentutl.exe’ utility.

Execution and Ransomware Propagation: The attackers used ‘Rclone’ to exfiltrate data and deployed ‘locker.exe’ to encrypt files, placing ransom notes on all infected endpoints and deleting shadow copies to hinder recovery efforts.

Adlumin’s Ransomware Prevention: As the attack escalated, Adlumin’s Ransomware Prevention feature automatically isolated affected machines, preventing data theft and locking out the attackers. Launched in April 2024, this patented technology uses scripts embedded within the Adlumin Security Platform Agent to monitor and respond to malicious activities in real time. By deploying decoy files, the system detects ransomware attempts early, isolating compromised endpoints to prevent further damage.

Recovery and Recommendations: Following isolation, security engineers restored the systems, eliminating the threat. Adlumin recommends measures such as multi-factor authentication, regular software updates, network monitoring, and employing comprehensive security platforms like Adlumin’s to protect against ransomware attacks. Organizations are also advised to establish incident response plans, limit administrative privileges, and regularly back up critical data in secure environments.

Protecting Against Fog Ransomware: Key Strategies and Insights


In August 2024, a mid-sized financial firm was targeted by a ransomware attack using compromised VPN credentials to deploy a variant called “Fog” on both Windows and Linux systems. Fortunately, the attack was detected and neutralized by Adlumin’s innovative technology, which uses decoy files as sensors to detect ransomware activity. Fog, a variant of the STOP/DJVU ransomware family first observed in 2021, exploits compromised VPN credentials to breach networks and often targets sectors like education and recreation. 

Once inside, the ransomware uses techniques such as pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files like Virtual Machine Disks (VMDKs), and delete backup data. Victims are usually directed to a negotiation platform on the Tor network through a ransom note. The lack of direct ties to known threat groups suggests that Fog may originate from a new, highly skilled actor. The attackers initiated their operation by pinging endpoints and using tools like “Advanced Port Scanner” for network reconnaissance. 

They then moved laterally through the network using compromised service accounts, mapped network drives, and harvested credentials. For execution, they used the open-source tool ‘Rclone’ to transfer data and deployed ‘locker.exe’ to encrypt files. Additionally, they deleted system backups to prevent victims from restoring their data. Adlumin’s Ransomware Prevention feature played a critical role in neutralizing the attack. This technology, launched in April 2024, uses decoy files that lie dormant until ransomware activity is detected, triggering the automatic isolation of affected machines and blocking further data theft. 

The feature alerts security teams for a deeper investigation, representing a significant advancement in the fight against ransomware. After isolating compromised systems, security engineers conducted a thorough analysis to identify vulnerabilities and restore the affected systems. In the aftermath of the attack, several key measures were recommended to prevent future incidents: ensuring all VPN connections require Multi-Factor Authentication (MFA), keeping VPN software up to date, monitoring VPN access for unusual activity, and deploying automated isolation procedures when ransomware is detected. 

It is also important to protect endpoints with comprehensive security platforms capable of real-time threat monitoring and response, limit administrative privileges, conduct regular security audits, and establish effective incident response plans. Additionally, organizations should regularly back up critical data in secure environments and monitor network traffic for signs of unusual or malicious activity. These proactive steps help organizations prepare for and mitigate the impact of sophisticated ransomware threats like Fog.

New Ransomware Variant "Fog" Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named "Fog," which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 

Fog ransomware typically infiltrates victim networks through compromised VPN credentials, exploiting vulnerabilities in remote access systems from two different VPN gateway vendors; in the observed cases the attackers gained unauthorized access with stolen VPN credentials.

Once inside the network, the attackers employ various techniques, including pass-the-hash activity, credential stuffing, and deployment of PsExec across multiple systems. The group also utilizes RDP/SMB protocols to reach targeted hosts and disables Windows Defender on Windows Servers to maintain its foothold.

Working of Fog Ransomware

Fog ransomware operates using a JSON-based configuration block that orchestrates activities both pre- and post-encryption. The attackers deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing the encryption.

Additionally, Fog ransomware targets VMDK files in Virtual Machine storage and deletes backups from Veeam object storage as well as Windows volume shadow copies. It employs an embedded public key for encryption and appends unique extensions (.FOG and .FLOCKED) to the encrypted files. Unlike many other ransomware types, Fog does not engage in data exfiltration; instead, it focuses on quickly encrypting VM storage data, demanding ransoms for decryption.

The encryptor binary of the Fog ransomware employs several well-known techniques. First, it creates a log file named DbgLog.sys in the %AppData% directory. Next, it utilizes the NT API to gather system information via the NtQuerySystemInformation function, such as the number of logical processors, to enhance its encryption efficiency. The encryption itself uses outdated Windows APIs like CryptImportKey and CryptEncrypt. After the encryption process is completed, the attackers leave a ransom note, typically called 'readme.txt,' providing instructions for contacting them to obtain decryption keys. 

An analysis of these ransom notes shows that the Fog ransomware group demands ransom payments that can reach hundreds of thousands of dollars, offering decryption keys and assurances of data deletion in return. Organizations, particularly in the education and recreation sectors, should prioritize enhancing their cybersecurity defenses by implementing robust security measures, ensuring the protection and proper management of VPN credentials, and maintaining up-to-date and secure backups to mitigate the potential impact of ransomware attacks.
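A minimal version of the decoy-file sensor described in the two Adlumin posts above, combined with the file-level indicators from this post (the .FOG/.FLOCKED extensions and the readme.txt ransom note). This is an added example, not Adlumin's or Arctic Wolf's code; the decoy names, the directory layout and the simulated encryption scenario are constructed assumptions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the posts above: the extensions Fog appends and the
# ransom-note filename. Decoy names and layout are assumptions for this example.
FOG_EXTENSIONS = {".fog", ".flocked"}
RANSOM_NOTE = "readme.txt"

def plant_decoys(root: Path, count: int = 3) -> dict:
    """Create decoy files and return a baseline {path: sha256 hex digest}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        decoy = root / f"decoy_{i}.docx"  # assumed naming scheme
        decoy.write_bytes(f"canary-{i}\n".encode() * 64)
        baseline[decoy] = hashlib.sha256(decoy.read_bytes()).hexdigest()
    return baseline

def check_decoys(root: Path, baseline: dict) -> list:
    """Return sorted (kind, path) alerts; an empty list means no tampering."""
    alerts = []
    for decoy, digest in baseline.items():
        if not decoy.exists():  # renamed or deleted by an encryptor
            alerts.append(("decoy_missing", str(decoy)))
        elif hashlib.sha256(decoy.read_bytes()).hexdigest() != digest:
            alerts.append(("decoy_modified", str(decoy)))  # overwritten in place
    for entry in root.iterdir():
        if entry.suffix.lower() in FOG_EXTENSIONS:
            alerts.append(("ransomware_extension", str(entry)))
        if entry.name.lower() == RANSOM_NOTE:
            alerts.append(("ransom_note", str(entry)))
    return sorted(alerts)  # in production, any alert would trigger host isolation

def simulate_fog_encryption(root: Path) -> None:
    """Constructed scenario: overwrite one decoy, rename another, drop a note."""
    decoys = sorted(root.glob("decoy_*.docx"))
    decoys[0].write_bytes(os.urandom(256))
    decoys[1].rename(decoys[1].with_name(decoys[1].name + ".FOG"))
    (root / RANSOM_NOTE).write_text("constructed ransom note, not a real one\n")

def demo() -> list:
    """Plant decoys, confirm a clean check, simulate Fog, return alert kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        baseline = plant_decoys(root)
        clean = check_decoys(root, baseline)  # expected to be empty
        simulate_fog_encryption(root)
        return clean + [kind for kind, _ in check_decoys(root, baseline)]
```

Running `demo()` returns the four alert kinds raised after the simulated encryption; a real sensor would run `check_decoys` continuously and hand any non-empty result to the isolation step the posts describe.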