In early August 2024, cybercriminals launched a ransomware attack on a mid-sized financial firm using compromised VPN credentials, deploying the “Fog” ransomware variant on both Windows and Linux endpoints. However, Adlumin’s cutting-edge technology successfully stopped the attack by employing decoy files as sensors to detect ransomware activity.
Fog is a variant of the STOP/DJVU ransomware family, first identified in 2021, known for exploiting VPN vulnerabilities to infiltrate networks, primarily targeting education and recreation sectors. Once inside, it employs advanced tactics like pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files, and delete backups, forcing victims to consider paying a ransom. Encrypted files are marked with extensions such as ‘.FOG’ or ‘.FLOCKED,’ accompanied by a ransom note directing victims to a Tor-based negotiation platform.
Network Discovery and Lateral Movement: Attackers initiated network discovery using pings and advanced port scanning tools, mapping drives with compromised service accounts. The infiltration was traced back to an IP address in Russia, with lateral movement facilitated through domain trust relationships and credential harvesting using the ‘esentutl.exe’ utility.
Execution and Ransomware Propagation: The attackers used ‘Rclone’ to exfiltrate data and deployed ‘locker.exe’ to encrypt files, placing ransom notes on all infected endpoints and deleting shadow copies to hinder recovery efforts.
Adlumin’s Ransomware Prevention: As the attack escalated, Adlumin’s Ransomware Prevention feature automatically isolated affected machines, preventing data theft and locking out the attackers. Launched in April 2024, this patented technology uses scripts embedded within the Adlumin Security Platform Agent to monitor and respond to malicious activities in real time. By deploying decoy files, the system detects ransomware attempts early, isolating compromised endpoints to prevent further damage.
Recovery and Recommendations: Following isolation, security engineers restored the systems, eliminating the threat. Adlumin recommends measures such as multi-factor authentication, regular software updates, network monitoring, and employing comprehensive security platforms like Adlumin’s to protect against ransomware attacks. Organizations are also advised to establish incident response plans, limit administrative privileges, and regularly back up critical data in secure environments.