FOG (Ransomware) – Malware

July 22, 2024

FOG

Type of Malware

Ransomware

Date of initial activity

May 2024

Motivation

Financial gain

Attack Vectors

VPN credentials, pass the hash, RDP, credential stuffing, Metasploit, PsExec, Tor

Tools

PsExec, Metasploit, SoftPerfect Network Scanner, Advanced Port Scanner, SharpShares, Veeam-Get-Creds.ps1

Targeted System

Virtual environments, Windows servers (Hyper-V), Veeam

Overview

Arctic Wolf Labs has identified a significant emergence of a new ransomware variant named Fog, which has been actively targeting organizations in the United States since May 2024. The primary sectors affected include education and recreation, indicating a deliberate focus on institutions with critical data and operational dependencies. The initial access vector observed in these attacks involves the exploitation of compromised VPN credentials, underscoring the vulnerability of remote access services in organizational security postures. Once inside the network, threat actors deploy sophisticated tactics such as credential stuffing and pass-the-hash techniques to escalate privileges and move laterally across the environment. Key tools utilized in these attacks include PsExec for remote execution and PowerShell scripts like Veeam-Get-Creds.ps1 to extract credentials from compromised systems, facilitating deeper penetration into victim networks. Notably, threat actors disable security defenses such as Windows Defender to operate undetected while encrypting data. The ransomware itself exhibits typical behaviors observed in similar variants, leveraging encryption techniques and appending specific file extensions (.FOG and .FLOCKED) to encrypted files. Each attack concludes with the deletion of volume shadow copies using system tools like vssadmin.exe, hindering recovery efforts.

Targets

Education, Recreation

How they operate

The Fog ransomware follows a detailed operational sequence designed to infiltrate, encrypt data, and demand ransom from its victims:
  • Initial Access: Fog gains entry into victim networks primarily through compromised VPN credentials. This initial access vector allows threat actors to bypass perimeter defenses and gain a foothold inside the network.
  • Credential Access: Once inside, Fog focuses on obtaining additional credentials through techniques like pass-the-hash and credential stuffing. These methods help escalate privileges and facilitate further movement across the network.
  • Lateral Movement: With credentials in hand, Fog uses tools such as PsExec to move laterally within the network. PsExec enables remote execution of commands on other systems, allowing the ransomware to spread to more machines.
  • Execution and Encryption: Fog disables Windows Defender and other security tools to avoid detection. It then encrypts files using a multi-threaded encryption routine designed to swiftly encrypt large volumes of data, including VM storage and other critical files.
  • Impact: To maximize the impact and prevent recovery, Fog deletes volume shadow copies using commands like vssadmin.exe delete shadows /all /quiet. This eliminates the possibility of restoring files from backup copies stored within the system.
  • Ransom Note: After encryption is complete, Fog leaves ransom notes on infected systems. These notes typically demand payment in cryptocurrency in exchange for decryption keys and include instructions on how victims can contact the attackers via anonymous communication channels like Tor.
  • Persistence: To ensure continued access and control over infected systems, Fog may create backdoor accounts or use other persistence mechanisms, maintaining access for potential future attacks or ransom negotiations.
  • Tools and Techniques: Fog utilizes a variety of tools during its operation, including network scanners like SoftPerfect Network Scanner and Advanced Port Scanner, as well as credential extraction scripts like Veeam-Get-Creds.ps1. These tools help with reconnaissance, lateral movement, and credential theft across the network.
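The stages above each leave a host-level trace a defender can look for: a shadow-copy deletion in a process-creation event, Defender being switched off, the PsExec service being installed, a new local account, and files being written with the .FOG or .FLOCKED extension. The following is an added example, not code from the article or from Arctic Wolf's report: a small rule-based detector that walks constructed Windows/Sysmon-style events, flags each of those behaviours with the technique ID from the mapping below, and then correlates findings per host so that a machine showing several stages is escalated. The event dictionaries, their field names and the host names are all assumptions made for the example.

```python
"""Added example (not from the CyberMaterial article or Arctic Wolf's report):
rule-based detection of the Fog host behaviours over constructed events,
with per-host correlation. Event shapes and field names are assumed."""
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. The fields are a simplified
# stand-in for Security log (4688 process creation, 4720 account created),
# System log (7045 service installed) and Sysmon (11 file create) records.
SAMPLE_EVENTS = [
    {"host": "srv-hv01", "event_id": 4688,
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-hv01", "event_id": 4688,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-022", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "srv-fs01", "event_id": 4720, "target_user": "backupadm"},
    {"host": "srv-fs01", "event_id": 11,
     "target_filename": r"D:\vms\fileserver.vhdx.FOG"},
    {"host": "ws-010", "event_id": 4688,                      # benign control event
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Each rule: (name, technique ID from the article's MITRE mapping, predicate over one event).
RULES = [
    ("shadow_copy_deletion", "T1490",
     lambda e: e.get("event_id") == 4688
     and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows",
                   e.get("command_line", ""), re.I)),
    ("defender_tampering", "T1562.001",
     lambda e: e.get("event_id") == 4688
     and re.search(r"Set-MpPreference\s+-Disable\w+",
                   e.get("command_line", ""), re.I)),
    ("psexec_service_install", "T1569.002",
     lambda e: e.get("event_id") == 7045
     and e.get("service_name", "").upper() == "PSEXESVC"),
    ("local_account_created", "T1136.001",
     lambda e: e.get("event_id") == 4720),
    ("ransomware_extension_written", "T1486",
     lambda e: e.get("event_id") == 11
     and re.search(r"\.(FOG|FLOCKED)$", e.get("target_filename", ""), re.I)),
]


def detect(events):
    """Return one finding per (event, rule) match: host, rule name and technique ID."""
    findings = []
    for event in events:
        for name, technique, predicate in RULES:
            if predicate(event):
                findings.append({"host": event["host"], "rule": name, "technique": technique})
    return findings


def correlate(findings, min_stages=2):
    """Group findings by host; a host showing at least `min_stages` distinct
    techniques is returned for escalation, mapped to its sorted technique list."""
    by_host = defaultdict(set)
    for finding in findings:
        by_host[finding["host"]].add(finding["technique"])
    return {host: sorted(techs) for host, techs in by_host.items()
            if len(techs) >= min_stages}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f"{hit['host']:10} {hit['technique']:10} {hit['rule']}")
    print("escalate:", correlate(hits))
```

Run stand-alone, the script flags five of the six constructed events (the notepad launch is the control) and escalates srv-hv01 and srv-fs01, the two hosts on which more than one stage appears. The single-stage rules are deliberately broad (any 4720, any PSEXESVC install) because each is noisy on its own; the per-host correlation is what turns them into a usable alert.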

MITRE tactics and techniques

Initial Access
  • External Remote Services (T1133)
  • Valid Accounts (Compromised VPN Credentials) (T1078)
Discovery
  • Network Service Discovery (SoftPerfect Network Scanner, Advanced Port Scanner) (T1046)
  • Network Share Discovery (SharpShares) (T1135)
Lateral Movement
  • Remote Services (T1021)
  • Remote Desktop Protocol (T1021.001)
  • SMB/Windows Admin Shares (T1021.002)
  • Lateral Tool Transfer (PsExec) (T1570)
Credential Access
  • OS Credential Dumping (T1003)
  • NTDS (T1003.003)
  • Credentials from Password Stores (T1555)
  • Credentials Manager (T1555.004)
  • Brute Force (T1110)
  • Credential Stuffing (T1110.004)
Persistence
  • Create Account (T1136)
  • Local Account (Administrator) (T1136.001)
Execution
  • Command and Scripting Interpreter (T1059)
  • Windows Command Shell (T1059.003)
  • System Services (T1569)
  • Service Execution (PsExec) (T1569.002)
Defense Evasion
  • Impair Defenses (T1562)
  • Disable or Modify Tools (Windows Defender/AV) (T1562.001)
  • Use Alternate Authentication Material (T1550)
  • Pass the Hash (T1550.002)
  • Valid Accounts (T1078)
Impact
  • Data Encrypted for Impact (T1486)
  • Inhibit System Recovery (T1490)
  • Service Stop (T1489)
References:
  • Lost in the Fog: A New Ransomware Threat
  • ‘Fog’ Ransomware Rolls in to Target Education, Recreation Sectors