| FOG | |
|---|---|
| Type of Malware | Ransomware |
| Date of initial activity | May 2024 |
| Motivation | Financial gain |
| Attack Vectors | VPN credentials, pass the hash, RDP, credential stuffing, Metasploit, PsExec, Tor |
| Tools | PsExec, Metasploit, SoftPerfect Network Scanner, Advanced Port Scanner, SharpShares, Veeam-Get-Creds.ps1 |
| Targeted System | Virtual environments, Windows servers (Hyper-V), Veeam |
Overview
Arctic Wolf Labs has identified a significant emergence of a new ransomware variant named Fog, which has been actively targeting organizations in the United States since May 2024. The primary sectors affected include education and recreation, indicating a deliberate focus on institutions with critical data and operational dependencies.
The initial access vector observed in these attacks involves the exploitation of compromised VPN credentials, underscoring the vulnerability of remote access services in organizational security postures. Once inside the network, threat actors deploy sophisticated tactics such as credential stuffing and pass-the-hash techniques to escalate privileges and move laterally across the environment.
Key tools utilized in these attacks include PsExec for remote execution and PowerShell scripts like Veeam-Get-Creds.ps1 to extract credentials from compromised systems, facilitating deeper penetration into victim networks. Notably, threat actors disable security defenses such as Windows Defender to operate undetected while encrypting data.
The ransomware itself exhibits behaviors typical of similar variants: it encrypts files and appends the .FOG and .FLOCKED file extensions to the encrypted files. Each attack concludes with the deletion of volume shadow copies using system tools like vssadmin.exe, hindering recovery efforts.
Targets
Education, Recreation
How they operate
The Fog ransomware follows a detailed operational sequence designed to infiltrate, encrypt data, and demand ransom from its victims:
Initial Access: Fog gains entry into victim networks primarily through compromised VPN credentials. This initial access vector allows threat actors to bypass perimeter defenses and gain a foothold inside the network.
Credential Access: Once inside, Fog focuses on obtaining additional credentials through techniques like pass-the-hash and credential stuffing. These methods help escalate privileges and facilitate further movement across the network.
Lateral Movement: With credentials in hand, Fog uses tools such as PsExec to move laterally within the network. PsExec enables remote execution of commands on other systems, allowing the ransomware to spread and infect more machines.
Execution and Encryption: Fog disables Windows Defender and other security tools to avoid detection. It then proceeds to encrypt files using a multi-threaded encryption routine. This routine is designed to swiftly encrypt large volumes of data, including VM storage and other critical files.
Impact: To maximize the impact and prevent recovery, Fog deletes volume shadow copies using commands like vssadmin.exe delete shadows /all /quiet. This removes the possibility of restoring files from the shadow copies stored on the system itself.
Ransom Note: After encryption is complete, Fog leaves behind ransom notes on infected systems. These notes typically demand payment in cryptocurrency in exchange for decryption keys. They include instructions on how victims can contact the attackers via anonymous communication channels like Tor.
Persistence: To ensure continued access and control over infected systems, Fog may create backdoor accounts or utilize other persistence mechanisms. This allows the ransomware to maintain access for potential future attacks or ransom negotiations.
Tools and Techniques: Fog utilizes a variety of tools during its operation, including network scanners like SoftPerfect Network Scanner and Advanced Port Scanner, as well as credential extraction scripts like Veeam-Get-Creds.ps1. These tools help in reconnaissance, lateral movement, and credential theft across the network.
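Three of the steps above leave well-known traces in standard Windows logs: PsExec installs the PSEXESVC service (System log, Event ID 7045), turning off Windows Defender real-time protection is recorded as Event ID 5001 in the Defender operational log, and the shadow-copy deletion appears as a vssadmin.exe process creation (Security log, Event ID 4688) with "delete shadows" on the command line. The Python below is an added illustration of how a detection engineer might correlate those traces per host; it is not code from Arctic Wolf's report or from any Fog sample. The sample events, hostnames, timestamps and the one-hour correlation window are constructed assumptions, and the wmic form of shadow-copy deletion is a generalization beyond the vssadmin command named on this page (both fall under T1490).

```python
"""Stage-based detection of the Fog operational sequence in Windows event logs.

PsExec service installation, Defender real-time protection being disabled and
shadow-copy deletion are mapped to ATT&CK IDs and correlated per host. The
full sequence on one host within a short window is far stronger evidence than
any single event, and a lone PsExec install is rated low because it is common
in legitimate administration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events from the campaign). Hostnames,
# timestamps and service names are made up; the Event IDs and field names
# follow the Windows Security, System and Defender operational logs.
SAMPLE_EVENTS = [
    # FS01: full sequence -> PsExec, Defender off, shadow copies deleted
    {"host": "FS01", "ts": "2024-05-10T02:11:03", "EventID": 7045,
     "Channel": "System", "ServiceName": "PSEXESVC"},
    {"host": "FS01", "ts": "2024-05-10T02:12:40", "EventID": 5001,
     "Channel": "Microsoft-Windows-Windows Defender/Operational"},
    {"host": "FS01", "ts": "2024-05-10T02:14:15", "EventID": 4688,
     "Channel": "Security",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # ADM03: a lone PsExec install, plausibly an administrator at work
    {"host": "ADM03", "ts": "2024-05-10T08:00:00", "EventID": 7045,
     "Channel": "System", "ServiceName": "PSEXESVC"},
    # WS22: benign noise that must not match
    {"host": "WS22", "ts": "2024-05-10T09:30:00", "EventID": 4688,
     "Channel": "Security",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"host": "WS22", "ts": "2024-05-10T09:31:00", "EventID": 7045,
     "Channel": "System", "ServiceName": "Spooler"},
]

# The vssadmin form named in the write-up, plus the wmic equivalent (same
# technique, T1490). Matching is case-insensitive and tolerant of spacing.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def classify(event):
    """Map one event to (stage, ATT&CK ID, detail), or None if not of interest."""
    eid = event.get("EventID")
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return ("lateral_movement", "T1569.002", "PsExec service (PSEXESVC) installed")
    if eid == 5001 and "Windows Defender" in event.get("Channel", ""):
        return ("defense_evasion", "T1562.001", "Defender real-time protection disabled")
    if eid == 4688 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return ("impact", "T1490", "shadow copies deleted: " + event["CommandLine"])
    return None


def correlate(events, window=timedelta(hours=1), min_stages=2):
    """Group hits per host and rate them.

    Shadow-copy deletion is critical on its own; two or more distinct stages
    within `window` of each other is high; a single stage is low.
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is not None:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]),) + hit)

    alerts = []
    for host, hits in sorted(per_host.items()):
        stages = {stage for _, stage, _, _ in hits}
        in_window = hits[-1][0] - hits[0][0] <= window
        if "impact" in stages:
            severity = "critical"
        elif len(stages) >= min_stages and in_window:
            severity = "high"
        else:
            severity = "low"
        alerts.append({
            "host": host,
            "severity": severity,
            "stages": sorted(stages),
            "techniques": sorted({tid for _, _, tid, _ in hits}),
            "first_seen": hits[0][0].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, FS01 is rated critical with all three techniques, ADM03 is rated low on its single PsExec install, and WS22 produces no hit at all because "vssadmin.exe list shadows" and an ordinary service install do not match. In a real deployment the events would come from a SIEM query over the Security, System and Defender operational channels rather than from an inline list.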
MITRE tactics and techniques
Initial Access
- External Remote Services (T1133)
- Valid Accounts (Compromised VPN Credentials) (T1078)
Discovery
- Network Service Discovery (SoftPerfect Network Scanner, Advanced Port Scanner) (T1046)
- Network Share Discovery (SharpShares) (T1135)
Lateral Movement
- Remote Services (T1021)
  - Remote Desktop Protocol (T1021.001)
  - SMB/Windows Admin Shares (T1021.002)
- Lateral Tool Transfer (PsExec) (T1570)
Credential Access
- OS Credential Dumping (T1003)
  - NTDS (T1003.003)
- Credentials from Password Stores (T1555)
  - Windows Credential Manager (T1555.004)
- Brute Force (T1110)
  - Credential Stuffing (T1110.004)
Persistence
- Create Account (T1136)
  - Local Account (Administrator) (T1136.001)
Execution
- Command and Scripting Interpreter (T1059)
  - Windows Command Shell (T1059.003)
- System Services (T1569)
  - Service Execution (PsExec) (T1569.002)
Defense Evasion
- Impair Defenses (T1562)
  - Disable or Modify Tools (Windows Defender/AV) (T1562.001)
- Use Alternate Authentication Material (T1550)
  - Pass the Hash (T1550.002)
- Valid Accounts (T1078)
Impact
- Data Encrypted for Impact (T1486)
- Inhibit System Recovery (T1490)
- Service Stop (T1489)