Fog ransomware, a variant from the STOP/DJVU family, has recently shifted its focus from educational and recreational sectors to more profitable targets in the finance industry. Initially detected in 2021, Fog ransomware gained attention for its use of compromised VPN credentials to infiltrate networks. In August 2024, threat actors used these credentials to launch a targeted attack against a mid-sized financial institution. Once inside the network, the ransomware sought to encrypt sensitive data on endpoints running both Windows and Linux operating systems, threatening to disrupt the institution’s operations.
Fog ransomware is particularly dangerous due to its sophisticated tactics and ability to escalate privileges within a compromised network. It typically employs pass-the-hash attacks to gain administrative access, allowing it to disable security features and begin encrypting critical files, including Virtual Machine Disks (VMDKs). The ransomware also deletes backup data, leaving victims with no option other than to pay the ransom. Files encrypted by Fog usually carry extensions like “.FOG” or “.FLOCKED,” and a ransom message is displayed on the compromised endpoints, directing victims to a Tor-based negotiation platform.
The attackers behind this campaign used a variety of tools for reconnaissance and lateral movement across the network. They began with network discovery, pinging different destinations and running ‘Advanced_Port_Scanner_2.5.3869(1).exe’ to scan for vulnerable hosts. Using compromised service accounts, they moved laterally through the network and copied login information and encrypted credentials from various endpoints with the Microsoft utility “esentutl.exe.” The ransomware itself was deployed through the “locker.exe” tool, which encrypted files, and the attackers deleted system shadow copies to prevent recovery.
Adlumin’s advanced Ransomware Prevention technology played a key role in stopping the attack, isolating compromised devices and halting data theft. The platform uses decoy files as sensors to detect ransomware activity within the network, preventing further damage. To protect against similar attacks, experts recommend organizations implement multi-factor authentication (MFA), keep VPN software updated, monitor VPN access, and isolate impacted endpoints. Additionally, applying the principle of least privilege, backing up essential data, and having a comprehensive incident response plan are crucial steps to minimize the risks of ransomware attacks like Fog.
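The tradecraft described above (port-scanner execution, esentutl.exe file copies, shadow-copy deletion, locker.exe, and the .FOG/.FLOCKED extensions) maps directly onto process-creation and file-event telemetry. The following triage script is an added example, not code from the article or from Adlumin; the event field names, the vssadmin command line and the sample events are constructed assumptions for illustration.

```python
import re

# Constructed rules for the tradecraft described above; the field names and
# the vssadmin command line are assumptions of this example, not from the page.
RULES = [
    ("advanced-port-scanner", "process", re.compile(r"advanced_port_scanner", re.I)),
    ("esentutl-copy", "process", re.compile(r"esentutl\.exe.*\s/y\b", re.I)),
    ("shadow-copy-deletion", "process", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("locker-binary", "process", re.compile(r"(^|\\)locker\.exe\b", re.I)),
    ("fog-extension", "file", re.compile(r"\.(fog|flocked)$", re.I)),
]

# Rules that on their own indicate the encryption stage rather than staging.
IMPACT_RULES = {"shadow-copy-deletion", "locker-binary", "fog-extension"}

def match_event(event):
    """Return the names of every rule the event trips (empty list if none)."""
    kind = event["kind"]
    field = event["cmdline"] if kind == "process" else event["path"]
    return [name for name, k, pat in RULES if k == kind and pat.search(field)]

def triage(events):
    """Triage one host's events: returns (set of rule hits, verdict)."""
    hits = {name for ev in events for name in match_event(ev)}
    if hits & IMPACT_RULES:
        verdict = "ransomware-impact"   # isolate the host now
    elif len(hits) >= 2:
        verdict = "staging-suspected"   # recon plus credential access
    elif hits:
        verdict = "single-indicator"
    else:
        verdict = "clean"
    return hits, verdict

# Constructed sample events for one host (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "process", "cmdline": r"ping -n 1 10.0.0.5"},
    {"kind": "process", "cmdline": r"C:\Users\svc_bk\Downloads\Advanced_Port_Scanner_2.5.3869(1).exe"},
    {"kind": "process", "cmdline": r'esentutl.exe /y "C:\Users\alice\AppData\Local\Browser\Login Data" /d C:\tmp\ld /o'},
    {"kind": "process", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"kind": "process", "cmdline": r"C:\Temp\locker.exe"},
    {"kind": "file", "path": r"D:\Shares\finance\ledger.xlsx.fog"},
    {"kind": "file", "path": r"D:\Shares\finance\report.docx"},
]

if __name__ == "__main__":
    hits, verdict = triage(SAMPLE_EVENTS)
    print(verdict, sorted(hits))
```

The first three sample events alone (ping, port scanner, esentutl copy) already yield a "staging-suspected" verdict, which is the window in which isolating the endpoint prevents the encryption stage.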