Fog Ransomware: A New Threat Emerges for Education and Recreation Sectors

• Arctic Wolf Labs uncovers “Fog” ransomware, targeting US education and recreation sectors, exploiting compromised VPN credentials and employing sophisticated encryption techniques.
• Fog ransomware demands large ransom payments, encrypts virtual storage data, and requires organizations to strengthen cybersecurity defenses and maintain secure backups.

Arctic Wolf Labs recently identified “Fog,” an advanced ransomware variant targeting organizations within the education and recreation sectors in the US. This variant came to light following several incident response cases reported during May before being made publically known in June, raising serious alarm due to the intricate nature of these attacks.

Fog ransomware typically infiltrates victim networks using compromised VPN credentials stolen by attackers who exploit vulnerabilities found in two different VPN gateway vendors’ remote access systems. By exploiting stolen credentials, attackers gain unauthorized entry.

Once in, attackers employ various techniques, including Pass-the-hash activity, Credential stuffing and Deployment of PsExec across multiple systems. RDP/SMB protocols were utilized to gain entry and disable Windows Defender on servers to maintain their position within a network. Working of Fog Ransomware Fog ransomware operates via JSON-based configuration blocks to orchestrate activities pre and post encryption – as it deploys PsExec before disabling Defender on servers as well as query system files volumes resources prior to commencing encryption processes systematically before proceeding further with encryption activities.

Fog ransomware attacks Virtual Machine storage files (VMDK files), Veeam object storage backups and Windows volume shadow copies; employs an embedded public key for encryption; appends unique file extensions like “.FOG and “FLOCKED”, but unlike many other ransomware types it does not engage in exfiltration; rather it quickly encrypts virtual storage data to demand ransoms to decrypt its encryption.

Fog ransomware employs several well-established techniques in its encryption binary. First, it creates a log file known as DbgLog.sys in the %AppData% directory before gathering system information with NtQuerySystemInformation function such as number of logical processors to enhance encryption efficiency. Furthermore, older Windows APIs like CryptImportKey and CryptEncrypt are utilized during encryption itself for maximum efficiency; once completed attackers leave behind ransom note(readme.txt), detailing how to contact them in order to gain decryption keys for decryption keys for decryption keys for decryption of encrypted data.

An analysis of these ransom notes indicates that Fog ransomware demands ransom payments of hundreds of thousands of dollars from organizations, in return for decryption keys and assurances of data deletion. Education and recreation sectors should prioritize strengthening their cybersecurity defenses through implementation of robust security measures, protecting VPN credentials properly, maintaining up-to-date secure backups as a defense mechanism against ransomware attacks and mitigating the potential impact.