Lost in the Fog: A New Ransomware Threat

On May 2, 2024, Arctic Wolf Labs began monitoring a new ransomware variant named Fog, which has swiftly become a significant threat. This new malware variant has been implicated in several incidents, primarily targeting educational and recreational organizations across the United States.

What is Fog Ransomware?
Fog is a ransomware variant that has emerged as a formidable adversary. Unlike some ransomware operations that project a unified front, Fog represents a tool used by various independent affiliate groups. These groups leverage the ransomware to carry out their attacks, making it challenging to pinpoint a single entity behind the threats.

Attack Vector and Methodology
In the cases investigated, threat actors gained access to victim systems through compromised VPN credentials, utilizing two separate VPN gateway vendors. The attackers exploited these credentials to infiltrate networks, conduct lateral movements, and deploy the ransomware payload.

Key observations from the attack patterns include:

Pass-the-Hash Activity: Attackers used this technique against administrator accounts to establish Remote Desktop Protocol (RDP) connections to critical Windows Servers.
Credential Stuffing: This method facilitated lateral movement across the environment, allowing attackers to spread the ransomware.
PsExec and RDP/SMB Usage: These tools were deployed to access and control various hosts within the victim network.
Disabling Windows Defender: On compromised Windows Servers, attackers disabled security defenses before encrypting files and deleting backups.

The attackers left behind ransom notes with a unique chat code for each incident, but otherwise, the notes were identical, indicating a standardized operation.

Ransomware Payload Analysis
The Fog ransomware payload uses many techniques common to other ransomware families, reflecting a mature design:

Initialization and Logging: The ransomware creates a log file to track its execution status and errors.
System Information Gathering: It references system APIs to gather details about the physical environment, optimizing its encryption process.
Customization via JSON Configuration: The ransomware uses a JSON-based configuration to control its activities, including RSA public key encryption, file extension settings, and the creation of ransom notes.
Volume and File Discovery: It uses standard Windows APIs to identify volumes, network resources, and files to encrypt.
Multi-threaded Encryption: Utilizing the system's logical processors, the ransomware efficiently encrypts files across multiple threads.
Deletion of Volume Shadow Copies: To hinder recovery efforts, Fog deletes shadow copies of volumes using system commands.

Impact and Mitigation
Fog ransomware's rapid adaptation and advanced evasion techniques pose a severe threat to targeted sectors. The malware's ability to bypass security measures, disable defenses, and systematically encrypt crucial data highlights the need for robust cybersecurity strategies.

Organizations are urged to:

Regularly Update and Patch Systems: Ensure that all VPNs, servers, and endpoints are up-to-date with the latest security patches.
Enhance Access Controls: Implement multi-factor authentication (MFA) and strict access controls to protect against unauthorized access.
Backup Data Regularly: Maintain secure, offline backups of critical data to facilitate recovery in the event of an attack.
Monitor for Unusual Activity: Employ advanced threat detection systems to identify and respond to suspicious activities promptly.
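As an added example, not code from the Arctic Wolf report, the Python script below runs detection logic for three of the Windows Server behaviours described above (PsExec service installation, Windows Defender being disabled, and volume shadow copy deletion) over constructed sample event records, and flags any host on which all three were seen. The flattened event shape, the Windows event IDs used (4688, 7045, 5001) and the ATT&CK technique mappings are assumptions of this example, not details from the page.

```python
import json
import re
from collections import defaultdict

# Constructed sample events in a simplified, flattened Windows event shape
# (one JSON object per line, as a log forwarder might emit them).
SAMPLE_EVENTS = r"""
{"EventID": 4688, "Channel": "Security", "Computer": "FS01", "SubjectUserName": "admin", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 7045, "Channel": "System", "Computer": "FS01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 5001, "Channel": "Microsoft-Windows-Windows Defender/Operational", "Computer": "FS01"}
{"EventID": 4688, "Channel": "Security", "Computer": "WS22", "SubjectUserName": "jdoe", "CommandLine": "notepad.exe report.txt"}
{"EventID": 4688, "Channel": "Security", "Computer": "FS01", "SubjectUserName": "admin", "CommandLine": "wmic shadowcopy delete"}
""".strip()

# Command lines that delete volume shadow copies (via vssadmin or WMI).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I
)

def classify(event):
    """Map one event to (ATT&CK technique, description), or None if benign."""
    eid = event.get("EventID")
    if eid == 4688 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return ("T1490", "volume shadow copy deletion")          # Inhibit System Recovery
    if eid == 7045 and event.get("ServiceName", "").upper() == "PSEXESVC":
        return ("T1569.002", "PsExec service installed")         # Service Execution
    if eid == 5001 and "Windows Defender" in event.get("Channel", ""):
        return ("T1562.001", "Defender real-time protection disabled")  # Impair Defenses
    return None

def scan(raw_lines):
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit:
            alerts.append({"host": event.get("Computer"), "technique": hit[0], "detail": hit[1]})
    return alerts

def hosts_with_full_chain(alerts, required=("T1569.002", "T1562.001", "T1490")):
    """Hosts showing every stage of the server-side sequence: PsExec access,
    Defender disabled, and shadow copies deleted."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["technique"])
    return sorted(h for h, techs in seen.items() if set(required) <= techs)
```

Any single match is worth an alert on its own; the full-chain check is there to raise priority for a host where the whole sequence has already played out.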

As Fog continues to evolve, staying informed and prepared is crucial. Arctic Wolf Labs remains vigilant, investigating new developments and providing updates to help organizations defend against this emerging threat.

Stay ahead of the fog – prioritize cybersecurity and protect your organization from the evolving landscape of ransomware threats.