A new ransomware group [1] [3], known as “Fog,” has recently emerged, targeting organizations in the education and recreation sectors in the United States [2].
Description
Researchers at Arctic Wolf Labs have identified Fog as using compromised VPN credentials to gain initial access and employing tactics like pass-the-hash and credential stuffing for lateral movement within networks. The group disables Windows Defender, encrypts data in virtual environments [1] [3], and deletes backups to prevent recovery. Fog’s ransomware encryptor binary utilizes common techniques and a JSON-based configuration block for customization [2]. While Fog does not exfiltrate data [1], it focuses on quick payouts by encrypting VMDK files. The group has exploited vulnerabilities in VPN gateway vendors and utilizes tools like Metasploit and PsExec for their attacks [1]. Education organizations [1] [2], in particular [1], are at risk due to limited cybersecurity resources [1]. Employees are advised to carefully manage their credentials to prevent lateral movement by threat actors [1]. Fog communicates with victims using Tor and has targeted organizations in the US, with 80% of reported attacks in the education sector and the remaining in the recreation industry [3]. Fog does not engage in double or triple extortion and has not operated leak sites thus far.
Conclusion
Organizations in the education and recreation sectors in the United States are at risk of being targeted by the Fog ransomware group. It is crucial for employees to manage their credentials carefully to prevent lateral movement by threat actors [1]. The use of compromised VPN credentials and tactics like pass-the-hash and credential stuffing highlight the importance of strong cybersecurity measures. Moving forward, organizations should prioritize cybersecurity resources to protect against ransomware attacks like those carried out by Fog.
References
[1] https://www.darkreading.com/threat-intelligence/fog-ransomware-rolls-in-to-target-education-recreation-sectors
[2] https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/
[3] https://innovatopia.jp/cyber-security/cyber-security-news/29147/