Discover how Fog ransomware exploits VPNs to breach U.S. schools, using advanced techniques and double-extortion tactics to demand hefty ransoms.

Continue reading
The Fog ransomware operation emerged in early May 2024, targeting educational institutions in the U.S. Arctic Wolf Labs discovered the operation, noting its use of compromised VPN credentials for network breaches. Though not initially observed stealing data, Fog ransomware uses double-extortion tactics, leveraging stolen data to pressure victims into paying ransoms.
Fog operators gain initial access via compromised VPN credentials from two different VPN gateway vendors. This access method is crucial for infiltrating victim networks. Forensic evidence from Arctic Wolf Labs indicates threat actors accessed environments by leveraging these compromised credentials, with the last known activity on May 23, 2024.
After gaining access, Fog operators employ "pass-the-hash" attacks on administrator accounts to establish RDP connections to Windows servers running Hyper-V. In other instances, credential stuffing is used to hijack valuable accounts. PsExec is then deployed across multiple hosts to facilitate further penetration.
On Windows servers, Fog operators disable Windows Defender to prevent detection and alerts. This step is crucial to avoid early detection and ensure successful encryption of files.
The ransomware gathers system information via Windows API calls, such as the number of logical processors. This data is used to allocate threads for a multi-threaded encryption routine. The ransomware terminates a list of processes and services from a hardcoded configuration before starting encryption.
Fog ransomware targets VMDK files in VM storage, deletes backups from Veeam, and removes Windows volume shadow copies to hinder recovery. Encrypted files are appended with the '.FOG' or '.FLOCKED' extension, configurable via a JSON-based configuration block.
A ransom note named "readme.txt" is created in impacted directories, providing payment instructions. The note includes a link to a Tor dark website for negotiation, featuring a basic chat interface for victims to discuss ransom demands and view stolen files.
The Tor site is used for both '.FOG' and '.FLOCKED' extensions. In observed attacks, ransom demands ranged from hundreds of thousands of dollars, potentially higher for larger organizations.
The Fog encryptor binary exhibits common techniques seen in other ransomware variants. It creates a log file, `DbgLog.sys`, in the `%AppData%` directory, documenting status and error conditions during execution.
During initialization, the ransomware references `NTDLL.DLL` and the `NtQuerySystemInformation` function to gather system information, particularly the number of logical processors. This step is vital for configuring the encryption thread pool.
The ransomware checks for specific command line arguments:
The ransomware uses a JSON-based configuration block for customization, including:
Using gathered system information, the ransomware configures a thread pool for file encryption. It uses deprecated Windows APIs `CryptImportKey` and `CryptEncrypt` during the process. After encryption, it appends the configured file extension and creates the ransom note.
The ransomware deletes volume shadow copies using the command: ```shell vssadmin.exe delete shadows /all /quiet ``` This ensures that all shadow copies are deleted silently, preventing recovery.
PsExec allows execution of processes on other systems with full interactivity for console applications. Fog operators use PsExec for lateral movement and command execution.
Metasploit is a penetration testing framework. Its use was detected against a Veaam server in Fog ransomware attacks.
A network administration tool used to discover network services.
A free network and port scanner used to identify network services.
An open-source tool for enumerating accessible network shares, used by Fog operators to discover network shares.
An open-source PowerShell script used to obtain passwords from the Veeam Backup and Replication Credentials Manager.
The `Veeam-Get-Creds.ps1` script includes specific strings:
Detecting these strings in PowerShell script block logging can identify the use of this tool.
Arctic Wolf has implemented threat intelligence
, continuous network monitoring, and advanced logging to detect and respond to Fog ransomware attacks. Detection opportunities lie in identifying abnormal network activities, especially those involving VPN gateways and administrative account logins.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation