The new ‘Fog’ ransomware targets US education and recreation businesses. Attackers used compromised VPN credentials from two different providers to access victim environments. They employed pass-the-hash attacks on administrator accounts to create RDP connections to Windows servers running Veeam and Hyper-V.
Fog Ransomware Attacks Windows Servers
Arctic Wolf Labs began tracking the Fog ransomware variant on May 2, 2024. All victims were US-based, with 80% in education and 20% in recreation.
Attackers used compromised VPN credentials and administrator accounts to establish RDP connections to Windows servers. They used credential stuffing for easier lateral movement within the environment.
“In all cases, PsExec was deployed to multiple hosts, and RDP/SMB were used to access targeted hosts,” Arctic Wolf Labs told Cyber Security News.
“On Windows Servers the threat actors interacted with, they disabled Windows Defender.”
Threat actors erased backups from Veeam object storage and encrypted VMDK files in VM storage. They left ransom notes on compromised systems, consistently using the same functional ransomware payload. The ransom messages were similar, differing only by a unique chat code.
Researchers found no other dark web presence, such as a data leak site, aside from the .onion address for communication between the threat actors and victims.
“At this time, the organizational structure of the group or groups responsible for deploying Fog ransomware is unknown,” researchers said.
Given the short time between the initial breach and encryption, the threat actors appear more focused on quick profits than on complex attacks involving data exfiltration and high-profile leak sites.
The evidence suggests that the threat actors primarily target the education sector and are financially motivated, consistent with established victimology.
Even though these techniques are standard for ransomware activity, these intrusions underscore the need for defense-in-depth and secure, off-site backup infrastructure so that attacks can be contained and recovered from promptly.
Indicators of Compromise (IoCs)
Indicator | Type | Description |
---|---|---|
f7c8c60172f9ae4dab9f61c28ccae7084da90a06 | SHA1 | Fog ransomware binary (lck.exe) |
507b26054319ff31f275ba44ddc9d2b5037bd295 | SHA1 | Fog ransomware binary (locker_out.exe) |
e1fb7d15408988df39a80b8939972f7843f0e785 | SHA1 | Fog ransomware binary (fs.exe) |
83f00af43df650fda2c5b4a04a7b31790a8ad4cf | SHA1 | Fog ransomware binary (locker_out.exe) |
44a76b9546427627a8d88a650c1bed3f1cc0278c | SHA1 | Fog ransomware binary (mon.dll) |
eeafa71946e81d8fe5ebf6be53e83a84dcca50ba | SHA1 | PsExec (psexesvc.exe) |
763499b37aacd317e7d2f512872f9ed719aacae1 | SHA1 | Advanced Port Scanner (advanced_port_scanner.exe) |
3477a173e2c1005a81d042802ab0f22cc12a4d55 | SHA1 | Advanced Port Scanner (advanced_port_scanner_2.5.3869.exe) |
90be89524b72f330e49017a11e7b8a257f975e9a | SHA1 | SharpShares (sharpshares(1).exe) |
DESKTOP-7G1IC87 | Hostname | Threat actor’s hostname |
Kali | Hostname | Threat actor’s hostname |
VPS65CCB8B75352 | Hostname | Threat actor’s hostname |
PACKERP-VUDV41R | Hostname | Threat actor’s hostname |
readme.txt | Filename | Ransom note |
DBgLog.sys | Filename | Log file created by ransomware binary |
Veeam-Get-Creds.ps1 | Filename | PowerShell script used to obtain passwords from Veeam Backup and Replication Credentials Manager |
PSEXESVC.exe | Filename | PsExec |
netscan.exe | Filename | SoftPerfect Network Scanner |
.flocked | File Extension | Appended file extension to encrypted files |
.fog | File Extension | Appended file extension to encrypted files |
5.230.33[.]176 | IP Address | IP address used by the threat actor to login to VPN appliance |
77.247.126[.]200 | IP Address | IP address used by the threat actor to login to VPN appliance |
107.161.50[.]26 | IP Address | IP address used by the threat actor to login to VPN appliance |
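The indicators in the table and the attack chain described above (VPN login from a listed IP, RDP with PsExec, ransomware log file dropped, `.fog`/`.flocked` appended during a fast encryption run) turned into a small matcher over constructed telemetry. This is an added example, not code from Arctic Wolf Labs or this article; the event schema (host, kind, value, ts) and the burst threshold are assumptions.

```python
"""Match constructed endpoint telemetry against the Fog IoCs tabulated above.
Added example, not Arctic Wolf's or Cyber Security News' code. Events use an
assumed normalised schema (host, kind, value, ts); map your own telemetry onto it."""
from collections import defaultdict

# Values copied from the IoC table on this page; defanged "[.]" is restored for matching.
HOSTNAMES = {"DESKTOP-7G1IC87", "KALI", "VPS65CCB8B75352", "PACKERP-VUDV41R"}
FILENAMES = {"readme.txt", "dbglog.sys", "veeam-get-creds.ps1", "psexesvc.exe", "netscan.exe"}
EXTENSIONS = (".flocked", ".fog")
VPN_IPS = {s.replace("[.]", ".") for s in ("5.230.33[.]176", "77.247.126[.]200", "107.161.50[.]26")}
BURST_THRESHOLD = 20  # renames to a Fog extension per host per 60 s bucket (assumed tuning value)


def match_iocs(events):
    """Return (host, rule, value) for every event whose value matches a table IoC."""
    findings = []
    for e in events:
        v = e["value"]
        if e["kind"] == "vpn_login" and v in VPN_IPS:
            findings.append((e["host"], "vpn_login_from_listed_ip", v))
        elif e["kind"] == "client_hostname" and v.upper() in HOSTNAMES:
            findings.append((e["host"], "listed_attacker_hostname", v))
        elif e["kind"] == "file_create" and v.rsplit("\\", 1)[-1].lower() in FILENAMES:
            findings.append((e["host"], "listed_filename", v.rsplit("\\", 1)[-1]))
    return findings


def encryption_bursts(events):
    """Return hosts where renames to .fog/.flocked reach the threshold in one 60 s bucket."""
    buckets = defaultdict(int)
    for e in events:
        if e["kind"] == "file_rename" and e["value"].lower().endswith(EXTENSIONS):
            buckets[(e["host"], e["ts"] // 60)] += 1
    return sorted({host for (host, _), n in buckets.items() if n >= BURST_THRESHOLD})


# Constructed sample: VPN login from a listed IP, RDP client hostname from the table,
# PsExec service binary and the ransomware log file dropped, then a VMDK rename burst.
SAMPLE_EVENTS = (
    [{"host": "vpn-gw", "kind": "vpn_login", "value": "5.230.33.176", "ts": 0},
     {"host": "hv-01", "kind": "client_hostname", "value": "Kali", "ts": 60},
     {"host": "hv-01", "kind": "file_create", "value": r"C:\Windows\PSEXESVC.exe", "ts": 65},
     {"host": "hv-01", "kind": "file_create", "value": r"C:\Windows\DBgLog.sys", "ts": 120}]
    + [{"host": "hv-01", "kind": "file_rename", "value": rf"D:\VMs\vm{i}.vmdk.fog", "ts": 130 + i}
       for i in range(25)]
    + [{"host": "fs-02", "kind": "file_rename", "value": r"\\fs-02\share\q.flocked", "ts": 200}]
)

if __name__ == "__main__":
    for finding in match_iocs(SAMPLE_EVENTS):
        print("IOC", *finding)
    print("encryption burst on:", encryption_bursts(SAMPLE_EVENTS))
```

A single `.flocked` rename on fs-02 stays below the threshold, so only the host with the sustained rename run is reported; the exact-match rules fire independently of the burst logic.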