Fog Ransomware Targets Windows Server Admins for RDP Logins


The new ‘Fog’ ransomware targets US education and recreation organizations. Attackers used compromised VPN credentials from two different VPN gateway providers to enter victim environments, then used pass-the-hash against administrator accounts to open RDP sessions to Windows servers running Veeam and Hyper-V.

Fog Ransomware Attacks Windows Servers

Arctic Wolf Labs began tracking the Fog ransomware variant on May 2, 2024. All victims were US-based, with 80% in education and 20% in recreation.

Attackers used the compromised VPN credentials and administrator accounts to establish RDP connections to Windows servers. Evidence of credential stuffing was also found, which likely eased lateral movement within the environment.

“In all cases, PsExec was deployed to multiple hosts, and RDP/SMB were used to access targeted hosts,” Arctic Wolf Labs told Cyber Security News.

“On Windows Servers the threat actors interacted with, they disabled Windows Defender.”

The threat actors erased backups from Veeam object storage and encrypted VMDK files in VM storage. They left ransom notes on compromised systems and used the same functional ransomware payload in every case; the ransom messages were near-identical, differing only by a unique chat code.

Researchers found no other dark web presence, such as a data leak site, aside from the .onion address for communication between the threat actors and victims.

“At this time, the organizational structure of the group or groups responsible for deploying Fog ransomware is unknown,” researchers said.

Given the short time between the initial breach and encryption, the threat actors appear more focused on quick profits than on complex attacks involving data exfiltration and high-profile leak sites.

The evidence suggests that the threat actors primarily target the education sector and are financially motivated, consistent with established victimology.

Although these techniques are standard for ransomware operations, the intrusions underscore the need for defense-in-depth and for secure, off-site backup infrastructure that an attacker holding domain and Veeam credentials cannot delete.

Indicators of Compromise (IoCs)

Indicator | Type | Description
f7c8c60172f9ae4dab9f61c28ccae7084da90a06 | SHA1 | Fog ransomware binary (lck.exe)
507b26054319ff31f275ba44ddc9d2b5037bd295 | SHA1 | Fog ransomware binary (locker_out.exe)
e1fb7d15408988df39a80b8939972f7843f0e785 | SHA1 | Fog ransomware binary (fs.exe)
83f00af43df650fda2c5b4a04a7b31790a8ad4cf | SHA1 | Fog ransomware binary (locker_out.exe)
44a76b9546427627a8d88a650c1bed3f1cc0278c | SHA1 | Fog ransomware binary (mon.dll)
eeafa71946e81d8fe5ebf6be53e83a84dcca50ba | SHA1 | PsExec (psexesvc.exe)
763499b37aacd317e7d2f512872f9ed719aacae1 | SHA1 | Advanced Port Scanner (advanced_port_scanner.exe)
3477a173e2c1005a81d042802ab0f22cc12a4d55 | SHA1 | Advanced Port Scanner (advanced_port_scanner_2.5.3869.exe)
90be89524b72f330e49017a11e7b8a257f975e9a | SHA1 | SharpShares (sharpshares(1).exe)
DESKTOP-7G1IC87 | Hostname | Threat actor's hostname
Kali | Hostname | Threat actor's hostname
VPS65CCB8B75352 | Hostname | Threat actor's hostname
PACKERP-VUDV41R | Hostname | Threat actor's hostname
readme.txt | Filename | Ransom note
DBgLog.sys | Filename | Log file created by the ransomware binary
Veeam-Get-Creds.ps1 | Filename | PowerShell script used to obtain passwords from the Veeam Backup and Replication Credentials Manager
PSEXESVC.exe | Filename | PsExec service binary
netscan.exe | Filename | SoftPerfect Network Scanner
.flocked | File extension | Appended to encrypted files
.fog | File extension | Appended to encrypted files
5.230.33[.]176 | IP address | Used by the threat actor to log in to the VPN appliance
77.247.126[.]200 | IP address | Used by the threat actor to log in to the VPN appliance
107.161.50[.]26 | IP address | Used by the threat actor to log in to the VPN appliance
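The intrusion chain described above (VPN login from the actor's IPs, RDP from the actor's hostnames, pass-the-hash, PsExec service installs, Defender disabled, then the encryptor and its artifacts) and the IoC table together give a defender a concrete hunt. The script below runs those checks over normalized event records. It is an added example, not Arctic Wolf's or this site's tooling: the event field names are an assumed SIEM-style schema, the severities are the author's judgement, and the sample events are constructed. The hash, hostname, IP, extension and filename values are taken verbatim from the table.

```python
"""Hunt normalized Windows and VPN events for the Fog TTPs and IoCs above.
Added example, not the article's or Arctic Wolf's tooling. The event field
names are an assumed SIEM-style schema; SAMPLE_EVENTS are constructed."""
from dataclasses import dataclass

# Indicators from the article's IoC table.
FOG_SHA1 = {
    "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",  # lck.exe
    "507b26054319ff31f275ba44ddc9d2b5037bd295",  # locker_out.exe
    "e1fb7d15408988df39a80b8939972f7843f0e785",  # fs.exe
    "83f00af43df650fda2c5b4a04a7b31790a8ad4cf",  # locker_out.exe
    "44a76b9546427627a8d88a650c1bed3f1cc0278c",  # mon.dll
}
TOOL_SHA1 = {  # dual-use tooling: medium on its own, escalate if seen with the above
    "eeafa71946e81d8fe5ebf6be53e83a84dcca50ba": "psexec",
    "763499b37aacd317e7d2f512872f9ed719aacae1": "advanced_port_scanner",
    "3477a173e2c1005a81d042802ab0f22cc12a4d55": "advanced_port_scanner",
    "90be89524b72f330e49017a11e7b8a257f975e9a": "sharpshares",
}
ACTOR_HOSTNAMES = {"DESKTOP-7G1IC87", "KALI", "VPS65CCB8B75352", "PACKERP-VUDV41R"}
ACTOR_IPS = {"5.230.33.176", "77.247.126.200", "107.161.50.26"}
ENCRYPTED_EXTS = (".fog", ".flocked")
ARTIFACT_SEVERITY = {"readme.txt": "medium", "dbglog.sys": "high",
                     "veeam-get-creds.ps1": "high", "netscan.exe": "medium"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium" (assumed scale)
    rule: str
    host: str
    detail: str


def hunt(events):
    """Return one Finding per event that matches a Fog TTP or IoC."""
    out = []
    for ev in events:
        src, eid, host = ev.get("source"), ev.get("event_id"), ev.get("host", "?")
        if src == "vpn" and ev.get("src_ip") in ACTOR_IPS:
            out.append(Finding("high", "vpn_login_from_actor_ip", host,
                               f"{ev['user']} from {ev['src_ip']}"))
        elif src == "security" and eid == 4624:
            ws = ev.get("workstation", "").upper()
            if ev.get("logon_type") == 10 and ws in ACTOR_HOSTNAMES:  # type 10 = RDP
                out.append(Finding("high", "rdp_from_actor_hostname", host,
                                   f"{ev['user']} via {ws}"))
            # Type 9 (NewCredentials) with logon process "seclogo" is the logon that
            # runas /netonly or a mimikatz pth produces on the originating host.
            elif ev.get("logon_type") == 9 and ev.get("logon_process", "").lower() == "seclogo":
                out.append(Finding("medium", "possible_pass_the_hash", host, ev["user"]))
        elif src == "system" and eid == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
            out.append(Finding("high", "psexec_service_installed", host, ev.get("image_path", "")))
        elif src == "defender" and eid == 5001:  # real-time protection disabled
            out.append(Finding("high", "defender_realtime_disabled", host, "event 5001"))
        elif src == "sysmon":
            sha1 = ev.get("sha1", "").lower()
            target = ev.get("target_filename", "")
            name = target.rsplit("\\", 1)[-1].lower()
            if sha1 in FOG_SHA1:
                out.append(Finding("high", "fog_binary_hash", host, f"{ev.get('image', '')} {sha1}"))
            elif sha1 in TOOL_SHA1:
                out.append(Finding("medium", "tool_" + TOOL_SHA1[sha1], host, ev.get("image", "")))
            elif target.lower().endswith(ENCRYPTED_EXTS):
                out.append(Finding("high", "encrypted_file_extension", host, target))
            elif name in ARTIFACT_SEVERITY:
                out.append(Finding(ARTIFACT_SEVERITY[name], "fog_artifact_file", host, target))
    return out


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed events walking the intrusion chain; two benign ones to show no false hits.
SAMPLE_EVENTS = [
    {"source": "vpn", "host": "vpn-gw", "user": "jdoe", "src_ip": "77.247.126.200"},
    {"source": "vpn", "host": "vpn-gw", "user": "asmith", "src_ip": "203.0.113.7"},
    {"source": "security", "host": "VEEAM01", "event_id": 4624, "logon_type": 10,
     "user": "administrator", "workstation": "DESKTOP-7G1IC87"},
    {"source": "security", "host": "HYPERV02", "event_id": 4624, "logon_type": 10,
     "user": "itops", "workstation": "HR-LAPTOP22"},
    {"source": "security", "host": "WS-ADMIN", "event_id": 4624, "logon_type": 9,
     "user": "administrator", "logon_process": "seclogo"},
    {"source": "system", "host": "HYPERV02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"source": "defender", "host": "VEEAM01", "event_id": 5001},
    {"source": "sysmon", "host": "VEEAM01", "event_id": 1, "image": "C:\\temp\\lck.exe",
     "sha1": "F7C8C60172F9AE4DAB9F61C28CCAE7084DA90A06"},
    {"source": "sysmon", "host": "HYPERV02", "event_id": 11,
     "target_filename": "D:\\VMs\\fs01\\fs01-flat.vmdk.fog"},
    {"source": "sysmon", "host": "VEEAM01", "event_id": 11,
     "target_filename": "C:\\temp\\Veeam-Get-Creds.ps1"},
    {"source": "sysmon", "host": "VEEAM01", "event_id": 11,
     "target_filename": "C:\\Users\\administrator\\Desktop\\readme.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} on {f.host}: {f.detail}")
```

The hash and IP matches are the cheap, high-confidence hits; the hostname and `seclogo` checks are the ones worth keeping after the listed IoCs rotate, because they key on how the actor works (RDP from an attacker-controlled workstation name, pass-the-hash into admin accounts) rather than on a particular build of the locker.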
Published June 6th, 2024 | Categories: Exploitation, Internet Security, Malware, Ransomware, Security Advisory, Security Update, Windows

About the Author:

FirstHackersNews- Identifies Security
