Fog Ransomware Attacking Windows Servers Administrators To Steal RDP Logins

A new ransomware variant dubbed ‘Fog’ has been spotted targeting US businesses in the education and recreation sectors.

Forensic data revealed that threat actors accessed victim environments using compromised VPN credentials. Notably, two different VPN gateway providers were used for the remote access. 

Pass-the-hash activity against administrator accounts was also detected, and these accounts were then used to create RDP connections to Windows servers running Veeam and Hyper-V.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Fog Ransomware Attacking Windows Servers

Arctic Wolf Labs started tracking the spread of a Fog ransomware variant on May 2, 2024. Every victim organization was based in the US, with 80% of them working in the field of education and 20% in the field of recreation.

Threat actors gained access to victim environments by using compromised VPN credentials and administrator accounts, which they then used to establish RDP connections to Windows Servers.

Credential stuffing was evident, which was supposed to allow for easier lateral movement around the environment. 

“In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts,” Arctic Wolf Labs shared with Cyber Security News.

“On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors.”

Threat actors were seen erasing backups from Veeam object storage and encrypting VMDK files in VM storage.

Threat actors left ransom notes on compromised systems, and they always used the same functional ransomware payload. Aside from a unique chat code, the ransom messages were similar.

Apart from the.onion address utilized for communication between the threat actor and the victim, researchers said they had not encountered any other dark web presence, like a website that leaks data.

“At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown,” researchers said.

Given the short time lag between the initial breach and encryption, the threat actors seem more focused on making a quick profit than launching a more complex attack that involves data exfiltration and a high-profile leak site.

The evidence implies that the threat actors are largely focused on the education sector and have financial motivations, which is in line with established victimology.

Even if the strategies used in these situations are pretty standard for ransomware activity, these threats should serve as a reminder of the need for defense-in-depth and secure, off-site backup infrastructure to thwart attacks as soon as possible.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo