Cyber Attack

Fog Ransomware Attacking Windows Servers Administrators To Steal RDP Logins

A new ransomware variant dubbed ‘Fog’ has been spotted targeting US businesses in the education and recreation sectors.

Forensic data revealed that threat actors accessed victim environments using compromised VPN credentials. Notably, two different VPN gateway providers were used for the remote access. 

Pass-the-hash activity against administrator accounts was also detected, and these accounts were then used to create RDP connections to Windows servers running Veeam and Hyper-V.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Fog Ransomware Attacking Windows Servers

Arctic Wolf Labs started tracking the spread of a Fog ransomware variant on May 2, 2024. Every victim organization was based in the US, with 80% of them working in the field of education and 20% in the field of recreation.

Threat actors gained access to victim environments by using compromised VPN credentials and administrator accounts, which they then used to establish RDP connections to Windows Servers.

Credential stuffing was evident, which was supposed to allow for easier lateral movement around the environment. 

“In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts,” Arctic Wolf Labs shared with Cyber Security News.

“On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors.”

Threat actors were seen erasing backups from Veeam object storage and encrypting VMDK files in VM storage.

Threat actors left ransom notes on compromised systems, and they always used the same functional ransomware payload. Aside from a unique chat code, the ransom messages were similar.

Apart from the.onion address utilized for communication between the threat actor and the victim, researchers said they had not encountered any other dark web presence, like a website that leaks data.

“At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown,” researchers said.

Given the short time lag between the initial breach and encryption, the threat actors seem more focused on making a quick profit than launching a more complex attack that involves data exfiltration and a high-profile leak site.

The evidence implies that the threat actors are largely focused on the education sector and have financial motivations, which is in line with established victimology.

Even if the strategies used in these situations are pretty standard for ransomware activity, these threats should serve as a reminder of the need for defense-in-depth and secure, off-site backup infrastructure to thwart attacks as soon as possible.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Raga Varshini

Recent Posts

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,' who claims to have compromised the…

2 days ago

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users, leading to widespread reports of Blue…

2 days ago

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have drained billions from victims' wallets. This…

2 days ago

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which link to a variety of systems…

3 days ago

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making…

3 days ago

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration,…

3 days ago