Afiq Sam - stock.adobe.com
Fog ransomware crew evolving into wide-ranging threat
The emergent Fog ransomware gang appears to be changing up its victimology in search of more cash-rich victims
The Fog ransomware crew has been observed ramping up attack volumes and targeting new, more lucrative verticals in the never-ending search for a pay-out, and may be on its way to becoming one of the more high-profile cyber crime organisations, according to intelligence published by incident responders at Adlumin.
Last month, the Adlumin incident responce team helped an unnamed, mid-sized US financial services company through an attempted – and fortunately thwarted – Fog ransomware attack, which targeted its data on endpoints running both Windows and Linux.
The incident came to naught thanks to Adlumin’s technology, which incorporates “decoy” files, used to detect ransomware activity in a network prior to execution. The affected machines were isolated and the attackers were locked out in minutes.
Adlumin senior director of managed detection and response Will Ledesma said the attack was somewhat noteworthy as targeting a financial services company marked a departure from the Fog crew’s traditional victim profile.
“The Fog Ransomware group, which has historically been observed only attacking organisations in the education and recreational sectors, is now pursuing more lucrative targets in the financial services sector,” he wrote.
A variant of the STOP/DJVU ransomware family dating back approximately three years, Fog tends to begin its attacks using compromised VPN credentials to breach network defences. Once inside a victim environment, it uses techniques such as pass-the-hash attacks to elevate its privileges to admin level.
The gang also performs a series of actions intended to take out cyber defences, including turning off protections, encrypting critical files, such as virtual machine disks (VMDKs) early on, and deleting backups to prevent recovery. It typically appends encrypted files with extensions .FOG or .FLOCKED, and like most other gangs, uses Tor to negotiate with victims.
Read more about ransomware
- We talk to NetApp’s Chris McKean about ransomware attacks and the role of data storage in protecting against them.
- Sophos X-Ops caught the Qilin ransomware gang stealing credentials stored by victims' employees in Google Chrome, heralding further cyber attacks and breaches down the line.
- The Royal ransomware gang is back, with a new name and refreshed capabilities, including an apparently unique ‘partial encryption’ gambit, according to CISA.
Ledesma said there was currently a lack of direct attribution to other established threat actors, suggesting that Fog likely originates from a new and highly skilled group.
In the incident to which Adlumin responded, the investigation team was able to trace the infiltration to an unprotected system with IP addresses originating in Moscow, although this may not necessarily prove its provenance.
Other researchers monitoring Fog include the team at Arctic Wolf, which observed a remarkably short duration between initial intrusion and encryption, which diverges from common practice in most ransomware scenarios.
In an analysis published in early June, the Arctic Wolf team said “the threat actors appear more interested in a quick pay-out as opposed to exacting a more complex attack involving data exfiltration and a high-profile leak site”, although it should be noted that the gang does operate a leak site.
Arctic Wolf’s observation nevertheless appears to track with Adlumin’s theory that the crew is now hunting more cash-rich targets – having earlier specialised in attacking schools and colleges.
As such, it behoves defenders at corporate enterprises to pay attention to the growing threat posed by Fog, and in particular to focus on maintaining secure, off-site backup infrastructure in addition to standard defence-in-depth policies.
Ledesma’s full write-up for Adlumin, including more in-depth advice on detection and remediation, can be found here.
