A new ransomware variant called Fog has emerged as a significant threat to education and recreation organizations across the United States.
Starting in early May 2024, Arctic Wolf Labs began monitoring its deployment across multiple incident response cases, with 80 percent of affected organizations operating in the education sector while 20 percent were in recreation.
The ransomware activity has been observed in several cases, each showing similar attack patterns and procedures. All victims were located within the United States, indicating a geographically focused campaign.
The Fog ransomware operates as a variant rather than a distinct group, representing a crucial distinction between the software creators and those conducting the actual attacks.
This separation matters because ransomware groups often appear as single entities when they actually comprise multiple independent affiliate teams.
The organizational structure behind Fog remains unclear at this time, though evidence suggests coordinated activity among threat actors.
The last documented attack activity in investigated cases occurred on May 23, 2024, providing a clear timeline for defensive measures.
Arctic Wolf analysts first identified the malware when they began investigating these cases in early May.
The research team noted that in each investigated case, forensic evidence indicated threat actors gained access to victim environments by leveraging compromised VPN credentials through two separate VPN gateway vendors.
This access method became the primary entry point for the campaign, highlighting vulnerabilities in remote access security postures.
Attack Methodology and Infection Mechanisms
Once inside networks, threat actors deployed a multi-stage approach combining common penetration testing tactics with ransomware deployment.
Pass-the-hash activity targeted administrator accounts, which were then used to establish RDP connections to Windows Servers running Hyper-V and Veeam backup systems. In another case, credential stuffing facilitated lateral movement throughout the environment.
PsExec was deployed across multiple hosts, while RDP and SMB protocols provided access to targeted systems. Before encryption began, Windows Defender was disabled on affected servers, removing a critical defense layer.
The ransomware payload exhibits techniques common to other variants, with samples from different cases containing identical code blocks. When executed, the sample creates a file called DbgLog.sys in the %AppData% directory to log activity status.
The initialization routine references NTDLL.DLL and the NtQuerySystemInformation function to gather system information for thread allocation.
Command line options include NOMUTEX for concurrent execution, TARGET for specific discovery locations, and CONSOLE for output display.
A JSON configuration block controls encryption activities, including the RSA public key, file extensions (typically .FOG or .FLOCKED), ransom note names, and service shutdown procedures.
File discovery uses standard Windows APIs like FindFirstVolume and FindFirstFile, employing Unicode variants throughout.
The encryption process utilizes a thread pool scaled to system processors, ranging from two to sixteen, implementing CryptImportKey and CryptEncrypt functions before renaming files with configured extensions and writing ransom notes.
Finally, `vssadmin.exe delete shadows /all /quiet` is executed to remove volume shadow copies, eliminating backup recovery options.
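The host artefacts described above (the PsExec service binary, the NOMUTEX/TARGET/CONSOLE switches, the DbgLog.sys file under %AppData%, and the vssadmin shadow-copy deletion) are enough to build a simple triage check. The following is an added example, not code from the article or from Arctic Wolf; it runs a handful of regex rules over constructed, simplified Sysmon-style JSON events (EventID 1 = process creation, EventID 11 = file creation) and groups the hits by host. The event field names and the sample data are assumptions for illustration.

```python
import json
import re

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "HV-01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"EventID": 1, "Host": "HV-01", "Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}
{"EventID": 1, "Host": "VEEAM-01", "Image": "C:\\Temp\\locker.exe", "CommandLine": "locker.exe NOMUTEX TARGET \\\\VEEAM-01\\Backups CONSOLE"}
{"EventID": 11, "Host": "VEEAM-01", "Image": "C:\\Temp\\locker.exe", "TargetFilename": "C:\\Users\\admin\\AppData\\Roaming\\DbgLog.sys"}
{"EventID": 1, "Host": "WS-07", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"EventID": 1, "Host": "HV-01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"}
"""

# (rule name, required EventID, field to inspect, pattern). Field names are assumed.
RULES = [
    # Shadow copy deletion with the exact switches reported for Fog.
    ("shadow_copy_deletion", 1, "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)),
    # PsExec's service binary running on a host: PsExec-driven lateral movement.
    ("psexec_service", 1, "Image", re.compile(r"\\PSEXESVC\.exe$", re.I)),
    # Fog's upper-case command-line switches; weaker signal, so keep it case-sensitive.
    ("fog_cli_switches", 1, "CommandLine", re.compile(r"\b(NOMUTEX|TARGET|CONSOLE)\b")),
    # The status log file the sample writes into %AppData%.
    ("fog_dbglog_file", 11, "TargetFilename",
     re.compile(r"\\AppData\\.*\\DbgLog\.sys$", re.I)),
]


def detect(lines):
    """Return a list of (rule_name, host) for every event that matches a rule."""
    hits = []
    for line in lines.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, event_id, field, pattern in RULES:
            if ev.get("EventID") == event_id and pattern.search(ev.get(field, "")):
                hits.append((name, ev["Host"]))
    return hits


def triage(lines):
    """Group matched rule names by host so responders see which hosts need attention first."""
    by_host = {}
    for name, host in detect(lines):
        by_host.setdefault(host, set()).add(name)
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

A host that shows the shadow-copy deletion together with the Fog switches or DbgLog.sys is already past the point where backups can be recovered locally, so the off-site copies recommended below are what remain.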
| Tool Name | Description |
|---|---|
| PsExec | Enables threat actors to execute processes on other systems with full interactivity for console applications, used for lateral movement and command execution |
| Metasploit | Penetration testing framework detected against Veeam servers during reconnaissance |
| SoftPerfect Network Scanner | Network administration tool used to discover network services across targeted environments |
| Advanced Port Scanner | Free network and port scanning utility deployed to identify accessible network services |
| SharpShares v2.3 | Open-source tool used to enumerate and discover accessible network shares |
| Veeam-Get-Creds.ps1 | PowerShell script designed to extract passwords from Veeam Backup and Replication Credentials Manager |
Organizations should prioritize securing VPN infrastructure, implementing multi-factor authentication, maintaining secure off-site backup systems, and deploying defense-in-depth strategies.
The threat actors demonstrated financial motivation with rapid encryption timelines and no observed data exfiltration, suggesting quick-payout intentions rather than complex extortion schemes involving public leak sites.