Arctic Wolf Labs has uncovered a new ransomware variant dubbed “Fog” striking US organizations, primarily in education and recreation, through hijacked VPN access.
First spotted on May 2, 2024, the attacks highlight vulnerabilities in remote access tools and the rapid encryption tactics used to exploit them.
Arctic Wolf’s Incident Response team investigated multiple cases starting early May 2024, all involving US victims: 80% education sector, 20% recreation sector.
Threat actors gained entry using compromised VPN credentials from two unnamed vendors, with the last activity logged on May 23, 2024.
Arctic Wolf refers to Fog as a ransomware “variant” rather than a group, to distinguish the developers of the encryptor from the operators deploying it; how the two are related remains unclear.
Attack Chain and Tactics
The intruders escalated privileges quickly. In one case, pass-the-hash against administrator accounts gave them RDP access to Hyper-V and Veeam servers; in another, credential stuffing supported lateral movement.
PsExec was used to push tooling to hosts, with RDP and SMB for access. On servers, Windows Defender was disabled, VMDK files in virtual-machine storage were encrypted, and Veeam object-storage backups were deleted.
The ransom notes dropped on each system carried identical text except for a unique chat code and linked to a .onion site; no data leak site was observed. Encrypted files were renamed with the .FOG or .FLOCKED extension.
The encryptor samples share code blocks, suggesting a common source. The binary writes a log to DbgLog.sys under %AppData% and calls NtQuerySystemInformation to determine the processor count, which it uses to size its encryption thread pool (2 to 16 processors).
An embedded JSON configuration supplies the RSA public key (RSAPubKey), the extension for encrypted files (LockedExt), the ransom note name (readme.txt), and the processes and services to terminate before encryption.
Volume discovery uses Windows APIs such as FindFirstVolume, and file encryption goes through the legacy CryptoAPI functions CryptImportKey and CryptEncrypt, which Microsoft has deprecated in favor of CNG. After encryption, the binary runs vssadmin delete shadows /all /quiet to remove shadow copies.
| Tactic | Technique | Tools / sub-techniques |
|---|---|---|
| Initial Access | T1133 External Remote Services, T1078 Valid Accounts | Compromised VPN credentials |
| Discovery | T1046 Network Service Discovery, T1135 Network Share Discovery | SoftPerfect Network Scanner, Advanced Port Scanner, SharpShares |
| Lateral Movement | T1021 Remote Services (T1021.001 RDP, T1021.002 SMB), T1570 Lateral Tool Transfer | PsExec |
| Credential Access | T1003.003 OS Credential Dumping: NTDS, T1555 Credentials from Password Stores, T1110 Brute Force | Veeam-Get-Creds.ps1, credential stuffing (T1110.004) |
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools, T1550.002 Use Alternate Authentication Material: Pass the Hash | Windows Defender disabled on servers; pass-the-hash against admin accounts |
| Impact | T1486 Data Encrypted for Impact, T1490 Inhibit System Recovery | Fog encryptor (.fog / .flocked); vssadmin delete shadows /all /quiet |
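The script below is an added example, not Arctic Wolf's or GBHackers' code. It runs simple detection rules for the chain described above (PsExec service, the Veeam credential script, Defender tampering, shadow-copy deletion) over constructed process-creation events, then flags hosts where Defender tampering is followed by shadow-copy deletion. The event format, the host and user names, and the Defender-disabling command line are assumptions; the report names the tools but not the exact commands.

```python
"""Rule-based detection for the Fog attack chain over process-creation events.

Added example: not Arctic Wolf's or GBHackers' code. Event format, host/user
names and the exact command lines below are constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed events, one per line: timestamp|host|user|image|command line
# (a flattened Sysmon Event ID 1 / Security 4688 shape, not real telemetry).
SAMPLE_EVENTS = [
    r"2024-05-10T02:14:03|HYPERV01|CORP\svc_admin|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe",
    r"2024-05-10T02:16:40|HYPERV01|CORP\svc_admin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Temp\Veeam-Get-Creds.ps1",
    r'2024-05-10T02:20:11|HYPERV01|CORP\svc_admin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r"2024-05-10T02:31:55|HYPERV01|CORP\svc_admin|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"2024-05-10T09:00:00|WS-042|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",
    r"2024-05-10T09:05:00|WS-042|CORP\jdoe|C:\Windows\System32\notepad.exe|notepad.exe readme.txt",
]

# (rule name, ATT&CK technique, pattern matched against "image command line").
# The Defender pattern is an assumption about how "Windows Defender was
# disabled" would look on a command line; the report does not give the command.
RULES = [
    ("psexec_service", "T1570 / T1021.002",
     re.compile(r"psexesvc\.exe|psexec(64)?\.exe", re.I)),
    ("veeam_cred_dump", "T1555",
     re.compile(r"veeam-get-creds\.ps1", re.I)),
    ("defender_tamper", "T1562.001",
     re.compile(r"set-mppreference\s+-disable\w*|disableantispyware|disablerealtimemonitoring", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
]


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    technique: str
    cmdline: str


def detect(events):
    """Return one Alert per (event, rule) match, in event order."""
    alerts = []
    for line in events:
        ts, host, user, image, cmdline = line.split("|", 4)
        haystack = f"{image} {cmdline}"
        for rule, technique, pattern in RULES:
            if pattern.search(haystack):
                alerts.append(Alert(datetime.fromisoformat(ts), host, user, rule, technique, cmdline))
    return alerts


def likely_encryption_phase(alerts, window=timedelta(hours=1)):
    """Hosts where Defender tampering is followed within `window` by shadow-copy
    deletion: two steps the report ties to the encryption phase on servers."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    flagged = set()
    for host, hits in by_host.items():
        tamper_times = [a.ts for a in hits if a.rule == "defender_tamper"]
        for a in hits:
            if a.rule != "shadow_copy_deletion":
                continue
            if any(timedelta(0) <= a.ts - t <= window for t in tamper_times):
                flagged.add(host)
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts:%Y-%m-%d %H:%M:%S} {a.host:<9} {a.rule:<21} {a.technique:<18} {a.cmdline}")
    print("hosts in likely encryption phase:", sorted(likely_encryption_phase(found)))
```

The benign `vssadmin list shadows` and `notepad.exe readme.txt` events are there on purpose: the rules key on the destructive verbs and tool names rather than on the binaries alone, which keeps the per-host correlation in `likely_encryption_phase` from firing on routine administration.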
Indicators of Compromise
| Type | Indicator |
|---|---|
| SHA1 | f7c8c60172f9ae4dab9f61c28ccae7084da90a06 (lck.exe) |
| SHA1 | 507b26054319ff31f275ba44ddc9d2b5037bd295 (locker_out.exe) |
| IP | 5.230.33[.]176 (source of VPN logins) |
| Filename | readme.txt (ransom note), DbgLog.sys (encryptor log in %AppData%), Veeam-Get-Creds.ps1 |
| Extension | .flocked, .fog |
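As an added example (not Arctic Wolf's or GBHackers' tooling), the following Python sweep turns the table above into a host check: it walks a directory tree and buckets encrypted files by extension, ransom notes, the DbgLog.sys and Veeam-Get-Creds.ps1 artifacts, and binaries whose SHA1 matches the report. The sample tree it builds, the file contents, and the rule that a readme.txt counts as a ransom note only when it references a .onion address are assumptions made for the demo.

```python
"""Host sweep for the file-system indicators in the Fog report.

Added example, not Arctic Wolf's or GBHackers' tooling. The hashes, extensions
and filenames come from the report's IoC table; the sample tree, its contents
and the .onion heuristic for telling a ransom note from an ordinary readme.txt
are assumptions made for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

KNOWN_BAD_SHA1 = {
    "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",  # lck.exe
    "507b26054319ff31f275ba44ddc9d2b5037bd295",  # locker_out.exe
}
LOCKED_EXTENSIONS = {".fog", ".flocked"}
ARTIFACT_NAMES = {"dbglog.sys", "veeam-get-creds.ps1"}
NOTE_NAME = "readme.txt"
HASH_SUFFIXES = {".exe", ".dll", ".sys"}  # only hash likely binaries to keep the sweep cheap


def sha1_of(path: Path) -> str:
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_ransom_note(path: Path) -> bool:
    """readme.txt is a common filename; count it only if it points at a .onion
    address, which the report says the Fog notes do. Heuristic, not from the report."""
    try:
        return ".onion" in path.read_text(errors="ignore")[:4096].lower()
    except OSError:
        return False


def sweep(root: Path) -> dict:
    """Walk `root` and bucket hits: encrypted files, ransom notes, tool/log
    artifacts, and binaries whose SHA1 matches the report."""
    findings = {"encrypted": [], "note": [], "artifact": [], "hash": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            ext = p.suffix.lower()
            if ext in LOCKED_EXTENSIONS:
                findings["encrypted"].append(rel)
            elif name.lower() == NOTE_NAME and looks_like_ransom_note(p):
                findings["note"].append(rel)
            elif name.lower() in ARTIFACT_NAMES:
                findings["artifact"].append(rel)
            elif ext in HASH_SUFFIXES and sha1_of(p) in KNOWN_BAD_SHA1:
                findings["hash"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_tree(root: Path) -> None:
    """Constructed victim-like tree; every file's contents are made up."""
    files = {
        "Users/jdoe/Documents/budget.xlsx.fog": b"\x00" * 64,
        "Users/jdoe/Documents/thesis.docx.FLOCKED": b"\x00" * 64,
        "Users/jdoe/Documents/readme.txt":
            b"Your files are encrypted. Chat with us at http://placeholder.onion (constructed note)\n",
        "Users/jdoe/Desktop/readme.txt": b"Build notes for the lab server\n",  # ordinary readme
        "Users/jdoe/AppData/Roaming/DbgLog.sys": b"[dbg] constructed log line\n",
        "Temp/Veeam-Get-Creds.ps1": b"# constructed placeholder, not the real script\n",
        "Temp/locker_out.exe": b"MZ constructed placeholder, not the real sample\n",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for bucket, hits in demo().items():
        print(f"{bucket:<9} {hits}")
```

Against a real host, call `sweep(Path("C:/"))` (or the mounted image path) rather than `demo()`. The placeholder locker_out.exe in the sample tree is deliberately not the real sample, so the hash bucket stays empty; the filename alone is not used as an indicator because the report ties the binaries to their hashes, not to a fixed name.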
