New Ransomware Variant “Fog” Targets Remote Workers

22. 3. 2023

A new ransomware variant, dubbed "Fog," has emerged, posing a significant threat to remote workers. Discovered by Arctic Wolf Labs, Fog has been actively targeting organizations in the United States, particularly within the education and recreation sectors. The ransomware attacks were first observed in May 2024 and were publicly announced in June.


Details of the Fog Ransomware


Fog ransomware is characterized by its sophisticated attack methods, including the use of compromised VPN credentials to infiltrate victim environments. Attackers employed techniques such as pass-the-hash, credential stuffing, and the deployment of PsExec to multiple hosts. The ransomware also utilized RDP/SMB for host access and disabled Windows Defender on Windows servers.


One of the unique aspects of Fog is its focus on rapid encryption of VM storage data without exfiltrating information. The attackers demand ransom payments for decryption, with encrypted files marked by extensions like .FOG and .FLOCKED. The ransomware includes a JSON-based configuration block that manages pre- and post-encryption activities using an embedded public key.
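As a detection-side illustration of the behaviours described above, the following added example (not from Arctic Wolf or the original article) correlates host events for a PsExec service install, Windows Defender real-time protection being disabled, and a burst of newly created .FOG/.FLOCKED files. The event kinds, tuple layout, host names, thresholds and sample events are constructed assumptions standing in for a real SIEM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RANSOM_EXTS = {".fog", ".flocked"}  # extensions named in the article
PSEXEC_SERVICE = "PSEXESVC"         # default service name PsExec installs

# Constructed sample events (not real telemetry). The (time, host, kind, detail)
# layout and the kind labels are assumptions for this example.
SAMPLE = [
    ("2024-05-02T01:10:00", "HV01", "service_install", "PSEXESVC"),
    ("2024-05-02T01:11:30", "HV01", "defender_rtp_disabled", ""),
    ("2024-05-02T01:12:00", "HV01", "file_create", r"D:\VMs\web01.vhdx.FOG"),
    ("2024-05-02T01:12:05", "HV01", "file_create", r"D:\VMs\db01.vhdx.FLOCKED"),
    ("2024-05-02T01:12:09", "HV01", "file_create", r"D:\VMs\dc01.vhdx.fog"),
    ("2024-05-02T02:00:00", "WS07", "service_install", "PSEXESVC"),  # admin use only
    ("2024-05-02T03:00:00", "FS02", "file_create", r"E:\share\notes.fog"),  # one file
]

def triage(events, window=timedelta(minutes=10), min_files=3):
    """Return {host: sorted indicator names} for hosts that need review."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        per_host[host].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for host, rows in per_host.items():
        rows.sort()
        hits = set()
        enc = [t for t, k, d in rows if k == "file_create"
               and PureWindowsPath(d).suffix.lower() in RANSOM_EXTS]
        # Sliding window: min_files ransom-extension files created within `window`.
        for i in range(len(enc) - min_files + 1):
            if enc[i + min_files - 1] - enc[i] <= window:
                hits.add("encrypted_extension_burst")
                break
        for _, k, d in rows:
            if k == "service_install" and d.upper() == PSEXEC_SERVICE:
                hits.add("psexec_service")
            elif k == "defender_rtp_disabled":
                hits.add("defender_disabled")
        # A burst alone is enough; otherwise require two precursors together,
        # since PsExec by itself is common in legitimate administration.
        if "encrypted_extension_burst" in hits or len(hits) >= 2:
            findings[host] = sorted(hits)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Requiring two precursors before alerting keeps routine PsExec administration on a single workstation from generating noise, while a burst of ransom-extension files is treated as sufficient on its own.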


Quick Timeline of the Incident


  • May 2, 2024: Arctic Wolf Labs begins monitoring the deployment of the Fog ransomware variant.

  • May 2024: Multiple incident response cases reveal the use of Fog in targeting organizations.

  • June 2024: Public announcement and warning issued by Arctic Wolf Labs.


Impact and Response


The emergence of Fog ransomware underscores the increasing complexity and frequency of ransomware attacks, particularly those targeting remote work environments. Organizations are urged to bolster their cybersecurity defenses, particularly by securing VPN access and monitoring for unusual activity.


To protect against such threats, experts recommend implementing robust security measures, including the use of sandboxed browsers, NIST password standards, and email filters. Continuous monitoring and regular updates to security protocols are essential to mitigate the risks posed by advanced ransomware variants like Fog.


For the full news, visit Cyber Magazine and Arctic Wolf.

SME Security
