2024-06-20

Fog Ransomware Emerges as Major Threat to U.S. Schools and Recreation Centers

Level: Tactical | Source: Arctic Wolf & BleepingComputer
Education, Recreation


Arctic Wolf Labs is warning of an emerging ransomware threat tracked as "Fog," which it first encountered on May 2, 2024, with the most recent activity noted on May 23. All impacted organizations were located in the United States, primarily within the education and recreation sectors, which accounted for a significant majority (80%) of the victims observed in Arctic Wolf's research. Researchers are careful to describe Fog as a ransomware variant rather than a group, since ransomware operations can involve possibly independent affiliate groups working together rather than a single entity orchestrating the attacks.

The operational tactics of Fog ransomware typically begin with initial access gained through compromised VPN credentials; Arctic Wolf has noted instances involving two different VPN gateway vendors. Forensic investigations have uncovered multiple attack techniques, including 'pass-the-hash' activity targeting administrator accounts, which facilitated unauthorized RDP connections to critical servers. Credential stuffing was also observed, used to set up lateral movement. A commonality identified in all cases was the deployment of PsExec to several hosts, with RDP/SMB used to access targeted hosts, as reported by Arctic Wolf researchers. In attacks specifically targeting Windows Servers, operators disabled Windows Defender security monitoring, tampered with VM storage files (.VMDK), and removed backups from Veeam to complicate recovery efforts. Additional tactics, techniques, and procedures (TTPs) attributed to Fog include the use of external reconnaissance tools such as Advanced Port Scanner and SoftPerfect Network Scanner, abusing NTDS for credential access, gathering Veeam credentials via a PowerShell script, and achieving persistence through the creation of new user accounts.

Arctic Wolf's examination of the Fog ransomware revealed a range of capabilities designed to maximize impact and resist mitigation efforts. It employs dynamic API loading and custom obfuscation to evade detection while executing a sophisticated encryption routine that leverages the system's logical processors. This routine is driven by a JSON-based configuration block that dictates the malware's operations, from process termination to the handling of encrypted files, which are typically appended with '.FOG' or '.FLOCKED' extensions. The ransom notes, consistent across attacks, instruct victims on payment methods to restore access to their data. "Other than a unique chat code, the ransom notes were identical. Other than the .onion address used for communication between the victim and threat actor, we have not observed an additional dark web presence such as a data leak site," reports Arctic Wolf Labs.
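As an added example (not Arctic Wolf's or Anvilogic's code), the following hypothetical Python correlation runs over constructed Windows event records and flags a host only when several of the Fog stages described above (PsExec service installation, new account creation, Defender disabled, and bulk writes of .FOG/.FLOCKED files) occur on that host within a short window; the event IDs are the standard Windows and Sysmon ones, while the time window and file-count thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Indicators from the write-up, mapped to standard Windows event IDs: PsExec service
# (System 7045), new user (Security 4720), Defender real-time protection off
# (Defender Operational 5001), .FOG/.FLOCKED file writes (Sysmon 11 FileCreate).
FOG_EXT = re.compile(r"\.(fog|flocked)$", re.IGNORECASE)
WINDOW = timedelta(hours=2)  # assumed: stages must occur within 2 h on one host
MIN_ENCRYPTED = 5            # assumed: fewer Fog-extension writes are treated as noise

def stage_of(ev):
    """Map one event to a Fog kill-chain stage, or None if unrelated."""
    eid, detail = ev["event_id"], ev.get("details", "")
    if eid == 7045 and "PSEXESVC" in detail.upper():
        return "psexec_service"
    if eid == 4720:
        return "new_user"
    if eid == 5001:
        return "defender_disabled"
    if eid == 11 and FOG_EXT.search(detail):
        return "fog_extension"
    return None

def correlate(events, min_stages=2):
    """Return {host: stages} for hosts showing >= min_stages distinct Fog stages
    within WINDOW of the first Fog-related event on that host."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = stage_of(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    hits = {}
    for host, seq in per_host.items():
        in_window = [s for t, s in seq if t - seq[0][0] <= WINDOW]
        stages = set(in_window)
        if in_window.count("fog_extension") < MIN_ENCRYPTED:
            stages.discard("fog_extension")  # a few renames alone are not encryption
        if len(stages) >= min_stages:
            hits[host] = sorted(stages)
    return hits

# Constructed sample telemetry (not real logs): one encrypted server, one benign host.
SAMPLE = [
    {"host": "FS01", "time": "2024-05-20T01:02:00", "event_id": 7045, "details": "Service Name: PSEXESVC"},
    {"host": "FS01", "time": "2024-05-20T01:05:00", "event_id": 4720, "details": "New account: svc_bkp2"},
    {"host": "FS01", "time": "2024-05-20T01:09:00", "event_id": 5001, "details": "Real-time protection disabled"},
] + [{"host": "FS01", "time": f"2024-05-20T01:{20 + i:02d}:00", "event_id": 11,
      "details": f"C:\\Shares\\doc{i}.docx.FOG"} for i in range(6)
] + [{"host": "WS07", "time": "2024-05-20T09:00:00", "event_id": 4720, "details": "New account: intern"},
     {"host": "WS07", "time": "2024-05-20T09:30:00", "event_id": 11, "details": "C:\\Users\\intern\\notes.FOG"}]
```

Running `correlate(SAMPLE)` flags only FS01 with all four stages; WS07's single new account plus one .FOG file stays below the threshold.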

Interestingly, the operators were not observed to have exfiltrated data; instead, their focus was on encrypting data to demand ransom. "Considering the short duration between the initial intrusion and encryption, the threat actors appear more interested in a quick payout rather than executing a more complex attack involving data exfiltration and a high-profile leak site." Currently, Fog does not operate its own extortion portal, and according to Arctic Wolf's analysis, "the threat actors were not observed to exfiltrate data from hosts being encrypted." However, insights from BleepingComputer "confirm" that the operators have stolen data and use that leverage to extort victims in double-extortion attacks. Nonetheless, Fog ransomware operators have demonstrated proficiency in their attacks, targeting a crucial sector; their focus on US-based entities marks this operation as a concerning emerging threat.
