New Ransomware Variant “Fog” Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named “Fog,” which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 
Fog ransomware typically gains initial access through compromised VPN credentials, exploiting vulnerabilities in remote access systems from two different VPN gateway vendors.
Once inside the network, the attackers employ various techniques, including pass-the-hash activity, credential stuffing, and deployment of PsExec across multiple systems. The group also uses RDP and SMB to reach targeted hosts and disables Windows Defender on Windows Servers to maintain its foothold.

Working of Fog Ransomware
Fog ransomware operates using a JSON-based configuration block that orchestrates activities both pre- and post-encryption. The operators deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing the encryption.

Additionally, Fog ransomware targets VMDK files in virtual machine storage and deletes backups from Veeam object storage and Windows volume shadow copies. It employs an embedded public key

[…]
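As an added illustration (not code from Arctic Wolf, the original article, or the Fog operators), the following Python applies simple detection rules for three behaviours described above, PsExec deployment, Windows Defender being disabled, and volume shadow copy deletion, to constructed process-creation records. The pipe-delimited log format, the field names and the rule patterns are assumptions made for this example.

```python
import re

# Rules for the behaviours the article attributes to Fog: PsExec deployment,
# Windows Defender tampering, shadow copy deletion.  Patterns are illustrative.
RULES = [
    ("psexec_deployment",
     re.compile(r"(?:^|[\\/\s])psexe(?:c|svc)(?:64)?\.exe\b", re.I)),
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*\s-Disable\w+", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
]

# Constructed records (not real incident data): time|host|user|image|cmdline, like Sysmon EID 1.
SAMPLE_LOG = """\
2024-05-14T02:11:03Z|FS01|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-05-14T02:12:40Z|DC01|CORP\\admin|C:\\Tools\\PsExec64.exe|PsExec64.exe \\\\FS02 -s cmd.exe
2024-05-14T02:13:02Z|FS02|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe
2024-05-14T02:13:30Z|FS02|CORP\\admin|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2024-05-14T02:14:00Z|WS07|CORP\\asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|WINWORD.EXE /n
"""

def parse(line):
    # Split one record into a dict; returns None for malformed lines.
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "image", "cmdline"), parts))

def scan(log_text):
    """Return one hit per (record, rule) match, in log order."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse(raw.strip())
        if rec is None:
            continue
        for label, pattern in RULES:
            # Check the image path too, so the bare PSEXESVC.exe service binary is caught.
            if pattern.search(rec["cmdline"]) or pattern.search(rec["image"]):
                hits.append({"time": rec["time"], "host": rec["host"],
                             "rule": label, "cmdline": rec["cmdline"]})
    return hits

def hosts_with_chain(hits):
    """Hosts where more than one distinct technique fired (the strongest signal)."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["rule"])
    return sorted(host for host, rules in seen.items() if len(rules) > 1)
```

On the sample records, `scan` flags four events and `hosts_with_chain` singles out FS02, where PsExec execution and Defender tampering occur on the same host within a minute.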

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
