
Fog Ransomware Now Targeting the Financial Sector

In early August 2024, threat actors launched a ransomware attack on a mid-sized financial business using compromised VPN credentials. The cybercriminals deployed a ransomware variant known as “Fog” (a.k.a. “Lost in the Fog”) targeting sensitive data on endpoints running both Windows and Linux operating systems. However, the attack was successfully thwarted by the Adlumin platform’s innovative technology, which uses decoy files as sensors to detect ransomware activity within the network.

The Fog Ransomware

Fog is a variant of the STOP/DJVU ransomware family, first observed in 2021. It uses compromised VPN credentials to breach network defenses and primarily targets sectors such as education and recreation. Once inside a network, Fog uses advanced techniques, including pass-the-hash attacks, to escalate privileges to an administrative level, significantly amplifying its impact.

After infiltration, Fog executes a series of actions designed to cripple network security. These include disabling protective mechanisms, encrypting critical files—especially Virtual Machine Disks (VMDKs)—and eradicating backup data, leaving victims with little choice but to consider paying the ransom. The encrypted files are typically marked with extensions like ‘.FOG’ or ‘.FLOCKED’ and are accompanied by a ransom note directing victims to a negotiation platform on the Tor network.

The lack of direct attribution to established APT groups suggests that Fog ransomware likely originates from a new, highly skilled threat actor.


Network Discovery

The attackers initiated network discovery by sending a series of pings targeting other endpoints. They stored the output of these pings in text files, ‘pings.txt’ and ‘pingw.txt’. Subsequently, they used the tool ‘Advanced_Port_Scanner_2.5.3869(1).exe’ to conduct network reconnaissance, scanning hosts within the network using elevated privileges from the compromised service accounts.

Lateral Movement

The Adlumin team traced the infiltration to an unprotected system, with the attack originating from an IP address in Russia. The attackers used two compromised service accounts to move laterally within the network, leveraging domain trust relationship information by executing the command:

    nltest /domain_trusts

They then deployed a binary called ‘SharpShares.exe’ to map network drives and share folders on other machines, enabling further lateral movement.

Credential Harvesting

The next step involved using the Microsoft command-line utility ‘esentutl.exe’ to back up login data stored on endpoints for multiple users, including encrypted credentials from Google Chrome, using the following command:

    cmd.exe /Q /c esentutl.exe /y "C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"

Execution

The threat actor used ‘Rclone’, a powerful open-source command-line tool, to sync and transfer data from compromised endpoints. They tailored the command to include files modified within the last two years while excluding certain file types.

The ransomware was propagated using a tool named ‘locker.exe’, signifying its role in encrypting or ‘locking’ the files. The following command was executed:

    C:\programdata\locker.exe -id xCcNKl -nomutex -size 10 -console -target \\<HOSTS>.DOMAIN.COM\<SHAREDRIVE>

A ‘readme.txt’ file containing the ransom letter was then placed on all infected endpoints. Additionally, the attackers used WMIC and PowerShell commands to delete system shadow copies, preventing victims from restoring their files from backups.
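As an added example (not part of the Adlumin report), the following Python detection logic runs the tradecraft described in the Lateral Movement, Credential Harvesting and Execution sections above against constructed Sysmon-style process-creation events: domain-trust enumeration with nltest, esentutl copies of Chrome "Login Data", shadow-copy deletion via WMIC or PowerShell, and locker.exe execution. Hosts where two or more distinct stages fire are flagged for the kind of automated isolation the report describes; the hostnames, usernames and event format are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not telemetry
# from the incident. Command lines mirror the tooling described in the report.
SAMPLE_EVENTS = [
    {"host": "ws-017", "user": "svc_backup", "cmd": "nltest /domain_trusts"},
    {"host": "ws-017", "user": "svc_backup", "cmd": r'cmd.exe /Q /c esentutl.exe /y '
     r'"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
     r'/d "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"'},
    {"host": "fs-01", "user": "svc_sql", "cmd": "wmic shadowcopy delete"},
    {"host": "fs-01", "user": "svc_sql",
     "cmd": "powershell -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"host": "fs-01", "user": "svc_sql",
     "cmd": r"C:\programdata\locker.exe -id xCcNKl -nomutex -size 10 -console"},
    {"host": "ws-002", "user": "alice", "cmd": "ping -n 1 10.0.0.5"},            # benign
    {"host": "ws-002", "user": "alice", "cmd": r"esentutl.exe /p C:\db\edb.log"},  # benign repair
]

# One rule per stage of the intrusion described above.
RULES = [
    ("domain_trust_enum", re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I)),
    ("browser_cred_copy_esentutl",
     re.compile(r"\besentutl(\.exe)?\b.*\s/y\s.*\\Login Data", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b"
                r"|\bvssadmin\b.*\bdelete\s+shadows\b"
                r"|Win32_Shadowcopy.*Remove-WmiObject", re.I)),
    ("fog_locker_execution", re.compile(r"\blocker\.exe\b.*-nomutex\b", re.I)),
]

def triage(events: list) -> list:
    """Return one finding per (event, rule) match."""
    return [{"host": ev["host"], "user": ev["user"], "rule": name}
            for ev in events for name, pat in RULES if pat.search(ev["cmd"])]

def hosts_to_isolate(findings: list, min_stages: int = 2) -> list:
    """Hosts where at least min_stages distinct rules fired: a chain, not a one-off."""
    stages = {}
    for f in findings:
        stages.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:8} {f['user']:12} {f['rule']}")
    print("isolate:", hosts_to_isolate(found))
```

The benign esentutl repair and the single ping produce no findings, while ws-017 (trust enumeration plus credential copy) and fs-01 (shadow-copy deletion plus locker) each reach the two-stage threshold.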

Ransomware Prevention

As the attack progressed to the exfiltration phase, the Ransomware Prevention feature of the Adlumin platform automatically isolated the affected machines, locked out the attackers, and prevented data theft. Launched in April 2024, this service consists of scripts embedded within the Adlumin Security Platform Agent that monitor malicious activities across customers’ networks.

The agent deploys decoy files on protected endpoints that remain dormant until abnormal or malicious activity is detected. If ransomware attempts to encrypt these files, the scripts automatically execute commands to remove the affected devices from the network, containing the threat and preventing further damage. Alerts are sent to the Adlumin platform for further investigation.
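The decoy-file mechanism described above, as an added illustration written for this page rather than Adlumin's own agent code: hash-based decoys planted in a directory, a check that flags any modification, deletion or rename to a Fog extension (.FOG or .FLOCKED), and a containment hook invoked when a decoy fires. The decoy names, the temporary directory and the isolation callback are assumptions.

```python
import hashlib, os, tempfile
from pathlib import Path

RANSOM_EXTENSIONS = {".fog", ".flocked"}  # extensions the report ties to Fog

def plant_decoys(root: Path, count: int = 3) -> dict:
    """Write decoys (constructed filler) and return the baseline {path: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        p = root / f"FY24_Q{i + 1}_forecast.xlsx"
        p.write_bytes((b"constructed decoy %d\n" % i) * 64)
        baseline[str(p)] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline

def check_decoys(baseline: dict) -> list:
    """Nothing legitimate touches a decoy: modified, deleted or renamed is a finding."""
    findings = []
    for path_str, expected in baseline.items():
        p = Path(path_str)
        if p.exists():
            if hashlib.sha256(p.read_bytes()).hexdigest() != expected:
                findings.append({"path": path_str, "event": "content_modified"})
            continue
        # Missing file: Fog marks encrypted files by appending its own extension.
        renamed = [s for s in p.parent.glob(p.name + ".*")
                   if s.suffix.lower() in RANSOM_EXTENSIONS]
        findings.append({"path": path_str,
                         "event": "renamed_ransom_ext" if renamed else "deleted"})
    return findings

def respond(findings: list, isolate_host) -> bool:  # containment hook, called once
    if findings:
        isolate_host(findings)
    return bool(findings)

def demo() -> dict:
    """Plant decoys, mimic an encryptor (overwrite, rename to .FOG, delete), report."""
    root = Path(tempfile.mkdtemp())
    baseline = plant_decoys(root)
    clean = check_decoys(baseline)                # expected: []
    paths = [Path(p) for p in baseline]
    paths[0].write_bytes(os.urandom(256))         # content replaced
    paths[1].rename(paths[1].with_name(paths[1].name + ".FOG"))
    paths[2].unlink()
    after = check_decoys(baseline)
    isolated = []
    triggered = respond(after, lambda f: isolated.append(root.name))
    return {"clean": clean, "events": [f["event"] for f in after],
            "triggered": triggered, "isolated": isolated}
```

In a real agent the callback would be the network-isolation action and the check would run on a file-change notification rather than on demand.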

Ransomware Prevention is a first-of-its-kind patented technology, representing a significant advancement in the fight against ransomware.

Recovery

After isolating the targeted endpoints, security engineers examined the systems and found binaries for port scanners, encryption software, RMM tools, and other artifacts left by the attackers. They also identified the vulnerable endpoints that facilitated the unauthorized access.

The impacted systems were evaluated and restored to full health, eliminating the potential for another similar attack.

Recommendations

We recommend the following measures to protect against Fog ransomware attacks:

  • Use Multi-Factor Authentication (MFA): Implement MFA for all VPN connections to reduce the risk of compromised credentials.
  • Regularly Update and Patch VPN Software: Ensure all VPN applications are up to date with the latest security patches.
  • Monitor VPN Access: Implement monitoring tools to detect suspicious activities, such as unusual login attempts or access from unfamiliar locations.
  • Isolate Affected Endpoints: Implement automated isolation procedures that trigger when ransomware is detected.
  • Utilize a Comprehensive Security Platform: Protect endpoints with a platform like the Adlumin Security Operations Platform, which can monitor and respond to threats in real-time.
  • Disable Unnecessary Services: Avoid using Windows Management Instrumentation Command-line (WMIC) and PowerShell scripts unless necessary.
  • Regularly Backup Critical Data: Maintain up-to-date backups stored offline or in a secure, immutable environment.
  • Apply the Principle of Least Privilege: Limit administrative privileges to minimize the impact of a successful attack.
  • Conduct Regular Security Audits: Regularly audit network and endpoint security to identify and rectify vulnerabilities.
  • Establish Incident Response Plans: Develop and test incident response plans for detecting, containing, and recovering from ransomware attacks.
  • Monitor Network Traffic: Use advanced threat detection to monitor network traffic for signs of lateral movement or other suspicious activities.

Finally, companies should consider adding the Ransomware Prevention service to their network endpoints to prevent ransomware attacks from escalating.


© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
