New Ransomware Threatens Cyberspace
In the increasingly complex landscape of cyber threats, a new type of ransomware known as Fog ransomware emerged this year, beginning its spread in the spring. This malicious software has garnered particular attention due to its sophistication and advanced attack methods. Initially discovered in the United States, it primarily impacted the education sector, but travel, finance, and manufacturing industries were also targeted. The unidentified operators of Fog ransomware appear to be motivated by financial gain, employing a double extortion technique, thereby increasing the pressure on victims to pay the ransom.
Vulnerability access and exploitation techniques
The first entry point exploited by the Fog ransomware is typically compromised credentials. Recently, the cybercriminals behind it demonstrated the exploitation of a known vulnerability in the Device Management Interface, identified as --. This security flaw present in outdated devices allows attackers to gain privileged access to the network, initiating the attack chain. In many cases, attackers also exploit the -- vulnerabilities in &, leveraging flaws that may permit remote code execution, thereby amplifying the potential to compromise enterprise networks.
Researchers claim that at least intrusions related to accounts were carried out with the help of and ransomware, suggesting possible collaboration or infrastructure overlap between the two groups. Experts also uncovered clues related to the infrastructure used by and operators, highlighting the increasing specialization and interconnectedness among various cybercriminal actors.
Attack strategies and methods used
Once access is obtained, files are quickly encrypted. The attacker performs a pass-the-hash attack to gain elevated privileges and disable security software. Deleting shadow copies and disabling services using . commands are among the first actions taken by the operator. The system is also targeted by this ransomware: files with the extension "." contain critical virtual machine data, which, when encrypted, disrupts services and severely interrupts business operations.
To map the environment and gather useful information, operators use identification tools such as , , and , which enable them to collect data about the systems and services present in the network. To ensure persistence on the network, the malware creates new user accounts and employs reverse . Additionally, using and allows attackers to perform enumeration tasks and maintain access within the compromised environment.
Data extraction and encryption phases
In the final stage of the attack, data exfiltration is executed, uploading the stolen files to a storage service, which is typically used for storing leaked information. Files on the encrypted system have a "." or "." extension, and a ransom note is placed in each directory affected by the encryption. The note warns the victims of the attack, detailing the attacker's demands and threatening to disclose sensitive data if the ransom is not paid. Double extortion is a common tactic in modern ransomware, representing a psychological pressure technique: if the victim refuses to pay, not only will they be unable to recover the encrypted data, but they also face the risk of confidential information being publicly disseminated, jeopardizing security and corporate reputation.
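The article notes that affected files receive a new extension and that a ransom note lands in every encrypted directory. An incident responder's first task after containment is to scope that damage. The script below is an added example, not code from the original article or from any vendor report: it walks a directory tree, counts files carrying the encrypted extension per directory, and cross-checks the "note in every affected directory" pattern, so that directories where encryption was interrupted (files renamed but no note, or a note but nothing renamed) surface as anomalies worth a closer look. The note file name and the extension are placeholders, and the sample tree is constructed in a temporary directory.

```python
"""Scope a ransomware encryption event on a file tree.

Added example for illustration; not code from the original article.
NOTE_NAME and ENC_SUFFIX are placeholders: the article does not give the
real note name or extension, so substitute the values observed in your own case.
"""
import os
import pathlib
import tempfile

NOTE_NAME = "README_PLACEHOLDER.txt"   # placeholder ransom-note name (assumption)
ENC_SUFFIX = ".locked-example"         # placeholder encrypted-file extension (assumption)


def build_sample_tree() -> pathlib.Path:
    """Construct a small sample tree in a temp dir (constructed data, not real evidence)."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="ir-scope-"))
    layout = {
        # directory: (encrypted file names, plain file names, note present?)
        "finance":         (["q1.xlsx", "q2.xlsx"], [], True),
        "finance/archive": (["2019.zip"], [], True),
        "hr":              (["payroll.csv"], [], False),   # renamed files but no note
        "temp":            ([], ["scratch.txt"], True),    # note but nothing renamed
        "public":          ([], ["index.html"], False),    # untouched
    }
    for rel, (enc, plain, note) in layout.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        for name in enc:
            (d / (name + ENC_SUFFIX)).write_bytes(b"\x00" * 16)
        for name in plain:
            (d / name).write_text("sample content\n")
        if note:
            (d / NOTE_NAME).write_text("placeholder ransom note text\n")
    return root


def scope_encryption(root, note_name=NOTE_NAME, enc_suffix=ENC_SUFFIX) -> dict:
    """Return per-directory encrypted-file counts plus directories that break
    the 'note in every encrypted directory' pattern."""
    affected = {}                 # relative dir -> number of encrypted files
    notes_without_encrypted = []  # note dropped, but no renamed files (interrupted run?)
    encrypted_without_note = []   # renamed files, but no note (interrupted run?)
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        n_enc = sum(1 for f in files if f.endswith(enc_suffix))
        has_note = note_name in files
        if n_enc:
            affected[rel] = n_enc
        if has_note and not n_enc:
            notes_without_encrypted.append(rel)
        if n_enc and not has_note:
            encrypted_without_note.append(rel)
    return {
        "affected_dirs": affected,
        "total_encrypted": sum(affected.values()),
        "notes_without_encrypted": sorted(notes_without_encrypted),
        "encrypted_without_note": sorted(encrypted_without_note),
    }


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = scope_encryption(sample_root)
    print(f"{report['total_encrypted']} encrypted files in "
          f"{len(report['affected_dirs'])} directories")
    for rel, n in sorted(report["affected_dirs"].items()):
        print(f"  {rel}: {n}")
    print("note but no encrypted files:", report["notes_without_encrypted"])
    print("encrypted files but no note:", report["encrypted_without_note"])
```

Run it against a mounted (read-only) image of the affected volume rather than the live host, and keep the two anomaly lists: they point at directories where the encryptor was stopped mid-run, which is often where recoverable plaintext survives.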
Recommendations on defensive and preventive measures
To protect themselves from the Fog ransomware, organizations should implement preventive measures and monitor their environment continuously. The main recommendations include:
- Update the system: Ensure that the system, backup devices, and critical software are updated with the latest security patches to reduce the risk of exploitable vulnerabilities.
- Network Activity Monitoring: Regularly check logs for suspicious activities, such as abnormal data transfers or unauthorized access attempts.
- Network Segmentation: Implement proper network segmentation to limit the lateral movement of potential attackers.
- Secure Backup: Store backup copies in isolated locations and protect them with multi-factor authentication to prevent leakage.
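The network activity monitoring recommendation above, together with the earlier description of the operator deleting shadow copies, disabling services, creating new user accounts and bulk-uploading stolen data, translates directly into detection logic. The following is an added example, not code from the original article: it runs a handful of precursor rules over constructed process-creation and outbound-transfer log lines and then ranks hosts by how many distinct signals they produced. The pipe-delimited log format and the sample events are constructed; the command-line patterns are generic, widely documented ransomware pre-encryption techniques rather than a claim about Fog's exact tooling, and the transfer threshold is an assumption to tune per environment.

```python
"""Detect ransomware precursor activity in process and network logs.

Added example, not code from the original article. Log format, sample
lines and the 10 GiB transfer threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events: timestamp|host|user|parent|command line
PROCESS_LOG = """\
2024-05-02T08:11:03Z|ws-12|jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe notes.txt
2024-05-02T08:14:27Z|srv-fs1|svc_backup|cmd.exe|vssadmin delete shadows /all /quiet
2024-05-02T08:14:29Z|srv-fs1|svc_backup|cmd.exe|wmic shadowcopy delete
2024-05-02T08:15:10Z|srv-fs1|svc_backup|cmd.exe|net user helpdesk2 P@ss1234 /add
2024-05-02T08:15:12Z|srv-fs1|svc_backup|cmd.exe|net localgroup administrators helpdesk2 /add
2024-05-02T08:16:40Z|srv-fs1|svc_backup|cmd.exe|bcdedit /set {default} recoveryenabled no
2024-05-02T09:00:00Z|ws-12|jdoe|outlook.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE report.docx
"""

# Constructed outbound-transfer events: timestamp|host|destination|bytes_out
NET_LOG = """\
2024-05-02T08:30:00Z|srv-fs1|203.0.113.10|58000000000
2024-05-02T08:31:00Z|ws-12|198.51.100.5|120000
2024-05-02T08:32:00Z|srv-fs1|203.0.113.10|42000000000
"""

# (rule name, case-insensitive pattern over the command line)
PROCESS_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b|\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("local_account_creation",
     re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("admin_group_addition",
     re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    detail: str


def scan_process_log(text: str) -> list:
    """Match each command line against every rule; one alert per (line, rule) hit."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, user, _parent, cmdline = line.split("|", 4)
        for name, pattern in PROCESS_RULES:
            if pattern.search(cmdline):
                alerts.append(Alert(name, host, user, cmdline))
    return alerts


def scan_net_log(text: str, threshold_bytes: int = 10 * 1024 ** 3) -> list:
    """Sum outbound bytes per (host, destination); flag totals at or above threshold."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, dest, nbytes = line.split("|")
        totals[(host, dest)] += int(nbytes)
    return [Alert("bulk_outbound_transfer", host, "-", f"{dest}: {total} bytes")
            for (host, dest), total in totals.items() if total >= threshold_bytes]


def hosts_with_multiple_signals(alerts, minimum: int = 2) -> set:
    """Hosts that triggered at least `minimum` distinct rules: the strongest
    indication that an operator, not a stray admin command, is at work."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
    return {h for h, rules in rules_by_host.items() if len(rules) >= minimum}


if __name__ == "__main__":
    found = scan_process_log(PROCESS_LOG) + scan_net_log(NET_LOG)
    for a in found:
        print(f"[{a.rule}] host={a.host} user={a.user} :: {a.detail}")
    print("escalate:", sorted(hosts_with_multiple_signals(found)))
```

Any one of these rules fires occasionally during legitimate administration, which is why the correlation step matters: shadow-copy deletion, a new local administrator and tens of gigabytes leaving a file server within an hour on the same host is the combination worth paging on.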
The emergence of this ransomware once again highlights the necessity for organizations to maintain high vigilance and strengthen their defenses. With the increasing collaboration among different cybercriminal actors and the adoption of advanced extortion methods, it is crucial to stay informed about new threats and implement robust and up-to-date security protocols.