Ominous fog: extortionist gang "Fog" actively terrorizes educational institutions

How did the young group's approach surprise security researchers?

Researchers at Arctic Wolf discovered a new ransomware group called Fog, which uses old-fashioned methods to turn a quick profit by locking up data in virtual environments.

The "Fog" group was first spotted on May 2 of this year, and by May 23, it had already carried out many successful attacks: it quickly penetrated systems, encrypted data in virtual environments, and left notes with ransom demands.

Fog attacks usually start with the use of stolen virtual private network (VPN) credentials. This method has recently become increasingly popular for accessing large organizations.

The group has already exploited vulnerabilities of two different VPN gateway providers, the names of which Arctic Wolf does not disclose. In one case, Fog used the "pass the hash" method to compromise administrator accounts on the target's network. The team then established a Remote Desktop Protocol (RDP) connection to Windows servers running the Hyper-V hypervisor and Veeam data protection software.

Other typical "Fog" methods include brute-forcing credentials, using standard Windows tools and open-source tools such as Metasploit and PsExec, disabling Windows Defender, and using Tor to communicate with victims.
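The intrusion chain described above (credential brute force, pass-the-hash, RDP onto Hyper-V and Veeam servers, PsExec, Defender disabled) maps onto standard Windows event IDs that a defender can triage. The following is an added example, not code from Arctic Wolf or the original post; the host names, IP address and event records are constructed, and the threshold and "crown jewel" host list are assumptions a real deployment would tune.

```python
"""Triage helper for the Fog-style intrusion chain described above.
Input: a list of Windows event dicts (constructed here, not real telemetry).
Event IDs are standard Windows ones: 4625 failed logon; 4624 successful logon
(LogonType 9 = NewCredentials, the usual pass-the-hash shape when paired with
NTLM; LogonType 10 = RDP); 7045 = new service installed (PsExec drops
PSEXESVC); Defender Operational 5001 = real-time protection disabled."""
from collections import Counter

# Assumption: hosts a defender has tagged as hypervisor/backup servers.
CROWN_JEWELS = {"HV01": "Hyper-V", "VEEAM01": "Veeam"}
BRUTE_THRESHOLD = 5  # failed logons from one source before flagging (tunable)

def triage(events):
    """Return (finding_key, detail) pairs for events matching the described TTPs."""
    findings = []
    failed = Counter()
    for e in events:
        eid = e["EventID"]
        if eid == 4625:  # brute force: count failures per source IP
            failed[e["IpAddress"]] += 1
        elif eid == 4624:
            ltype = e["LogonType"]
            if ltype == 9 and e.get("AuthPackage") == "NTLM":  # pass-the-hash shape
                findings.append(("pass_the_hash", f"{e['User']} on {e['Host']}"))
            if ltype == 10 and e["Host"] in CROWN_JEWELS:  # RDP straight onto HV/backup
                findings.append(("rdp_to_crown_jewel",
                                 f"{e['User']} -> {e['Host']} ({CROWN_JEWELS[e['Host']]})"))
        elif eid == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(("psexec_service", e["Host"]))
        elif eid == 5001 and e.get("Channel") == "Microsoft-Windows-Windows Defender/Operational":
            findings.append(("defender_rtp_disabled", e["Host"]))
    for ip, n in failed.items():
        if n >= BRUTE_THRESHOLD:
            findings.append(("brute_force", f"{ip} ({n} failures)"))
    return findings

# Constructed sample telemetry mirroring the chain: VPN brute force -> PtH -> RDP -> PsExec -> Defender off
SAMPLE = [
    *[{"EventID": 4625, "IpAddress": "203.0.113.7", "Host": "VPNGW", "User": "admin"} for _ in range(6)],
    {"EventID": 4624, "LogonType": 9, "AuthPackage": "NTLM", "User": "admin", "Host": "WS22"},
    {"EventID": 4624, "LogonType": 10, "User": "admin", "Host": "HV01"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "Host": "VEEAM01"},
    {"EventID": 5001, "Channel": "Microsoft-Windows-Windows Defender/Operational", "Host": "VEEAM01"},
]

if __name__ == "__main__":
    for key, detail in triage(SAMPLE):
        print(f"[{key}] {detail}")
```

Any single finding is weak on its own; the value is in seeing several of them against the same account or host within a short window.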

Unlike other ransomware groups, Fog does not exfiltrate data, has no leak sites, and does not engage in double or triple extortion. Researchers believe that attackers are interested in quickly obtaining ransom, and not in conducting more complex attacks.

So far, Fog has focused exclusively on organizations in the United States. Moreover, 80% of all attacks have targeted educational institutions, and the remaining 20% the entertainment industry.

Kerry Schafer-Page, vice president of incident response at Arctic Wolf, believes that the choice of the education sector is not accidental. "Education is often underfunded and insufficiently equipped in terms of cybersecurity. During the summer holidays and with small IT departments, this is an ideal opportunity for attackers," explains Schafer-Page.

To compensate for these shortcomings, Schafer-Page emphasizes the importance of proper credential management. "Employees need to understand how to manage their credentials. Attackers are looking for a way to move around the network and increase their privileges. Once they achieve this, they will be able to gain access to the most valuable data," the expert concludes.