As of August 2024, CYFOR has identified the first instance of ‘Fog’ ransomware threat actors migrating into the UK. Previously, these attackers primarily targeted the education and recreation sectors in the United States. Their expansion overseas underscores the growing global threat they pose and highlights the critical importance of implementing robust cybersecurity measures to counteract it.
But who are Fog Ransomware?
First reported in May 2024, the Fog group initially used compromised VPN credentials to infiltrate networks within the educational sector over in the United States. The Artic Wolf Labs team first identified the breach, noting that at that time, the group had not yet established an extortion portal and had not stolen any data. As of August 2024, Fog has launched a dark web site to name victims, but has not yet been reported to engage in “double extortion” attacks—a tactic where stolen data is used as leverage to coerce victims into paying a set ransom, in addition to data encryption.
Learn more hereCyber Corner
- What is a VPN? According to Nord VPN a “VPN is a service that protects your internet connection and privacy online. VPNs create an encrypted tunnel for your data, protect your online identity by hiding your IP address, and allow you to use public Wi-Fi hotspots safely.”
- Double Extortion – is a tactic used in ransomware attacks where attackers not only encrypt their victim’s data but also steal it and threaten to release it publicly unless a ransom is paid. This approach adds an additional layer of pressure on the victim, as they face the risk of having sensitive or confidential information exposed, in addition to dealing with the disruption caused by the encrypted files.
How do they attack?
The attackers exploit compromised VPN credentials from at least two gateway vendors to gain access to the victim’s environments. Once this has been completed, Fog deploys their encryption, going on to send the victim a note demanding a ransom to be paid.
The initial reported attack took place on May 23, 2024 by Arctic Wolf.
Fog's Next Step
- Once the network is compromised, the group attempts to access valuable privileged accounts, including those that can establish Remote Desktop Protocol (RDP) connections. Following the initial breach, the group, known as ‘Fog,’ disables Windows Defender (and other security systems) and prepares the system for deploying the encryptor. In some cases, the group proceeds to encrypt VMDK (Virtual Machine Disk) files in Virtual Machine (VM) storage, preventing the organisation from accessing files, systems and services within virtual machines. Additionally, FOG target on-premise backup systems to hinder recovery efforts, increasing their leverage when a ransom demand is made.
- The final step involves the deployment of the ransomware, this displays a note to the victim with instructions on how to contact Fog to attempt recovery and decryption of the encrypted system.
The Developments - August 21st 2024
Fog has recently launched a dark web site that now lists all its victims. This site is designed to increase the victims’ anxiety by threatening to publicly release all exfiltrated data here if the ransom is not paid.
The site appears as shown to the left.
Speak with an ExpertThe Technical Breakdown with William Poole
As attacks by Fog spread to the UK, our expert team has put together a comprehensive guide to help you identify the attacker, remediate their actions, and prevent future incidents.
Our Head of Incident Response, Will Poole, has crafted the following guide for your reference:
As FOG continue with consistent tactics, techniques and procedures throughout attacks – initially targeting VPN accounts before moving laterally to sensitive systems, escalating privileges and deploying their ransomware via common methods, organisations can take basic cyber-hygiene steps to protect themselves from the group.
Ensuring that all external access to your systems, especially via VPNs, are protected by multi-factor authentication, implementing robust password policies to eradicate weak passwords and removing legacy/unused accounts will all help ensure FOG never gain an initial foothold within your network. Disabling RDP where it is not needed, monitoring administrator accounts usage across your network, and deploying appropriate endpoint detection and response (EDR) tools on your endpoints can further your ability to prevent lateral movement, and detect incidents before ransomware is deployed, in the event an initial compromise is successful.
FOG, like many other ransomware groups, leave a readme.txt file on compromise systems – containing a link to their dark web data leak site and instructions for making contact. If you find such a note on your systems, follow your internal incident response plan. CYFOR are here to help with any recovery and investigation needs if your organisation is targeted by FOG, or other prominent ransomware groups.
The CYFOR Secure team is committed to keeping you informed about all developments in this case. We’re here to assist you if you need help or if you have been affected by their activities.