Overview
Fog Ransomware, first observed in early May 2024, is a rapidly evolving ransomware variant primarily targeting US-based educational institutions and businesses. Unlike traditional ransomware groups which often operate with a defined structure and public persona, Fog is classified as a variant, meaning the developers of the malware are distinct from the affiliates who deploy it in attacks. This makes attribution challenging, but analysis suggests a possible connection to Russian-speaking cybercriminals due to geographic targeting patterns. Fog employs a double extortion model, combining data encryption with data exfiltration and publication on a Tor-based data leak site (DLS) to pressure victims into paying ransoms. The speed of its attacks is notable, with encryption sometimes occurring within just two hours of initial access.
Known Aliases
No known aliases beyond “Fog Ransomware” have been publicly identified.
Country of Origin
The country of origin is unknown. However, the disproportionate targeting of US organizations, coupled with the absence of attacks on Russia, CIS countries, and China, suggests a possible connection to Russian-speaking cybercriminals.
Fog Ransomware’s Most Recent Attacks
- Kombinat Media Gestalter: The ransomware attack led to the theft of 1GB of source code, which was later leaked online.
- Haute Ecole Paul-Henri Spaak: Approximately 62GB of data, including sensitive student and staff information, was stolen.
- Propulsion Academy: The breach involved an undisclosed amount of data, but it significantly disrupted their operations.
- XpanS: The attack targeted critical virtual machine disk files, encrypting them and appending “.fog” extensions.
- Professional Computer Co., Ltd: Sensitive internal files were exfiltrated, with some data reportedly leaked on the dark web.
- Karadeniz Holding: A massive 1.5TB of data was stolen, impacting their energy sector operations.
- PraSaga: The ransomware compromised blockchain project data, including sensitive development files.
- Boutin Jones: The law firm suffered a breach where confidential client data was exposed.
MITRE ATT&CK Tactics and Techniques Used by Fog Ransomware
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing | T1566 | Uses phishing emails to trick users into downloading malicious payloads. |
| Initial Access | Exploitation for Privilege Escalation | T1068 | Exploits vulnerabilities or misconfigurations to gain higher privileges. |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploits vulnerabilities in internet-facing applications to gain access. |
| Initial Access | Valid Accounts | T1078 | Uses compromised legitimate accounts (e.g., VPN credentials) for access. |
| Execution | Command and Scripting Interpreter | T1059 | Uses PowerShell or Bash scripts to execute malicious commands. |
| Persistence | Scheduled Task/Job | T1053 | Creates scheduled tasks to maintain access after a reboot. |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 | Exploits vulnerabilities or misconfigurations to gain admin privileges. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Uses packing, encryption, or other methods to evade detection. |
| Credential Access | Credential Dumping | T1003 | Uses tools like Mimikatz to steal credentials from memory. |
| Discovery | System Information Discovery | T1082 | Gathers information about the infected system. |
| Discovery | File and Directory Discovery | T1083 | Gathers information about files and directories on the system. |
| Discovery | Network Share Discovery | T1135 | Discovers network shares to identify potential targets. |
| Lateral Movement | Remote Services (RDP, SMB) | T1021 | Uses compromised credentials to move laterally within the network. |
| Collection | Data from Local System | T1005 | Gathers sensitive files before exfiltration. |
| Exfiltration | Exfiltration Over Web Service | T1567 | Sends stolen data to attacker-controlled servers. |
| Impact | Data Encrypted for Impact | T1486 | Encrypts victim files and demands ransom for decryption. |
Methods of Attack/Infiltration Used by Fog Ransomware
Fog Ransomware uses a multi-stage attack process. Initial access is gained through various methods, including:
- Exploiting vulnerabilities in public-facing applications: This allows initial access to the network.
- Weak RDP configurations: Compromised or poorly secured Remote Desktop Protocol connections provide an entry point.
- Phishing emails: Social engineering tactics are used to trick users into downloading malicious payloads.
- Stolen credentials: Compromised user credentials, including VPN access, are leveraged to bypass authentication.
- Double Extortion: Combines file encryption with data exfiltration (potentially using MEGA) and publication on a Tor-based DLS.
- Ransom Note Delivery:
readme.txtprovides instructions, ransom demands (cryptocurrency), and data leak threats. Victims directed to a DLS.
Malware/Ransomware Strain(s) Used by Fog Ransomware
- Primary malware: Fog ransomware variant. Exact strain and version number remain unconfirmed.
- File Extension Appending:
.fog,.Fog, or.FLOCKEDadded to encrypted files. - Encryption Algorithm: Robust, but specific algorithm undisclosed. Decryption without the key is extremely difficult.
- Legitimate Tool Abuse: AnyDesk and SplashTop potentially used for C2 communication.
- Potential Additional Tools: Mimikatz, PowerShell, PsExec, Rclone, Cobalt Strike, and GMER may be employed.
