The Fog ransomware, previously targeting educational and recreational sectors, has now shifted its focus to the lucrative finance industry. In a recent attack, threat actors compromised VPN credentials to infiltrate a mid-sized financial institution, deploying Fog ransomware to encrypt sensitive data.
Fog Ransomware Overview
Fog ransomware emerged in 2021 and has since expanded its capabilities. It breaches networks using compromised VPN credentials and escalates privileges with pass-the-hash attacks. Once inside, Fog disables security features, encrypts critical files (including virtual machine disks), and deletes backup data, leaving victims with limited recovery options.
Recent Attack on Financial Institution
In early August 2024, threat actors used compromised VPN credentials to launch a ransomware attack against a financial institution. They employed the Fog ransomware to target Windows and Linux endpoints. However, Adlumin’s decoy files technology detected the ransomware activity, preventing the attack from escalating.
Technical Details of the Attack
The attackers gained initial access through an unprotected device and utilized Advanced_Port_Scanner_2.5.3869(1).exe to scan the network for vulnerable hosts. They leveraged domain trust relationships to move laterally within the network and used esentutl.exe to exfiltrate login credentials from infected endpoints. Rclone was used to transfer stolen data. The ransomware was deployed as locker.exe, and a readme.txt file was dropped on compromised endpoints containing the ransom demand.
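The tooling named above (a port scanner, esentutl.exe, Rclone, locker.exe) maps onto a short intrusion chain that a defender can correlate per host. The script below is an added example, not part of the original report: it classifies hypothetical Sysmon/EDR-style process-creation records by stage and escalates a host only when the encryptor appears or when two or more stages are seen together, since a lone esentutl.exe run can be legitimate administration. The log format and host names are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Stages of the chain described in the report, keyed to the process names it cites.
# Each pattern is matched against the image path and command line of an event.
STAGES = [
    ("network_scan",      re.compile(r"advanced_port_scanner", re.I)),
    ("credential_access", re.compile(r"\besentutl\.exe\b", re.I)),
    ("exfiltration",      re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("encryption",        re.compile(r"\blocker\.exe\b", re.I)),
]

def classify(event):
    """Return the stage an event matches, or None if it matches nothing."""
    text = f"{event.get('image', '')} {event.get('cmdline', '')}"
    for stage, pattern in STAGES:
        if pattern.search(text):
            return stage
    return None

def correlate(lines):
    """Group matched stages by host and return only hosts worth escalating:
    any sighting of the encryptor, or two or more distinct stages on one host."""
    seen = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        stage = classify(event)
        if stage:
            seen[event["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items()
            if "encryption" in stages or len(stages) >= 2}

# Constructed sample events (hypothetical JSON process-creation records), not real telemetry.
SAMPLE_LOG = [
    r'{"host":"FIN-WS01","image":"C:\\Users\\Public\\Advanced_Port_Scanner_2.5.3869(1).exe","cmdline":""}',
    r'{"host":"FIN-WS01","image":"C:\\Windows\\System32\\esentutl.exe","cmdline":""}',
    r'{"host":"FIN-WS01","image":"C:\\Users\\Public\\rclone.exe","cmdline":""}',
    r'{"host":"FIN-WS01","image":"C:\\Users\\Public\\locker.exe","cmdline":""}',
    r'{"host":"FIN-DC01","image":"C:\\Windows\\System32\\esentutl.exe","cmdline":""}',
    r'{"host":"FIN-WS02","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"readme.txt"}',
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG).items():
        print(f"ESCALATE {host}: {', '.join(stages)}")
```

FIN-DC01 is deliberately left out of the result: a single esentutl.exe execution on a domain controller is worth reviewing, but on its own it does not justify an automatic escalation.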
Arctic Wolf Analysis
Arctic Wolf’s analysis suggests that the threat actors were primarily motivated by a quick financial payout rather than a more sophisticated attack involving data exfiltration.
Recommendations for Mitigation
To mitigate Fog ransomware attacks, organizations are advised to implement the following measures:
- Enforce multi-factor authentication (MFA)
- Regularly update VPN software and monitor VPN access
- Isolate compromised endpoints
- Utilize a comprehensive security platform
- Back up critical data
- Implement the principle of least privilege
- Develop incident response plans
Conclusion
The Fog ransomware has widened its attack scope to the financial sector, posing a significant threat to sensitive data. Organizations must adopt proactive security measures to protect against this evolving ransomware variant and prevent potential financial losses.