'Fog' Ransomware Rolls in to Target Education, Recreation Sectors

A new group of hackers is encrypting data in virtual machines, leaving ransom notes, and calling it a day.

2 Min Read
A foggy meadow and stream
Source: robertharding via Alamy Stock Photo

A new ransomware operation has been performing old-fashioned ransomware attacks, locking up data in virtual environments to earn quick payouts.

Researchers from Arctic Wolf first spotted the group they call "Fog" on May 2, according to a newly released report. Through May 23, Fog performed relatively standard-fare ransomware attacks: quickly infiltrating and encrypting data stored in virtualization environments, leaving a ransom note, but not exfiltrating anything.

Fog's TTPs

Fog attacks typically begin with stolen virtual private network (VPN) credentials, an increasingly popular means of initial access into sizable organizations. The group has exploited two different VPN gateway vendors thus far, which Arctic Wolf has declined to name.

In one case, for example, Fog passed the hash to compromise administrator accounts in its target's network. It then used the accounts to establish a remote desktop protocol (RDP) connection with Windows servers running the Hyper-V hypervisor and Veeam data protection software.

Other common Fog tactics, techniques, and procedures (TTPs) include credential stuffing, using native Windows and open source tools like Metasploit and PsExec, disabling Windows Defender, and using Tor to communicate with victims.

Contrary to recent trends, Fog does not exfiltrate the data it encrypts. It does not operate a leak site, perform double or triple extortion, or anything of the sort. "Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack," the researchers assessed.

Seeing Through Fog

Thus far, Fog has targeted only organizations in the US. Four of every five reported attacks have been from the education sector, with the rest spread across recreation industries.

That a relatively amateurish group would target education in particular isn't surprising, says Kerri Shafer-Page, vice president of DFIR at Arctic Wolf.

"Education is often underfunded and understaffed when it comes to cyber. And when you think about summer vacations and the staffing model, they often have very small IT departments. It's a perfect opportunity for attackers," she says.

To account for some of those shortcomings, Shafer-Page says, "Employees need to understand how they manage their credentials. These threat actors are looking for a way to move laterally and elevate their privileges. Once they elevate their privileges, it's game over. They can get into the crown jewels."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights