'Fog' Ransomware Rolls in to Target Education, Recreation Sectors

A new ransomware operation has been performing old-fashioned ransomware attacks, locking up data in virtual environments to earn quick payouts.

Researchers from Arctic Wolf first spotted the group they call "Fog" on May 2, according to a newly released report. Through May 23, Fog performed relatively standard-fare ransomware attacks: quickly infiltrating and encrypting data stored in virtualization environments, leaving a ransom note, but not exfiltrating anything.

Fog's TTPs

Fog attacks typically begin with stolen virtual private network (VPN) credentials, an increasingly popular means of initial access into sizable organizations. The group has exploited two different VPN gateway vendors thus far, which Arctic Wolf has declined to name.

In one case, for example, Fog passed the hash to compromise administrator accounts in its target's network. It then used the accounts to establish a remote desktop protocol (RDP) connection with Windows servers running the Hyper-V hypervisor and Veeam data protection software.

Other common Fog tactics, techniques, and procedures (TTPs) include credential stuffing, using native Windows and open source tools like Metasploit and PsExec, disabling Windows Defender, and using Tor to communicate with victims.

Contrary to recent trends, Fog does not exfiltrate the data it encrypts. It does not operate a leak site, perform double or triple extortion, or anything of the sort. "Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack," the researchers assessed.

Seeing Through Fog

Thus far, Fog has targeted only organizations in the US. Four of every five reported attacks have been from the education sector, with the rest spread across recreation industries.

That a relatively amateurish group would target education in particular isn't surprising, says Kerri Shafer-Page, vice president of DFIR at Arctic Wolf.

"Education is often underfunded and understaffed when it comes to cyber. And when you think about summer vacations and the staffing model, they often have very small IT departments. It's a perfect opportunity for attackers," she says.

To account for some of those shortcomings, Shafer-Page says, "Employees need to understand how they manage their credentials. These threat actors are looking for a way to move laterally and elevate their privileges. Once they elevate their privileges, it's game over. They can get into the crown jewels."