First emerging in April 2004, Fog is ransomware used in a multi-pronged extortion operation, leveraging a Tor-based dedicated leak site (DLS) to list victims and host the data of those who refuse to comply with the ransom demands.
A variant of the STOP/DJVU ransomware family that first arose three years prior, Fog tends to use compromised VPN credentials to breach network defenses. Once inside a victim environment, it uses techniques such as pass-the-hash attacks to elevate its privileges to admin level.
The group behind Fog attacks also performs a series of actions intended to disable cyber defenses: turning off protections, encrypting critical files such as virtual machine disks (VMDKs) early on, and deleting backups to prevent recovery. It typically appends the extension .FOG or .FLOCKED to encrypted files, and negotiates with victims over the encrypted Tor network.
Since it first arose, the Fog ransomware group has been ramping up its attacks. According to an intelligence report published by incident responders at Adlumin, the group has been targeting new, more lucrative verticals while becoming one of the more high-profile cybercrime organizations.
In its report, Adlumin noted one attempted attack by the Fog ransomware group in August 2024 on a mid-sized US financial services company, targeting data on endpoints running both Windows and Linux. Adlumin was able to thwart this attack using “decoy” files placed in the network to detect ransomware activity before encryption runs. This enabled the team to isolate the affected machines and lock out the attackers in minutes.
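As an added illustration of the decoy-file approach described above and the .FOG/.FLOCKED extensions noted earlier (example code, not Adlumin's or the article's), this Python sketch flags any operation touching a planted decoy file and a burst of renames to a Fog extension on a single host. The event format, paths, time window and rename threshold are constructed assumptions, not details from the report.

```python
from collections import defaultdict, deque, namedtuple

FOG_EXTENSIONS = (".fog", ".flocked")  # extensions named on the page
WINDOW_SECONDS = 60                    # assumed detection window
RENAME_BURST_THRESHOLD = 5             # assumed renames per host per window

# ts: seconds since epoch (constructed); path: for renames, the new path
FileEvent = namedtuple("FileEvent", "ts host op path")

def is_decoy(path, decoy_set):
    """True if path is a planted decoy, or a decoy that gained a Fog extension."""
    return path in decoy_set or any(
        path.endswith(ext) and path[: -len(ext)] in decoy_set for ext in FOG_EXTENSIONS)

def detect(events, decoys):
    """Return (severity, host, reason) alerts for decoy tampering and rename bursts."""
    alerts = []
    decoy_set = {d.lower() for d in decoys}
    recent = defaultdict(deque)  # host -> timestamps of recent Fog-extension renames
    for ev in sorted(events, key=lambda e: e.ts):
        p = ev.path.lower()
        # 1. Any operation touching a decoy is high confidence: nothing legitimate uses them.
        if is_decoy(p, decoy_set):
            alerts.append(("high", ev.host, f"decoy touched: {ev.op} {ev.path}"))
        # 2. A burst of renames to .FOG/.FLOCKED on one host within the window.
        if ev.op == "rename" and p.endswith(FOG_EXTENSIONS):
            q = recent[ev.host]
            q.append(ev.ts)
            while ev.ts - q[0] > WINDOW_SECONDS:   # drop timestamps outside the window
                q.popleft()
            if len(q) == RENAME_BURST_THRESHOLD:    # alert once when the threshold is hit
                alerts.append(("high", ev.host,
                               f"{len(q)} renames to a Fog extension within {WINDOW_SECONDS}s"))
    return alerts

# Constructed decoy paths and file events, not real telemetry.
DECOY_FILES = ["//fs01/share/~canary.docx", "//fs01/share/~canary.xlsx"]
SAMPLE_EVENTS = [
    FileEvent(100, "FS01", "modify", "//fs01/share/~canary.docx"),
    FileEvent(101, "FS01", "rename", "//fs01/share/q3-budget.xlsx.fog"),
    FileEvent(102, "FS01", "rename", "//fs01/share/payroll.pdf.fog"),
    FileEvent(103, "FS01", "rename", "//fs01/share/~canary.xlsx.fog"),
    FileEvent(104, "FS01", "rename", "//fs01/share/vm01.vmdk.fog"),
    FileEvent(105, "FS01", "rename", "//fs01/share/contracts.zip.FOG"),
    FileEvent(110, "WS02", "rename", "//ws02/users/report-final.docx"),  # benign rename
    FileEvent(111, "WS02", "rename", "//ws02/users/notes.txt.flocked"),  # single, below threshold
]

def run_sample():
    return detect(SAMPLE_EVENTS, DECOY_FILES)
```

Running `run_sample()` yields three alerts: the decoy modification, the decoy renamed with a .fog extension, and the five-rename burst on FS01; the isolated rename on WS02 stays below the threshold.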
In the course of its investigation, Adlumin traced the infiltration to an unprotected system with IP addresses originating in Moscow, although this does not necessarily prove the attackers' provenance.
It must be noted that before this attack, Fog ransomware had mainly targeted organizations in the education and recreation sectors. This particular attack has therefore understandably raised concerns that the attackers are now seeking higher-profile targets.
Adlumin also noted that there is currently no direct attribution to other established threat actors, suggesting that Fog likely originates from a new and highly skilled group.
Meanwhile, other researchers monitoring Fog, including the team at Arctic Wolf, observed that there is only a short interval between initial intrusion and encryption, which diverges from common practice in most ransomware scenarios. In an analysis published in June 2024, the Arctic Wolf team stated, “The threat actors appear more interested in a quick pay-out as opposed to exacting a more complex attack involving data exfiltration and a high-profile leak site,” although it should be noted that the gang does operate a leak site.
This observation appears to support Adlumin’s theory that the Fog ransomware group is now hunting more cash-rich targets. As such, enterprise security teams should take heed of the growing threat posed by Fog and focus on maintaining secure, off-site backup infrastructure in addition to standard defense-in-depth policies.