A new strain of ransomware has been detected that uses compromised VPN credentials to access its victims' endpoints.
Arctic Wolf researchers, who began tracking the ransomware variant in early May 2024, named it Fog; its victims are mostly educational organizations in the US, with other notable examples in the recreation industry.
So far, Arctic Wolf observed that attackers were using compromised VPN credentials from at least two gateway providers: “In each of the cases investigated, forensic evidence indicated that threat actors were able to access victims' environments exploiting compromised VPN credentials,” Arctic Wolf explained. “Notably, remote access occurred through two independent VPN gateway providers. The last documented threat activity in our cases occurred on May 23, 2024.”
Steal data
After compromising the network, attackers attempt to gain access to valuable accounts, including those capable of establishing Remote Desktop Protocol (RDP) connections. Next, they look to disable Windows Defender and lay the groundwork for implementing encryption.
Fog will also encrypt VMDK files on virtual machine (VM) storage and delete object storage backups on Veeam and Windows volume shadow copies. Encrypted files have the .FOG extension. Finally, the ransomware will drop a note, instructing victims on how to get in touch and attempt to decrypt the system.
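The behaviours described above (Defender being disabled, volume shadow copies being deleted, files renamed to the .FOG extension) are exactly what an endpoint detection pass should correlate per host. The following is an added example written for this article, not Arctic Wolf's code or anything from the ransomware itself; the `host|source|event_id|detail` log format and every sample line are constructed. It uses two real event IDs (Microsoft Defender Antivirus operational log Event ID 5001, "Real-time protection is disabled", and Sysmon Event IDs 1 and 11 for process and file creation) and matches shadow-copy deletion on the common vssadmin/wmic command lines used in public T1490 detection rules; the threshold of five .FOG files is an arbitrary choice.

```python
"""Per-host correlation of the three Fog behaviours named in the article.

Added example: not from the article or Arctic Wolf. Log format and
sample lines are constructed to look like flattened EDR/Sysmon output.
"""
import re
from collections import defaultdict

DEFENDER_RTP_DISABLED = 5001          # Defender AV operational log: real-time protection disabled
SYSMON_PROCESS_CREATE = 1
SYSMON_FILE_CREATE = 11

# Shadow-copy deletion command lines used by most public T1490 detection rules
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
FOG_EXT = re.compile(r"\.fog$", re.I)   # the article reports the .FOG extension

# Constructed sample telemetry: "host|source|event_id|detail"
SAMPLE_LOGS = [
    "ws-12|Defender|5001|Real-time protection is disabled.",
    "ws-12|Sysmon|1|CommandLine: vssadmin.exe delete shadows /all /quiet",
    "ws-12|Sysmon|11|FileCreate: C:\\Users\\a\\Documents\\budget.xlsx.fog",
    "ws-12|Sysmon|11|FileCreate: C:\\Users\\a\\Documents\\roster.docx.FOG",
    "ws-12|Sysmon|11|FileCreate: C:\\Users\\a\\Desktop\\notes.txt.fog",
    "ws-12|Sysmon|11|FileCreate: C:\\Shared\\grades.csv.fog",
    "ws-12|Sysmon|11|FileCreate: C:\\Shared\\photo.jpg.fog",
    "srv-01|Sysmon|11|FileCreate: C:\\Logs\\app-2024-05-23.log",
    "srv-01|Sysmon|1|CommandLine: vssadmin.exe list shadows",
    "ws-07|Sysmon|11|FileCreate: C:\\Users\\b\\Downloads\\weather.fog",
]


def parse_line(line):
    """Split one flattened record into its fields (event_id as int)."""
    host, source, event_id, detail = line.split("|", 3)
    return {"host": host, "source": source, "event_id": int(event_id), "detail": detail}


def scan(lines, fog_threshold=5):
    """Return {host: [finding, ...]} for hosts showing any of the three behaviours."""
    findings = defaultdict(list)
    fog_counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        host = ev["host"]
        if ev["source"] == "Defender" and ev["event_id"] == DEFENDER_RTP_DISABLED:
            findings[host].append("defender_realtime_disabled")
        elif ev["source"] == "Sysmon" and ev["event_id"] == SYSMON_PROCESS_CREATE:
            if SHADOW_DELETE.search(ev["detail"]):
                findings[host].append("shadow_copy_deletion")
        elif ev["source"] == "Sysmon" and ev["event_id"] == SYSMON_FILE_CREATE:
            path = ev["detail"].split("FileCreate: ", 1)[-1]
            if FOG_EXT.search(path):
                fog_counts[host] += 1
                # Fire once, when the burst reaches the threshold (a single .fog file is noise)
                if fog_counts[host] == fog_threshold:
                    findings[host].append("fog_extension_burst")
    return dict(findings)


def triage(findings):
    """Hosts ordered by number of distinct behaviours; all three is the strongest signal."""
    return sorted(findings, key=lambda h: len(set(findings[h])), reverse=True)


if __name__ == "__main__":
    result = scan(SAMPLE_LOGS)
    for host in triage(result):
        print(host, sorted(set(result[host])))
```

Run as-is, the script flags only `ws-12`, which shows all three behaviours; `srv-01` merely lists shadow copies and `ws-07` has a single .fog file, so neither is reported. In production the same correlation would run over real Defender and Sysmon channels, with the .FOG burst threshold tuned to the environment's normal file-creation rate.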
Arctic Wolf found no evidence that threat actors extracted sensitive data before running the encryptor, but BleepingComputer says this is the case. In fact, the ransom note contains a link to a Tor dark web site where the threat actors share samples of stolen data with victims, proving that they had indeed captured sensitive files.