A new ransomware strain has been detected using compromised VPN credentials to access their victims’ endpoints.
Researchers at Arctic Wolf, who started tracking the ransomware variant in early May 2024, named it Fog, with its victims mostly educational organizations in the US, with other notable examples falling in the recreation industry.
So far, Arctic Wolf observed the attackers using compromised VPN credentials from at least two gateway vendors: “In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials,” Arctic Wolf explained. “Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024.”
Stealing data
After compromising the network, the attackers try to gain access to valuable accounts, including those capable of establishing Remote Desktop Protocol (RDP) connections. Then, they look to disable Windows Defender and set the ground for the deployment of the encryptor.
Fog will also encrypt VMDK files in Virtual Machine (VM) storage, and will delete backups from object storage in Veeam and Windows volume shadow copies. The encrypted files carry the .FOG extension. Finally, the ransomware will drop a note, instructing the victims on how to get in touch and try to decrypt the system.
Arctic Wolf did not find evidence of the threat actors exfiltrating sensitive data before running the encryptor, but BleepingComputer says this is the case. In fact, the ransom note contains a link to a Tor dark website where the threat actors share samples of stolen data with the victims, proving that they had, in fact, grabbed sensitive files.
