MOXFIVE recently observed a new ransomware variant known as Fog Ransomware. Based on our experience with this new threat and recent public reports, here is what we know so far.
Key Highlights:
- The group(s) distributing Fog Ransomware remain unknown.
- The Education and Public sectors are the primary targets for the threat actor(s) deploying this ransomware variant.
- Recent cases put the initial access as compromised virtual private network (VPN) credentials.
- The Fog Ransomware incidents have been encryption-only. In some cases, impacted servers have suffered virtual disk level encryption. Encrypted files are tagged with the .FOG or .FLOCKED file extension, though the threat actor(s) can change this extension.
- Threat actor communication follows the traditional use of a .onion domain for anonymous communication.
MOXFIVE Mitigation Recommendations:
- Organizations should ensure Multifactor Authentication (MFA) is fully implemented and enforced for VPN. MFA thwarts many of the methods threat actors use to harvest VPN credentials, such as social engineering attacks, reused credentials from password lists, credential stuffing, and brute-force attacks.
- We also encourage businesses to set up alerts for, or outright block, the tools used by Fog Ransomware (PsExec, Metasploit, Advanced Port Scanner), and to establish stronger monitoring around PowerShell scripts used against Veeam.
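As an added illustration (not MOXFIVE tooling or code from the original post), the following Python script applies a few simple detection rules for the tools and behaviour named above to constructed process-creation log lines. The PSEXESVC service binary is PsExec's documented footprint; the Advanced Port Scanner, Metasploit and Veeam patterns are assumed heuristics, not vetted signatures.

```python
import re
from typing import Dict, List

# Constructed sample log lines in a simplified process-creation format
# (timestamp | host | image path | command line). These are NOT real
# telemetry from any incident; they exist only to exercise the rules.
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z|FS01|C:\\Windows\\PSEXESVC.exe|PSEXESVC.exe",
    "2024-06-01T10:02:13Z|WS07|C:\\Tools\\advanced_port_scanner.exe|advanced_port_scanner.exe /portable",
    "2024-06-01T10:05:40Z|BK01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -ep bypass -c \"Import-Module Veeam.Backup.PowerShell; Get-VBRBackup\"",
    "2024-06-01T10:06:02Z|WS03|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "2024-06-01T10:07:50Z|WS09|C:\\Users\\u\\msf.exe|msf.exe -p windows/meterpreter/reverse_tcp",
]

# Each rule is a case-insensitive regex applied to "image|command line".
# PSEXESVC is PsExec's well-known service binary; the remaining patterns are
# heuristic assumptions for this example and will not catch renamed binaries.
RULES = {
    "psexec_service": re.compile(r"psexesvc\.exe", re.I),
    "advanced_port_scanner": re.compile(r"advanced_port_scanner", re.I),
    "powershell_targeting_veeam": re.compile(r"powershell\.exe.*veeam", re.I),
    "metasploit_artifact": re.compile(r"meterpreter|msfvenom|msfconsole", re.I),
}


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited log line into its four fields."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def evaluate(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per (line, rule) match, preserving log order."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        haystack = f"{ev['image']}|{ev['cmdline']}"
        for name, pattern in RULES.items():
            if pattern.search(haystack):
                alerts.append({"rule": name, "host": ev["host"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(f"[{a['ts']}] {a['host']}: {a['rule']}")
```

In production these rules belong in the EDR or SIEM as properly tuned detections; the script only shows the shape of the matching logic.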
Fortunately, most of the clients we have worked with who were impacted by this ransomware variant had immutable cloud-based backups, which enabled us to expedite the recovery process. The threat actor(s) were unable to delete these backups, which allowed systems to be restored without a ransom payment. In addition, restoring from backups can lead to a significantly faster recovery time.
If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.