Tue, Aug 20, 2024
In Q2 2024, the Kroll Cyber Threat Intelligence (CTI) Team observed an increase in activity around a new ransomware group named FOG. FOG was initially observed in May 2024, and since then has been heavily targeting higher educational institutions in the U.S. by exploiting compromised VPN credentials. Kroll's review of a recent FOG binary (1.exe) found no exfiltration or persistence mechanisms directly integrated. FOG is known to utilize third-party tools and cloud services for exfiltration during attacks, which have often led to double extortion to put more pressure on victims to pay the ransom . Double extortion is a tactic leveraged by threat actors where they both encrypt and exfiltrate data, increasing the likelihood that a victim will pay their ransom. At the time of writing, FOG operates a Data Leak Site where they threaten to post and eventually publish victims’ leaked data if a ransom is not paid.
Below are some key tactics, techniques and procedures (TTPs) the Kroll CTI Team has observed during investigations involving FOG ransomware:
FOG ransomware has been observed leveraging compromised VPN credentials or valid user credentials for initial access.
After breaching a network, FOG operators are observed abusing "pass-the-hash" attacks on administrator accounts. Further, brute forcing of user accounts, custom PowerShell scripts and extracting passwords from user browsers and NT Directory Service (NTDS.dit) are also utilized to escalate privileges.
To maintain persistence, the group establishes Remote Desktop Protocol (RDP) connections on Windows servers. FOG may also employ credential stuffing to hijack additional user accounts and even create new user accounts solely for persistence. They’ve also leveraged FileZilla and reverse SSH Shells to ensure a foothold on the system.
The group is known to deploy Metasploit and PsExec across multiple hosts. Kroll has also observed the use of Advanced Port Scanner, LOLBins, SharpShares and SoftPerfect Network Scanner to gather data.
On compromised Windows servers, the attackers disabled Windows Defender and multiple processes and services to avoid detection before deploying the ransomware.
FOG then leveraged Windows API calls to gather system information and terminate further specific processes and services. The ransomware encrypts a wide variety of files, including Virtual Machine Disks (VMDKs), and deletes backups from Veeam and Windows Volume Shadow copies before appending the .FOG or .FLOCKED extension to encrypted files.
Once the ransomware has been executed and files have been encrypted, a ransom note, typically named “readme.txt”, is left in affected directories to provide instructions on how to pay for decryption. The note includes a link to a Tor site for negotiations, which features a chat interface for discussing the ransom and providing proof of stolen files. Ransom demands vary and may reach multiple hundreds of thousands of dollars for larger organizations.
When exfiltrating data, the group has been known to leverage 7-Zip, third-party cloud services and WinRAR.
Our Malware Analysis and Reverse Engineering Team recently reviewed a Fog binary (1.exe). In this particular sample, no exfiltration or persistence mechanisms were observed integrated into the binary. The ransomware can be executed with a number of flags, such as:
Within the configuration file, several other values can be specified:
When executed, the malware goes through a few steps:
During execution, the encryption is handled via symmetric encryption. A symmetric key is generated at runtime, and this encryption key is subsequently encrypted using an asymmetric key. As a result of this process, the threat actor’s private key is necessary to recover the symmetric key for decryption. Function calls to accomplish this are largely handled by resolving functions via the Process Environment Block (PEB), allowing for functionality to be somewhat hidden as the pointers for each function can be resolved without directly referencing the API function.
Ransom notes named "readme.txt" are dropped within each directory containing encrypted files.
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Kroll’s Malware Analysis and Reverse Engineering team draws from decades of private and public-sector experience, across all industries, to deliver actionable findings through in-depth technical analysis of benign and malicious code.
World-renowned cyber investigators and leading technology fuel Kroll’s managed security services, augmenting security operations centres and incident response capabilities.
Proactively safeguard your organization’s digital assets and accelerate visibility of online threats.