Lost in the Fog: A New Ransomware Threat – Arctic Wolf

Arctic Wolf Labs tracked Fog, a ransomware variant first seen in May 2024 against U.S. education and recreation organizations; the cases showed fast encryption and little evidence of data exfiltration. The operators gained entry with compromised VPN credentials, moved laterally over RDP/SMB with PsExec, disabled Windows Defender on servers, encrypted VM storage, deleted Veeam backups and volume shadow copies, and left ransom notes. Hashtags: #FogRansomware #ArcticWolfLabs #EducationSector #RecreationSector #PsExec #RDP #Veeam

Keypoints

  • Fog ransomware emerged in May 2024 and was observed across several Arctic Wolf Incident Response cases; every victim was a U.S. organization, 80% in the education sector and 20% in recreation.
  • Arctic Wolf distinguishes Fog as a ransomware variant rather than a single group; the exact organizational structure behind Fog remains unknown.
  • Initial access was achieved via compromised VPN credentials across two VPN gateway vendors, highlighting external remote services as an entry vector.
  • Credential theft and reuse facilitated movement: pass-the-hash, credential stuffing, and lateral movement using RDP/SMB, with PsExec deployed for cross-host execution.
  • Windows Defender was disabled on affected servers; attackers encrypted VM storage (VMDK) and deleted backups from Veeam, leaving ransom notes with a consistent format.
  • The ransomware payload includes configurable options (RSAPubKey, LockedExt, NotefileName) and creates DbgLog.sys for logging; volume shadow copies are deleted to hinder recovery.

MITRE Techniques

  • [T1133] External Remote Services – Initial access through the victims' VPN gateways. ‘threat actors were able to access victim environments by leveraging compromised VPN credentials.’
  • [T1078] Valid Accounts – The VPN logins used legitimate, previously compromised credentials rather than an exploit. ‘Compromised VPN Credentials.’
  • [T1046] Network Service Discovery – Internal scanning with off-the-shelf network scanners. ‘SoftPerfect Network Scanner • Advanced Port Scanner’
  • [T1135] Network Share Discovery – Enumeration of reachable SMB shares. ‘SharpShares’
  • [T1021] Remote Services – Lateral movement over built-in Windows remote services. ‘Remote Services’
  • [T1021.001] Remote Desktop Protocol – Interactive access to hosts over RDP. ‘Remote Desktop Protocol’
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement through the administrative shares (C$, ADMIN$). ‘SMB/Windows Admin Shares’
  • [T1570] Lateral Tool Transfer – PsExec, which copies its service binary (psexesvc.exe) to the target's ADMIN$ share before starting it. ‘PsExec’
  • [T1003.003] OS Credential Dumping: NTDS – Extraction of domain credentials from the Active Directory database (NTDS.dit). ‘NTDS’
  • [T1555] Credentials from Password Stores – Recovery of stored passwords from the Veeam credential manager. ‘PowerShell script (Veeam-Get-Creds.ps1) to obtain passwords from the Veeam Backup and Replication Credentials Manager’
  • [T1110.004] Brute Force: Credential Stuffing – Replay of previously leaked username/password pairs against exposed services. ‘Credential Stuffing’
  • [T1136.001] Create Account: Local Account – Persistence through a newly created local administrator account. ‘Local Account (Administrator)’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Execution through cmd.exe. ‘Windows Command Shell’
  • [T1569.002] System Services: Service Execution – Remote execution through the PsExec service. ‘Service Execution (PsExec)’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Windows Defender/AV disabled on affected servers. ‘Disable or Modify Tools (Windows Defender/AV)’
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – Authentication with stolen NTLM hashes instead of cleartext passwords. ‘Pass the Hash’
  • [T1140] Deobfuscate/Decode Files or Information – Decoding of obfuscated payloads or scripts before use; the report lists the technique without further detail. ‘Deobfuscate/Decode Files or Information’
  • [T1070.004] Indicator Removal: File Deletion – Deletion of tooling and artifacts to hinder forensics. ‘File Deletion’
  • [T1486] Data Encrypted for Impact – Files encrypted and renamed with the .FOG/.FLOCKED extensions. ‘Data Encrypted for Impact’
  • [T1490] Inhibit System Recovery – Volume shadow copies deleted with vssadmin.exe, alongside the deletion of Veeam backups. ‘vssadmin.exe used to delete volume shadow copies on the system’
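The behaviours above map directly onto process-creation telemetry. The following hunt is an added example (not Arctic Wolf's code and not part of the report): it runs a small rule set over constructed records modelled on Sysmon Event ID 1 fields (Computer, Image, CommandLine); the field names and sample events are assumptions, and the rules only encode tool and command names the report itself cites.

```python
"""Added example (not Arctic Wolf's code): behavioural hunt for Fog tradecraft
over process-creation records. Record fields (modelled on Sysmon Event ID 1)
and the sample events below are constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    technique: str
    rule: str
    host: str
    command_line: str


# (MITRE ID, label, pattern). Each pattern is applied to "Image CommandLine"
# so a renamed binary or an odd argument order is still caught.
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1569.002", "PsExec service execution",
     re.compile(r"\b(psexec(64)?|psexesvc)\.exe\b", re.I)),
    ("T1555", "Veeam credential manager dump script",
     re.compile(r"veeam-get-creds\.ps1", re.I)),
    ("T1046", "network/port scanner execution",
     re.compile(r"\b(advanced_port_scanner|netscan)\.exe\b", re.I)),
    ("T1135", "SharpShares share enumeration",
     re.compile(r"\bsharpshares(\(\d+\))?\.exe\b", re.I)),
]


def hunt(events):
    """Return one Hit per (event, rule) match; an event may trigger several rules."""
    hits = []
    for ev in events:
        haystack = f"{ev.get('Image', '')} {ev.get('CommandLine', '')}"
        for technique, label, pattern in RULES:
            if pattern.search(haystack):
                hits.append(Hit(technique, label, ev.get("Computer", "?"),
                                ev.get("CommandLine", "")))
    return hits


def techniques_seen(events):
    """Sorted set of MITRE IDs observed, for a quick kill-chain summary."""
    return sorted({h.technique for h in hunt(events)})


# Constructed sample events (hostnames, paths and arguments are invented).
SAMPLE_EVENTS = [
    {"Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Computer": "FS01", "Image": r"C:\Windows\psexesvc.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"Computer": "BKP01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -f C:\Temp\Veeam-Get-Creds.ps1"},
    {"Computer": "WS07", "Image": r"C:\Users\admin\Downloads\advanced_port_scanner.exe",
     "CommandLine": "advanced_port_scanner.exe"},
    {"Computer": "WS07", "Image": r"C:\Users\admin\Downloads\sharpshares(1).exe",
     "CommandLine": "sharpshares(1).exe"},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},   # benign: lists, does not delete
    {"Computer": "WS09", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.technique}] {h.host}: {h.rule} :: {h.command_line}")
```

The shadow-copy rule deliberately requires both `delete` and `shadows`, so routine `vssadmin list shadows` from backup agents does not fire; in a real deployment the PsExec rule should be paired with the parent process and the user, since legitimate administrators use the same tool.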

Indicators of Compromise

  • [SHA1] context – Fog ransomware binaries identified across multiple cases: f7c8c60172f9ae4dab9f61c28ccae7084da90a06, 507b26054319ff31f275ba44ddc9d2b5037bd295, and other hashes
  • [Filename] context – Ransom note and related artifacts: readme.txt, DbgLog.sys, and PsExec (psexesvc.exe)
  • [File Extension] context – Encrypted files with .FOG and .FLOCKED extensions
  • [IP Address] context – 5.230.33[.]176, 77.247.126[.]200, and 107.161.50[.]26 (used to login to VPN appliances)
  • [Hostname] context – Hostnames of the threat actor's systems: DESKTOP-7G1IC87, Kali, VPS65CCB8B75352, PACKERP-VUDV41R
  • [Filename] context – Additional IoCs: Advanced Port Scanner executable (advanced_port_scanner.exe), SharpShares (sharpshares(1).exe), and Netscan (netscan.exe)
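The indicators above are atomic and cheap to sweep for. The following matcher is an added example (not from the report): it refangs the published IPs, compares VPN authentication and file records against the hashes, hostnames, filenames and extensions listed, and adds a per-host burst count so that a single readme.txt is not treated as proof of compromise. The record layouts and all sample records are constructed assumptions; only indicator values quoted above are used.

```python
"""Added example (not Arctic Wolf's code): match the published Fog IoCs against
VPN authentication and file-system records. Record fields and sample data are
constructed assumptions; only indicator values from the report are used."""
from collections import Counter

# Published indicators, kept defanged exactly as listed in the report.
FOG_SHA1 = {
    "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",
    "507b26054319ff31f275ba44ddc9d2b5037bd295",
}
FOG_VPN_IPS_DEFANGED = {"5.230.33[.]176", "77.247.126[.]200", "107.161.50[.]26"}
FOG_ACTOR_HOSTNAMES = {"desktop-7g1ic87", "kali", "vps65ccb8b75352", "packerp-vudv41r"}
FOG_FILENAMES = {"readme.txt", "dbglog.sys", "psexesvc.exe",
                 "advanced_port_scanner.exe", "sharpshares(1).exe", "netscan.exe"}
FOG_EXTENSIONS = (".fog", ".flocked")


def refang(ioc: str) -> str:
    """Undo the '[.]' defanging used in published IoCs so values compare to raw logs."""
    return ioc.replace("[.]", ".")


FOG_VPN_IPS = {refang(ip) for ip in FOG_VPN_IPS_DEFANGED}


def check_vpn_login(rec: dict) -> list:
    """VPN login record {'src_ip', 'client_hostname', 'user'}; returns match reasons."""
    reasons = []
    if rec.get("src_ip") in FOG_VPN_IPS:
        reasons.append(f"source IP {rec['src_ip']} was used for Fog VPN logins")
    if rec.get("client_hostname", "").lower() in FOG_ACTOR_HOSTNAMES:
        reasons.append(f"client hostname {rec['client_hostname']} is a known actor host")
    return reasons


def check_file(rec: dict) -> list:
    """File record {'host', 'path', optional 'sha1'}; returns match reasons."""
    name = rec.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if rec.get("sha1", "").lower() in FOG_SHA1:
        reasons.append("SHA1 matches a known Fog binary")
    if name in FOG_FILENAMES:
        reasons.append(f"filename {name} is a Fog artifact or tool")
    if name.endswith(FOG_EXTENSIONS):
        reasons.append("extension marks the file as Fog-encrypted")
    return reasons


def hosts_with_encryption_burst(file_records, threshold: int = 10) -> dict:
    """Hosts with at least `threshold` files carrying a Fog extension.
    One readme.txt is weak evidence; many renamed files on one host is not."""
    counts = Counter(
        r["host"] for r in file_records
        if r.get("path", "").lower().endswith(FOG_EXTENSIONS)
    )
    return {host: n for host, n in counts.items() if n >= threshold}


# Constructed sample records (users, paths and the non-IoC IPs are invented;
# 203.0.113.0/24 is the RFC 5737 documentation range).
SAMPLE_VPN_LOGINS = [
    {"src_ip": "5.230.33.176", "client_hostname": "DESKTOP-7G1IC87", "user": "jdoe"},
    {"src_ip": "203.0.113.10", "client_hostname": "LAPTOP-HR22", "user": "asmith"},
    {"src_ip": "203.0.113.44", "client_hostname": "kali", "user": "svc_backup"},
]
SAMPLE_FILES = [
    {"host": "FS01", "path": r"C:\Users\Public\readme.txt"},
    {"host": "FS01", "path": r"C:\Temp\DbgLog.sys"},
    {"host": "FS01", "path": r"C:\Temp\locker.exe",
     "sha1": "f7c8c60172f9ae4dab9f61c28ccae7084da90a06"},
    {"host": "FS01", "path": r"D:\Shares\Finance\budget.xlsx.fog"},
    {"host": "FS01", "path": r"D:\Shares\Finance\q3.docx.FOG"},
    {"host": "WS02", "path": r"C:\Users\bob\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rec in SAMPLE_VPN_LOGINS:
        for reason in check_vpn_login(rec):
            print(f"VPN {rec['user']}: {reason}")
    for rec in SAMPLE_FILES:
        for reason in check_file(rec):
            print(f"FILE {rec['host']} {rec['path']}: {reason}")
    print("encryption burst:", hosts_with_encryption_burst(SAMPLE_FILES, threshold=2))
```

Hash matches are the strongest signal and the IPs the most perishable; the filename set is noisy (readme.txt in particular), so treat it as corroboration for the VPN-source and extension-burst findings rather than as an alert on its own, and raise the burst threshold to fit the host's normal rename rate.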

Read more: https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/