Arctic Wolf Sound Alarm on Emerging Ransomware Strain 'Fog'
Cybersecurity company Arctic Wolf Labs is sounding the alarm over what it has recently identified as a new ransomware variant.
Dubbed "Fog," which has been actively targeting organisations in the US, particularly within the education and recreation sectors, the discovery, made in May but announced in June, has raised concerns particularly for the sectors being targeted due to the sophisticated nature of the attacks.
The Fog ransomware variant was first detected by Arctic Wolf Labs during several incident response cases.
Fog's characteristics
The attacks were characterised by the use of compromised VPN credentials to gain access to victim environments, with remote access facilitated through two separate VPN gateway vendors
The threat actors employed various techniques, including pass-the-hash activity, credential stuffing, and the deployment of PsExec to multiple hosts. They also utilised RDP/SMB to access targeted hosts and disabled Windows Defender on Windows Servers.
The ransomware also features a JSON-based configuration block that controls pre- and post-encryption activities, including the use of an embedded public key for encryption and the addition of specific file extensions (.FOG and .FLOCKED) to encrypted files.
Notably, the threat actors did not exfiltrate data but focused on rapid encryption of VM storage data and demanded ransom payments for decryption.
The ransomware encryptor binary used by Fog exhibits common techniques seen in other ransomware variants, such as creating a log file (DbgLog.sys) in the %AppData% directory and referencing the NT API for system information.
Proliferation of Ransomware
Ransomware attacks have seen a significant increase in recent years. A 2023 report revealed that ransomware attacks have doubled over the last two years, a trend attributed to advancements in AI that enable greater automation and sophistication in attacks.
This has allowed even lower-level attackers to execute complex ransomware operations, contributing to the surge in incidents.
Strains currently circulated
There are several strains of ransomware floating around in the ecology of the cybersecurity sphere. Although all can pose a threat, there are particular significant threats in the cybersecurity landscape. Here are five of the most prominent:
- Lockbit3 - From January to June 2023, Lockbit3 was the most active ransomware group, responsible for 24% of all reported victims and over 500 attacks, a 20% increase from H1 2022. Operating as Ransomware-as-a-Service (RaaS), LockBit targets large enterprises and government entities globally, excluding Russia and other Commonwealth of Independent States. Mitigations include sandboxed browsers, NIST password standards, and email filters.
- Clop Ransomware - Clop led over 100 attacks in the first five months of 2023, targeting various industries, especially those with revenues over US$5 million. The group has extorted over US$500 million in ransom payments. Following Clop’s exploitation of a zero-day flaw in the MOVEit Transfer app, the US State Department offered rewards for information linking Clop to foreign governments.
- MalasLocker - Since its emergence in April 2023, MalasLocker has targeted over 170 victims, with 30% being Russian entities. The group primarily targets Zimbra users and demands charitable donations instead of traditional ransoms. Initially focusing on smaller organisations, MalasLocker may soon target larger entities.
- ALPHV (BlackCat) - This strain uses the Rust programming language, complicating ransomware attacks. This year, the group has breached airports, oil refineries, and other critical infrastructure. ALPHV is linked to the Darkside group and possibly the REvil cartel. Mitigations include reviewing domain controllers, servers, and antivirus logs for unrecognised activities.
- Bianlian - Since June 2022, Bianlian has targeted US and Australian infrastructure sectors. The group uses valid RDP credentials and command-line scripting for system access and data exfiltration via FTP, Rclone, or Mega. CISA recommends limiting RDP use, disabling command-line activities, and updating PowerShell to mitigate threats.
Ransomware remedies
Although these represent some of the biggest threats, it's important to remember that approximately 34% of ransomware attacks are carried out by a variety of ransomware groups.
These include entities such as BlackBasta, Hive, and Conti, as well as numerous others that frequently change their names in an attempt to "rebrand."
Therefore, it's not enough to implement specific measures against certain strains. To safeguard against ransomware threats, organisations should implement robust cybersecurity measures across all areas to insure safety.
******
Make sure you check out the latest edition of Cyber Magazine and also sign up to our global conference series - Tech & AI LIVE 2024
******
Cyber Magazine is a BizClik brand