Arctic Wolf Sound Alarm on Emerging Ransomware Strain 'Fog'

The attacks were characterised by the use of compromised VPN credentials to gain access to victim environments
Cybersecurity company Arctic Wolf Labs is sounding the alarm after it discovered a new ransomware variant that is targeting specific industries

Cybersecurity company Arctic Wolf Labs is sounding the alarm over what it has recently identified as a new ransomware variant.

Dubbed "Fog," the ransomware has been actively targeting organisations in the US, particularly in the education and recreation sectors. The discovery, made in May but announced in June, has raised concern for the targeted sectors because of the sophistication of the attacks.

The Fog ransomware variant was first detected by Arctic Wolf Labs during several incident response cases. 

Fog's characteristics

The attacks were characterised by the use of compromised VPN credentials to gain initial access to victim environments, with remote access facilitated through two separate VPN gateway vendors.

The threat actors employed various techniques, including pass-the-hash activity, credential stuffing, and the deployment of PsExec to multiple hosts. They also utilised RDP/SMB to access targeted hosts and disabled Windows Defender on Windows Servers.
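The tradecraft listed above leaves a recognisable footprint in Windows event logs, and a hunt can be written against it without any Fog-specific signature. The script below is an added example for this article, not Arctic Wolf's tooling: it runs four heuristics over a set of constructed event records (not real telemetry): NTLM network logons as a pass-the-hash indicator (Security 4624, logon type 3, authentication package NTLM), credential stuffing as many distinct accounts failing from one source (Security 4625), PsExec's service install (System 7045 with service name PSEXESVC), and Defender real-time protection being turned off (Defender/Operational 5001). The threshold and rule names are assumptions for the example.

```python
"""Heuristic hunt over Windows event records for the tradecraft described
above: NTLM network logons (a pass-the-hash indicator), credential stuffing
(many accounts failing from one source), PsExec service installs and Windows
Defender real-time protection being switched off.

The event records below are constructed for illustration, not real telemetry.
Field names follow the Windows event schema; the threshold and rule names are
assumptions for this example, not vendor guidance.
"""
from collections import defaultdict

# Constructed sample events: one noisy source, one NTLM logon, PsExec, Defender off.
SAMPLE_EVENTS = [
    *({"Channel": "Security", "EventID": 4625, "IpAddress": "10.0.0.5",
       "TargetUserName": u} for u in ("alice", "bob", "carol", "dave", "erin")),
    {"Channel": "Security", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LogonProcessName": "NtLmSsp",
     "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup", "Computer": "FS01"},
    {"Channel": "Security", "EventID": 4624, "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LogonProcessName": "Kerberos",
     "IpAddress": "10.0.0.9", "TargetUserName": "alice", "Computer": "FS01"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "Computer": "FS01"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001,
     "Computer": "FS01"},
]

CRED_STUFF_THRESHOLD = 5  # distinct accounts failing from one source (assumed)


def hunt(events, threshold=CRED_STUFF_THRESHOLD):
    """Return a list of (rule, where, detail) findings in detection order."""
    findings = []
    failed_accounts = defaultdict(set)  # source IP -> accounts with failed logons
    for e in events:
        channel, event_id = e.get("Channel", ""), e.get("EventID")
        if channel == "Security" and event_id == 4625:
            failed_accounts[e.get("IpAddress")].add(e.get("TargetUserName"))
        elif (channel == "Security" and event_id == 4624
              and e.get("LogonType") == 3
              and e.get("AuthenticationPackageName") == "NTLM"):
            # Network logon authenticated with NTLM rather than Kerberos. Legitimate
            # in places, but in a Kerberos domain it is the classic pass-the-hash
            # footprint; triage by (source, account, host) rather than alerting blindly.
            findings.append(("ntlm_network_logon", e.get("Computer"),
                             f"{e.get('TargetUserName')} from {e.get('IpAddress')}"))
        elif (channel == "System" and event_id == 7045
              and e.get("ServiceName", "").upper() == "PSEXESVC"):
            # PsExec installs its service on the target; 7045 records the install.
            findings.append(("psexec_service_install", e.get("Computer"),
                             e.get("ImagePath")))
        elif channel.startswith("Microsoft-Windows-Windows Defender") and event_id == 5001:
            # 5001 in the Defender operational log: real-time protection disabled.
            findings.append(("defender_realtime_disabled", e.get("Computer"), ""))
    # Credential stuffing: one source cycling through many accounts.
    for source, accounts in failed_accounts.items():
        if len(accounts) >= threshold:
            findings.append(("credential_stuffing", source,
                             ", ".join(sorted(accounts))))
    return findings


if __name__ == "__main__":
    for rule, where, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {where:10} {detail}")
```

Each rule on its own is noisy; the value is in the combination on one host within a short window, which is why the findings carry the host or source so they can be joined. The Kerberos logon from a second source is deliberately left unflagged to show the NTLM rule does not fire on ordinary domain traffic.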

The ransomware also features a JSON-based configuration block that controls pre- and post-encryption activities, including the use of an embedded public key for encryption and the addition of specific file extensions (.FOG and .FLOCKED) to encrypted files. 

Notably, the threat actors did not exfiltrate data but focused on rapid encryption of virtual machine storage and demanded ransom payments for decryption.

The ransomware encryptor binary used by Fog exhibits common techniques seen in other ransomware variants, such as creating a log file (DbgLog.sys) in the %AppData% directory and referencing the NT API for system information. 
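The two on-disk artefacts the report attributes to Fog, the .FOG and .FLOCKED extensions on encrypted files and the DbgLog.sys file in %AppData%, are enough for a first-pass scoping sweep of a suspect host or a mounted datastore. The script below is an added example, not Arctic Wolf's tooling: build_sample_tree() lays down a constructed victim-like directory in a temporary folder so the scan runs offline, and scan_tree() walks a root, collects encrypted files, the log-file hit, and a per-directory count that gives a quick estimate of how far encryption got. The file names and layout in the sample tree are constructed.

```python
"""Scan a directory tree for the on-disk artefacts attributed to Fog above:
files renamed with the .FOG or .FLOCKED extension, and a DbgLog.sys file under
a user's AppData directory.

Added example, not Arctic Wolf's tooling. The sample tree is constructed in a
temporary directory so the scan runs offline; on a real host you would point
scan_tree() at the volume or mounted datastore to triage.
"""
import os
import shutil
import tempfile
from collections import Counter

ENCRYPTED_EXTENSIONS = {".fog", ".flocked"}  # from the report; matched case-insensitively
LOG_FILE_NAME = "dbglog.sys"                 # dropped under %AppData% per the report


def build_sample_tree():
    """Create a constructed victim-like tree and return its root (illustration only)."""
    root = tempfile.mkdtemp(prefix="fog_scan_")
    layout = {
        "Shares/finance/budget.xlsx.FOG": b"enc",        # encrypted, upper-case ext
        "Shares/finance/forecast.docx.flocked": b"enc",  # encrypted, lower-case ext
        "Shares/hr/readme.txt": b"plain",                # untouched
        "Users/alice/AppData/Roaming/DbgLog.sys": b"log",  # encryptor log file
        "Users/bob/Documents/notes.txt": b"plain",       # untouched
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def scan_tree(root):
    """Walk root; return encrypted files, log-file hits and per-directory counts."""
    encrypted, logs = [], []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if os.path.splitext(lower)[1] in ENCRYPTED_EXTENSIONS:
                encrypted.append(full)
                per_dir[os.path.relpath(dirpath, root)] += 1
            elif lower == LOG_FILE_NAME and "appdata" in dirpath.lower():
                # Only count DbgLog.sys where the report places it, under AppData.
                logs.append(full)
    return {"encrypted": sorted(encrypted), "logs": sorted(logs), "per_dir": dict(per_dir)}


def scan_sample():
    """Build the constructed tree, scan it, clean up, and return the result."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = scan_sample()
    print(f"{len(result['encrypted'])} encrypted files, {len(result['logs'])} log file(s)")
    for directory, count in result["per_dir"].items():
        print(f"  {directory}: {count}")
```

Run it against a read-only mount rather than the live system drive where possible, and record the encrypted-file list before any recovery step; the per-directory counts are what you hand to the business to explain scope.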


Proliferation of Ransomware

Ransomware attacks have seen a significant increase in recent years. A 2023 report revealed that ransomware attacks have doubled over the last two years, a trend attributed to advancements in AI that enable greater automation and sophistication in attacks. 

This has allowed even lower-level attackers to execute complex ransomware operations, contributing to the surge in incidents.

Strains currently circulated 

There are several strains of ransomware circulating. Although any of them can pose a threat, a handful stand out in the current landscape. Here are five of the most prominent:

Strains to be aware of
  • Lockbit3 - From January to June 2023, Lockbit3 was the most active ransomware group, responsible for 24% of all reported victims and over 500 attacks, a 20% increase from H1 2022. Operating as Ransomware-as-a-Service (RaaS), LockBit targets large enterprises and government entities globally, excluding Russia and other Commonwealth of Independent States countries. Mitigations include sandboxed browsers, NIST password standards, and email filters.
  • Clop Ransomware - Clop led over 100 attacks in the first five months of 2023, targeting various industries, especially those with revenues over US$5 million. The group has extorted over US$500 million in ransom payments. Following Clop’s exploitation of a zero-day flaw in the MOVEit Transfer app, the US State Department offered rewards for information linking Clop to foreign governments.
  • MalasLocker - Since its emergence in April 2023, MalasLocker has targeted over 170 victims, with 30% being Russian entities. The group primarily targets Zimbra users and demands charitable donations instead of traditional ransoms. Initially focusing on smaller organisations, MalasLocker may soon target larger entities.
  • ALPHV (BlackCat) - This strain is written in the Rust programming language, which complicates analysis and detection. This year, the group has breached airports, oil refineries, and other critical infrastructure. ALPHV is linked to the Darkside group and possibly the REvil cartel. Mitigations include reviewing domain controllers, servers, and antivirus logs for unrecognised activity.
  • Bianlian - Since June 2022, Bianlian has targeted US and Australian infrastructure sectors. The group uses valid RDP credentials and command-line scripting for system access and data exfiltration via FTP, Rclone, or Mega. CISA recommends limiting RDP use, disabling command-line activities, and updating PowerShell to mitigate threats.

Ransomware remedies

Although these represent some of the biggest threats, it's important to remember that approximately 34% of ransomware attacks are carried out by a long tail of other ransomware groups.

These include entities such as BlackBasta, Hive, and Conti, as well as numerous others that frequently change their names in an attempt to "rebrand."

Therefore, it's not enough to implement specific measures against certain strains. To safeguard against ransomware, organisations should implement robust cybersecurity measures across all areas: hardened remote access and VPN credentials, limited and monitored RDP and administrative tooling, and endpoint protection that cannot be silently disabled.

Cyber Magazine is a BizClik brand