Fog Ransomware Targets US Organizations Using Compromised VPN Credentials

A new ransomware variant known as Fog has emerged as a notable threat to organizations in the education and recreation sectors across the United States.

Overview of the Threat

Starting in early May 2024, Arctic Wolf Labs began monitoring Fog ransomware in multiple incident response cases. Approximately 80 percent of affected organizations operate in education, while 20 percent belong to the recreation sector. All victims were located in the United States, indicating a geographically focused campaign.

Unlike traditional ransomware groups, Fog represents a software variant rather than a distinct hacking group. This distinction highlights that while the malware is standardized, multiple independent affiliate teams may conduct attacks, complicating attribution and response.

Evidence suggests that threat actors behind Fog coordinate their efforts, though the organizational structure remains unclear. The most recent documented activity in the investigated cases occurred on May 23, 2024, providing a timeline for defensive measures.

Initial Access via Compromised VPNs

Arctic Wolf analysts determined that attackers gained initial access by exploiting compromised VPN credentials across two different VPN gateway vendors. This method served as the primary entry point, underscoring vulnerabilities in remote access security.

Attack Methodology and Infection Mechanisms

Once inside networks, attackers employed a multi-stage process combining penetration testing tactics with ransomware deployment:

  • Pass-the-hash attacks targeted administrator accounts, enabling RDP connections to Windows Servers running Hyper-V and Veeam backup systems.
  • Credential stuffing facilitated lateral movement throughout victim networks.
  • PsExec was used to execute commands across multiple hosts, while RDP and SMB protocols provided system access.
  • Windows Defender was disabled on affected servers prior to encryption, removing a critical defense layer.

The ransomware payload exhibits common behaviors seen in other variants. Each sample creates a file named DbgLog.sys in the %AppData% directory to log activity. Initialization routines reference NTDLL.DLL and NtQuerySystemInformation to gather system data for thread allocation.

Command-line options include:

  • NOMUTEX – Allows concurrent execution
  • TARGET – Specifies discovery locations
  • CONSOLE – Displays output

A JSON configuration block controls encryption, including the RSA public key, file extensions (typically .FOG or .FLOCKED), ransom note names, and service shutdown instructions. File discovery uses Windows APIs like FindFirstVolume and FindFirstFile with Unicode variants.

The encryption routine uses a thread pool scaled to system processors, ranging from two to sixteen, and applies CryptImportKey and CryptEncrypt before renaming files and writing ransom notes. Finally, vssadmin.exe delete shadows /all /quiet removes volume shadow copies, preventing backup recovery.
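Two of the host artifacts described above (the DbgLog.sys file written under %AppData% and the vssadmin shadow-copy deletion) are simple to turn into detection logic. The following is an added example, not code from Arctic Wolf or from the Fog samples; it runs over constructed process-creation and file-creation log lines in an assumed key=value layout, so the field names would need mapping to whatever your EDR or Sysmon pipeline emits.

```python
import re

# Constructed sample telemetry (not real Fog logs); the "event=... key=value"
# layout is an assumption of this example, not a vendor format.
SAMPLE_LOGS = [
    r'event=ProcessCreate image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet" parent=C:\Users\alice\AppData\Roaming\locker.exe',
    r'event=FileCreate image=C:\Users\alice\AppData\Roaming\locker.exe target=C:\Users\alice\AppData\Roaming\DbgLog.sys',
    r'event=ProcessCreate image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt" parent=C:\Windows\explorer.exe',
    r'event=FileCreate image="C:\Program Files\App\app.exe" target=C:\Users\alice\Documents\notes.txt',
]

# Shadow-copy deletion exactly as observed in the Fog cases; case-insensitive and
# whitespace-tolerant so minor command-line variations still match.
SHADOW_DELETE = re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet', re.I)
# DbgLog.sys written anywhere below a user's AppData tree (%AppData% resolves there).
DBGLOG_APPDATA = re.compile(r'\\AppData\\.*\\DbgLog\.sys$', re.I)

RULES = [
    ("fog_shadow_copy_deletion",
     lambda f: f.get("event") == "ProcessCreate"
     and bool(SHADOW_DELETE.search(f.get("cmdline", "")))),
    ("fog_dbglog_in_appdata",
     lambda f: f.get("event") == "FileCreate"
     and bool(DBGLOG_APPDATA.search(f.get("target", "")))),
]


def parse_line(line):
    """Split a log line into key/value pairs; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def evaluate(lines):
    """Return (rule_name, image) for every line that trips a rule."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for name, check in RULES:
            if check(fields):
                hits.append((name, fields.get("image")))
    return hits


if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_LOGS):
        print(f"ALERT {rule}: {image}")
```

The first rule fires on the backup-destruction step, which is the last chance to interrupt the chain before recovery options are gone; the second catches the logging artifact, which the text notes every sample creates.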

Tools Observed in Attacks

  • PsExec – Execute processes on other systems for lateral movement
  • Metasploit – Penetration testing framework detected against Veeam servers
  • SoftPerfect Network Scanner – Identify network services across targeted systems
  • Advanced Port Scanner – Discover accessible network services
  • SharpShares v2.3 – Enumerate accessible network shares
  • Veeam-Get-Creds.ps1 – Extract passwords from Veeam Backup and Replication Credentials Manager

Mitigation and Defense Recommendations

Organizations are advised to:

  • Secure VPN infrastructure and enforce multi-factor authentication
  • Maintain offline and off-site backup systems
  • Deploy defense-in-depth strategies across endpoints and servers

The campaign appears financially motivated, with rapid encryption and no evidence of data exfiltration. This suggests attackers aim for quick ransom payouts rather than complex extortion schemes using public leak sites.
