New FOG Ransomware Hits U.S. Schools with Double-Extortion Tactics

Discover how Fog ransomware exploits VPNs to breach U.S. schools, using advanced techniques and double-extortion tactics to demand hefty ransoms.

08-Jun-2024
6 min read

The Fog ransomware operation emerged in early May 2024, targeting educational institutions in the U.S. Arctic Wolf Labs discovered the operation and noted its use of compromised VPN credentials to breach networks. Although data theft was not observed in the initial cases, Fog ransomware relies on double-extortion tactics, leveraging stolen data to pressure victims into paying ransoms.

Initial Access and Compromised VPN Credentials

Compromised VPN Credentials

Fog operators gain initial access via compromised VPN credentials from two different VPN gateway vendors. This access method is crucial for infiltrating victim networks. Forensic evidence from Arctic Wolf Labs indicates threat actors accessed environments by leveraging these compromised credentials, with the last known activity on May 23, 2024.

Pass-the-Hash and Credential Stuffing

After gaining access, Fog operators employ "pass-the-hash" attacks on administrator accounts to establish RDP connections to Windows servers running Hyper-V. In other instances, credential stuffing is used to hijack valuable accounts. PsExec is then deployed across multiple hosts to facilitate further penetration.

Disabling Defenses and Encryption

Disabling Windows Defender

On Windows servers, Fog operators disable Windows Defender to prevent detection and alerts. This step is crucial to avoid early detection and ensure successful encryption of files.

System Information and Multi-Threaded Encryption

The ransomware gathers system information via Windows API calls, such as the number of logical processors. This data is used to allocate threads for a multi-threaded encryption routine. The ransomware terminates a list of processes and services from a hardcoded configuration before starting encryption.

Encryption Process

Fog ransomware targets VMDK files in VM storage, deletes backups from Veeam, and removes Windows volume shadow copies to hinder recovery. Encrypted files are appended with the '.FOG' or '.FLOCKED' extension, configurable via a JSON-based configuration block.

Ransom Note and Negotiation

Ransom Note Creation

A ransom note named "readme.txt" is created in impacted directories, providing payment instructions. The note includes a link to a Tor dark website for negotiation, featuring a basic chat interface for victims to discuss ransom demands and view stolen files.

Tor Negotiation Site

The same Tor site is used for both the '.FOG' and '.FLOCKED' extensions. In observed attacks, ransom demands reached hundreds of thousands of dollars and could be higher for larger organizations.

Technical Details and Indicators of Compromise

Ransomware Payload Analysis

The Fog encryptor binary exhibits common techniques seen in other ransomware variants. It creates a log file, DbgLog.sys, in the %AppData% directory, documenting status and error conditions during execution.

Initialization Routine

During initialization, the ransomware references NTDLL.DLL and the NtQuerySystemInformation function to gather system information, particularly the number of logical processors. This step is vital for configuring the encryption thread pool.

Command Line Arguments

The ransomware checks for specific command line arguments:

  • NOMUTEX: Allows multiple instances of the ransomware to run simultaneously.
  • TARGET: Specifies the location to begin encryption.
  • CONSOLE: Creates a new console window for output and error display.

JSON-Based Configuration

The ransomware uses a JSON-based configuration block for customization, including:

  • RSAPubKey: Embedded public key for encryption.
  • LockedExt: Post-encryption file extension.
  • NotefileName: Name of the ransom note.
  • ShutdownProcesses and ShutdownServices: Lists of processes and services to terminate before encryption.

Encryption Routine

Using gathered system information, the ransomware configures a thread pool for file encryption. It uses deprecated Windows APIs CryptImportKey and CryptEncrypt during the process. After encryption, it appends the configured file extension and creates the ransom note.

Deletion of Volume Shadow Copies

The ransomware deletes volume shadow copies using the command:

vssadmin.exe delete shadows /all /quiet

This ensures that all shadow copies are deleted silently, preventing recovery.
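The following is an added detection example, not code from the original article or from Arctic Wolf. It runs a small T1490 rule over constructed process-creation events (Sysmon Event ID 1 style fields; host names, users and command lines are made up for the example). It normalizes case and argument order so that `vssadmin delete shadows /quiet /all` launched through `cmd.exe` still matches, and as a generalization beyond the article it also flags the equivalent `wmic shadowcopy delete` command, which is a well-known alternative for the same technique.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are not from the article; they exist only to exercise the rule below.
SAMPLE_EVENTS = [
    {"host": "hv-01", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "hv-01", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "VSSADMIN Delete Shadows /Quiet /All"'},
    {"host": "fs-02", "user": "CORP\\backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"host": "fs-02", "user": "CORP\\svc",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Patterns are applied to the lower-cased command line so that casing and
# flag order (/all /quiet vs /Quiet /All) do not matter. The wmic rule is an
# assumption added here as a generalization; the article only names vssadmin.
SHADOW_DELETE_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
}


def detect_shadow_copy_deletion(event):
    """Return a finding dict if the event's command line deletes shadow copies, else None."""
    cmd = event["cmdline"].lower()
    for rule_name, pattern in SHADOW_DELETE_PATTERNS.items():
        if pattern.search(cmd):
            return {
                "technique": "T1490 Inhibit System Recovery",
                "rule": rule_name,
                "host": event["host"],
                "user": event["user"],
                # Extra context for the analyst: were all copies targeted, and silently?
                "all_shadows": "/all" in cmd,
                "quiet": "/quiet" in cmd,
            }
    return None


def scan_events(events):
    """Run the rule over a list of events and return the findings in order."""
    return [f for f in (detect_shadow_copy_deletion(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The rule matches on the command-line text rather than the image path so that a renamed or copied `vssadmin.exe` binary is still caught; pairing it with the image path in an alert gives the analyst both views.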

Tactics, Techniques, and Procedures (TTPs)

Initial Access

  • T1133: External Remote Services
  • T1078: Valid Accounts
    • Compromised VPN Credentials

Discovery

  • T1046: Network Service Discovery
    • Tools: SoftPerfect Network Scanner, Advanced Port Scanner
  • T1135: Network Share Discovery
    • Tool: SharpShares

Lateral Movement

  • T1021: Remote Services
    • Sub-techniques: Remote Desktop Protocol (RDP), SMB/Windows Admin Shares
  • T1570: Lateral Tool Transfer
    • Tool: PsExec

Credential Access

  • T1003: OS Credential Dumping
    • Sub-technique: NTDS
  • T1555: Credentials from Password Stores
    • Tool: Veeam-Get-Creds.ps1
  • T1110: Brute Force
    • Sub-technique: Credential Stuffing

Persistence

  • T1136: Create Account
    • Sub-technique: Local Account (Administrator)

Execution

  • T1059: Command and Scripting Interpreter
    • Sub-technique: Windows Command Shell
  • T1569: System Services
    • Sub-technique: Service Execution (PsExec)

Defense Evasion

  • T1562: Impair Defenses
    • Sub-technique: Disable or Modify Tools (Windows Defender/AV)
  • T1550: Use Alternate Authentication Material
    • Sub-technique: Pass the Hash
  • T1078: Valid Accounts
  • T1140: Deobfuscate/Decode Files or Information
  • T1070: Indicator Removal
    • Sub-technique: File Deletion

Impact

  • T1486: Data Encrypted for Impact
  • T1490: Inhibit System Recovery
    • Tool: vssadmin.exe
  • T1489: Service Stop

Tools Used

PsExec

PsExec allows execution of processes on other systems with full interactivity for console applications. Fog operators use PsExec for lateral movement and command execution.

Metasploit

Metasploit is a penetration testing framework. Its use was detected against a Veeam server in Fog ransomware attacks.

Network Scanners

SoftPerfect Network Scanner

A network administration tool used to discover network services.

Advanced Port Scanner

A free network and port scanner used to identify network services.

SharpShares

An open-source tool for enumerating accessible network shares, used by Fog operators to discover network shares.

Veeam-Get-Creds.ps1

An open-source PowerShell script used to obtain passwords from the Veeam Backup and Replication Credentials Manager.

Indicators of Compromise (IoCs)

File Hashes

  • SHA1: f7c8c60172f9ae4dab9f61c28ccae7084da90a06 (Fog ransomware binary lck.exe)
  • SHA1: 507b26054319ff31f275ba44ddc9d2b5037bd295 (Fog ransomware binary locker_out.exe)
  • SHA1: e1fb7d15408988df39a80b8939972f7843f0e785 (Fog ransomware binary fs.exe)
  • SHA1: 83f00af43df650fda2c5b4a04a7b31790a8ad4cf (Fog ransomware binary locker_out.exe)
  • SHA1: 44a76b9546427627a8d88a650c1bed3f1cc0278c (Fog ransomware binary mon.dll)
  • SHA1: eeafa71946e81d8fe5ebf6be53e83a84dcca50ba (PsExec psexesvc.exe)
  • SHA1: 763499b37aacd317e7d2f512872f9ed719aacae1 (Advanced Port Scanner advanced_port_scanner.exe)
  • SHA1: 3477a173e2c1005a81d042802ab0f22cc12a4d55 (Advanced Port Scanner advanced_port_scanner_2.5.3869.exe)
  • SHA1: 90be89524b72f330e49017a11e7b8a257f975e9a (SharpShares sharpshares(1).exe)

Hostnames

  • DESKTOP-7G1IC87
  • Kali
  • VPS65CCB8B75352
  • PACKERP-VUDV41R

Filenames

  • readme.txt: Ransom note
  • DBgLog.sys: Log file created by ransomware binary
  • Veeam-Get-Creds.ps1: PowerShell script for obtaining Veeam credentials
  • PSEXESVC.exe: PsExec
  • netscan.exe: SoftPerfect Network Scanner

File Extensions

  • .fog: Appended file extension to encrypted files
  • .flocked: Appended file extension to encrypted files

IP Addresses

  • 5.230.33[.]176
  • 77.247.126[.]200
  • 107.161.50[.]26

Detection Opportunities

PowerShell Script Detection

The Veeam-Get-Creds.ps1 script includes specific strings:

  • [System.Security.Cryptography.ProtectedData]::Unprotect
  • [System.Security.Cryptography.DataProtectionScope]::LocalMachine
  • SqlDatabaseName

Detecting these strings in PowerShell script block logging can identify the use of this tool.
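As an added example (not code from the original article or from Arctic Wolf), the block below turns the article's IoC list and the three Veeam-Get-Creds.ps1 marker strings into simple matchers: it refangs the defanged IP addresses, normalizes SHA1 casing before lookup, and scans PowerShell script block text (Event ID 4104 style) case-insensitively, since PowerShell itself is case-insensitive. The log lines and script block text are constructed for the example; the rule that two or more marker strings in one script block is "suspicious" is a threshold chosen here, not one the article states.

```python
import re

# IoCs copied from the article's IoC section.
KNOWN_SHA1 = {
    "f7c8c60172f9ae4dab9f61c28ccae7084da90a06": "Fog ransomware binary lck.exe",
    "507b26054319ff31f275ba44ddc9d2b5037bd295": "Fog ransomware binary locker_out.exe",
    "e1fb7d15408988df39a80b8939972f7843f0e785": "Fog ransomware binary fs.exe",
    "83f00af43df650fda2c5b4a04a7b31790a8ad4cf": "Fog ransomware binary locker_out.exe",
    "44a76b9546427627a8d88a650c1bed3f1cc0278c": "Fog ransomware binary mon.dll",
    "eeafa71946e81d8fe5ebf6be53e83a84dcca50ba": "PsExec psexesvc.exe",
    "763499b37aacd317e7d2f512872f9ed719aacae1": "Advanced Port Scanner",
    "3477a173e2c1005a81d042802ab0f22cc12a4d55": "Advanced Port Scanner",
    "90be89524b72f330e49017a11e7b8a257f975e9a": "SharpShares",
}
KNOWN_IPS_DEFANGED = ["5.230.33[.]176", "77.247.126[.]200", "107.161.50[.]26"]

# Strings the article lists as characteristic of Veeam-Get-Creds.ps1.
VEEAM_GET_CREDS_STRINGS = [
    "[System.Security.Cryptography.ProtectedData]::Unprotect",
    "[System.Security.Cryptography.DataProtectionScope]::LocalMachine",
    "SqlDatabaseName",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ip):
    """Turn a defanged IP such as 5.230.33[.]176 back into a matchable address."""
    return ip.replace("[.]", ".")


KNOWN_IPS = {refang(ip) for ip in KNOWN_IPS_DEFANGED}


def match_file_hash(sha1):
    """Look up a SHA1 (any casing, surrounding whitespace ignored) in the IoC list."""
    return KNOWN_SHA1.get(sha1.strip().lower())


def match_ips(text):
    """Return the known Fog IPs found in a log line, sorted for stable output."""
    return sorted({ip for ip in IP_RE.findall(text) if ip in KNOWN_IPS})


def match_script_block(script_text):
    """Return the marker strings present in a script block (case-insensitive),
    plus whether the block crosses the (chosen) two-marker suspicion threshold."""
    lowered = script_text.lower()
    found = [s for s in VEEAM_GET_CREDS_STRINGS if s.lower() in lowered]
    return {"markers": found, "suspicious": len(found) >= 2}


# Constructed samples, not real telemetry.
SAMPLE_FIREWALL_LINE = "2024-05-20T10:11:12Z vpn-gw deny src=107.161.50.26 dst=10.0.0.5 dport=443"
SAMPLE_SCRIPT_BLOCK = (
    "ScriptBlockText: ... [system.security.cryptography.protecteddata]::unprotect(...) "
    "... [System.Security.Cryptography.DataProtectionScope]::LocalMachine ... SqlDatabaseName"
)
SAMPLE_BENIGN_BLOCK = "ScriptBlockText: Get-Service | Where-Object { $_.Status -eq 'Running' }"

if __name__ == "__main__":
    print(match_file_hash("F7C8C60172F9AE4DAB9F61C28CCAE7084DA90A06"))
    print(match_ips(SAMPLE_FIREWALL_LINE))
    print(match_script_block(SAMPLE_SCRIPT_BLOCK))
```

`SqlDatabaseName` on its own is a weak signal, because legitimate Veeam administration scripts may reference it; the two-marker threshold, and in particular the combination of the DPAPI `Unprotect` call with `LocalMachine` scope, is what makes the hit worth an analyst's time.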

Arctic Wolf's Protection Measures

Arctic Wolf has implemented threat intelligence, continuous network monitoring, and advanced logging to detect and respond to Fog ransomware attacks. Detection opportunities lie in identifying abnormal network activity, especially activity involving VPN gateways and administrative account logins.