How’s it going there, friends in healthcare and cybersecurity in the Bay Area? I trust you’re gearing up for the new challenges that come with our line of work. Lately, we’ve seen a marked increase in ransomware attacks, right? Old hits like Akira, LockBit, and BlackBasta are still ringing in our heads even as new variants are created and launched at an alarming rate.
We’ve recently gone up close with one such newcomer – Fog ransomware. This nasty little bug first emerged in May 2024 and has been wreaking havoc in the education sector, predominantly in the United States. Scarily, it uses compromised VPN credentials to slink into organizations’ networks.
By June, we had several firsthand encounters with Fog across different networks. The startling fact is how swiftly it operates. From access to encryption, the fastest we saw was two hours – yikes!
So, what does a typical Fog attack look like, you ask? It comprises key stages like enumeration, lateral movement, encryption, and data exfiltration. Overwhelming? Perhaps, but we aren’t helpless against it. With strategies like quarantining affected devices and blocking suspicious external connections, we’ve been able to halt these attacks early on.
But let’s look at cases without these measures, where the attack isn’t stopped until the customer hears the alarm and steps in. That’s when it gets scary. The attackers first access networks through compromised VPN credentials, then dive into suspicious activities like file shares, enumeration, and extensive scanning. In one case, a domain controller was observed making outgoing NTLM authentication attempts, exposing an NTLM hash that could give the attacker unintended access.
Interestingly, ticking off the standard ransomware checklist, Fog sets up command-and-control (C2) communication. The attackers use remote access tools like AnyDesk and Splashtop to hide in plain sight, which makes identifying malicious activity all the more challenging.
And, of course, reconnaissance is part of the game too. Affected devices repeatedly make failed internal connections to other devices over ports such as 80 (HTTP), 3389 (RDP), 139 (NetBIOS), and 445 (SMB), a pattern typical of reconnaissance scanning.
The attackers then embark on a lateral movement through networks, with RDP being the common “vehicle” for the journey. As they go deeper into the networks, they engage in a flurry of SMB read and write activities. Soon enough, the “.flocked” extension begins to appear on internal share drive file names—a sure sign of ransomware encryption.
To rub salt into the wound, the attackers distribute ‘readme.txt’ files across the network. These include details about the Fog ransomware group, the encryption activities carried out, and instructions on how to negotiate the ransom. Talk about being bold!
Some cases also show signs of data exfiltration (remember double extortion?): internal files transferred to suspicious external endpoints, with the threat of publishing them if the ransom isn’t paid on time.
Now, education organizations are at particularly high risk from these malicious activities. Often, their cyber defenses aren’t as robust, and they have periods where infrastructure goes unmonitored.
Fog’s continued success is a reminder to up our game big time. Traditional security methods might falter in the face of Fog and its ilk. But what wouldn’t falter? AI-driven defensive strategies. These not only detect the first signs of compromise rapidly; they are also adept at analyzing and responding to unusual activity.
Stay tuned for more updates from the arena. The Bay area weather might be unpredictable, but we sure are not. Let’s continue to keep our defenses sturdy and our spirits high. Stay safe, cyber warriors!
by Morgan Phisher | HEAL Security