The new Fog ransomware targets schools via hacked VPNs

A new strain of ransomware has been detected that uses compromised VPN credentials to gain initial access to its victims’ endpoints.

Arctic Wolf researchers, who began tracking the ransomware variant in early May 2024, dubbed it Fog. Its victims are primarily educational organizations in the US, with other notable cases in the recreation industry.

So far, Arctic Wolf has observed the attackers using compromised VPN credentials from at least two gateway vendors: “In each of the cases examined, forensic evidence indicated that threat actors were able to gain access to victim environments by using compromised VPN credentials,” the researchers explained. “Notably, the remote access was via two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024.”

Steal data

After compromising the network, the attackers attempt to gain access to valuable accounts, including accounts that can establish Remote Desktop Protocol (RDP) connections. They then try to disable Windows Defender and lay the groundwork for deploying the encryptor.

Fog also encrypts VMDK files in Virtual Machine (VM) storage and deletes backups, both Veeam backups held in object storage and Windows volume shadow copies, before running the encryptor. Encrypted files receive the .FOG extension. Finally, the ransomware drops a ransom note telling victims how to contact the attackers to negotiate decryption of their systems.
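As an added example (not code from the article or from Arctic Wolf's report), the Python triage script below scans constructed process-creation records for the stages described above: Defender tampering, shadow-copy deletion and the .FOG extension. The `host|user|command` record format, the host names and the command lines are all assumptions.

```python
import re

# Constructed sample process-creation events (not from the article or any
# real incident), in a simplified "host|user|command" format.
SAMPLE_EVENTS = [
    "srv-fs01|svc_backup|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "srv-fs01|svc_backup|vssadmin.exe delete shadows /all /quiet",
    "srv-fs01|svc_backup|wmic.exe shadowcopy delete",
    "ws-22|jdoe|notepad.exe C:\\Users\\jdoe\\report.docx",
    "srv-vm01|svc_backup|cmd.exe /c ren budget.xlsx budget.xlsx.FOG",
]

# One regular expression per stage the article describes. The patterns are
# assumptions about how those stages typically show up in command lines.
RULES = {
    "defender_tampering": re.compile(
        r"Set-MpPreference.*-Disable\w+Monitoring|sc(\.exe)?\s+stop\s+WinDefend", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "fog_extension": re.compile(r"\.FOG\b"),
}


def parse_event(line):
    """Split a 'host|user|command' record; the command may itself contain '|'."""
    host, user, cmd = line.split("|", 2)
    return host, user, cmd


def classify(line):
    """Return the sorted list of stage names whose rule matches the command."""
    _, _, cmd = parse_event(line)
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))


def triage(lines):
    """Aggregate matched stages per host; a single rule firing once is weak
    evidence, several distinct stages on one host is a much stronger signal."""
    per_host = {}
    for line in lines:
        host, _, _ = parse_event(line)
        for stage in classify(line):
            per_host.setdefault(host, set()).add(stage)
    return {host: sorted(stages) for host, stages in per_host.items()}


def high_confidence_hosts(lines, min_stages=2):
    """Hosts on which at least min_stages distinct stages were observed."""
    return sorted(h for h, s in triage(lines).items() if len(s) >= min_stages)
```

Feeding real EDR or Sysmon process-creation data into `triage` only requires adapting `parse_event` to that source's field layout.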

Arctic Wolf found no evidence that the threat actors exfiltrated sensitive data before running the encryptor, but BleepingComputer reports that data is in fact stolen. The ransom note contains a link to a Tor dark web site where the threat actors share samples of the stolen data with the victims, as proof that they captured sensitive files.
