Fog Ransomware Goes Global, Disrupting U.S. and Australian Sectors

Threat Group: FOG
Threat Type: Ransomware
Exploited Vulnerabilities: None required for initial access; the group relies on compromised or brute-forced VPN credentials and then abuses Windows credential handling (pass-the-hash) inside the network.
Malware Used: FOG Ransomware (Windows executable; appends .FOG or .FLOCKED to encrypted files)
Threat Score: High (8.5/10) – due to its rapid file encryption, expanding target range, and recent pivot towards data exfiltration for double extortion.
Last Threat Observation: October 21, 2024, affecting educational, recreational, and corporate sectors in the United States and Australia.


Overview

FOG ransomware, a relatively new threat actor identified in May 2024, has gained momentum and is rapidly evolving. Initially focusing on U.S. educational institutions, it has now expanded its operations internationally, including high-profile cases like the recent breach of Ultra Tune, a large Australian automotive franchise. Fog’s methodology involves leveraging compromised VPN credentials to infiltrate networks, disable security mechanisms, and encrypt files using strong cryptographic algorithms. In addition to encrypting data, the group now employs double extortion tactics, threatening to leak sensitive data on its dark web blog if ransom demands are not met.

Key Details

  • Delivery Method: Initial access via compromised VPN credentials (including accounts obtained by brute force), followed by pass-the-hash for lateral movement and privilege escalation.
  • Target: Educational institutions, recreational centers, automotive companies, and corporate sectors in the United States and Australia.
  • Recent Incidents:
    1. Ultra Tune (Australia): The group claimed responsibility for exfiltrating 3GB of sensitive data, including employee records, customer information, driver’s licenses, passports, and more.
    2. Cordogan Clark and Associates and Fromm Beauty have also been listed on Fog's dark web leak site as victims.
  • Functions:
    1. Encrypts files using Windows CryptoAPI, particularly targeting Virtual Machine Disks (VMDKs).
    2. Deletes backups and volume shadow copies, disables security tools such as Windows Defender, and terminates processes to evade detection.
    3. Recent attacks map to MITRE ATT&CK techniques including Network Share Discovery (T1135), Data Encrypted for Impact (T1486), and Inhibit System Recovery (T1490).
    4. Leaves ransom notes with instructions for negotiations via Tor.
    5. Employs double extortion tactics by posting stolen data on a newly launched leak site.
  • Obfuscation: Uses dynamically loaded APIs, encrypted configuration files, and multi-threading to increase the speed of encryption and hinder detection.

Attack Vectors

FOG gains initial access with compromised VPN credentials, then moves laterally and escalates privileges with pass-the-hash, disables security controls such as Windows Defender, and stops backup-related services. Files are encrypted and renamed with the .FOG or .FLOCKED extension, and volume shadow copies are deleted so the host cannot be rolled back locally. Since the group launched its dark web leak site, data exfiltrated before encryption is posted there if the ransom is not paid.
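The behaviours listed under Key Details and in the paragraph above (shadow copy deletion, Defender tampering, boot-recovery changes, share discovery, and a burst of files written with the .FOG/.FLOCKED extension) are concrete enough to detect from endpoint telemetry. The following is an added example written for this page, not code from any of the cited sources or from the FOG group itself: it runs simple ATT&CK-mapped rules over constructed sample log lines. The key=value log format, the Sysmon-like event names, the field names and the sample events are all assumptions, not a vendor schema or real telemetry.

```python
"""Detection logic for the FOG tradecraft described on this page.
Added example; the log format (key=value fields, Sysmon-like event names)
and the sample lines are constructed assumptions, not real telemetry."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# (ATT&CK technique, description, pattern applied to the process command line)
PROCESS_RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("T1562.001", "Impair Defenses: Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I)),
    ("T1135", "Network Share Discovery: net view",
     re.compile(r"\bnet1?(\.exe)?\s+view\b", re.I)),
]
# Extensions the page reports FOG appending to encrypted files.
ENCRYPTED_EXT = re.compile(r"\.(fog|flocked)$", re.I)

# Constructed sample telemetry (raw string so Windows paths need no escaping).
SAMPLE_LOG = r"""
ts=2024-10-21T02:14:01 | host=FS01 | user=CORP\svc_backup | event=process_create | image=C:\Windows\System32\net.exe | cmdline=net view \\FS02
ts=2024-10-21T02:14:05 | host=FS01 | user=CORP\svc_backup | event=process_create | image=C:\Windows\System32\vssadmin.exe | cmdline=vssadmin delete shadows /all /quiet
ts=2024-10-21T02:14:06 | host=FS01 | user=CORP\svc_backup | event=process_create | image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmdline=powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
ts=2024-10-21T02:14:07 | host=FS01 | user=CORP\svc_backup | event=process_create | image=C:\Windows\System32\bcdedit.exe | cmdline=bcdedit /set {default} recoveryenabled No
ts=2024-10-21T02:14:09 | host=FS01 | user=CORP\svc_backup | event=file_create | image=C:\Users\Public\lck.exe | target=D:\VMs\web01.vmdk.fog
ts=2024-10-21T02:14:09 | host=FS01 | user=CORP\svc_backup | event=file_create | image=C:\Users\Public\lck.exe | target=D:\VMs\db01.vmdk.FLOCKED
ts=2024-10-21T02:14:10 | host=FS01 | user=CORP\svc_backup | event=file_create | image=C:\Users\Public\lck.exe | target=D:\Shares\finance\q3.xlsx.fog
ts=2024-10-21T02:14:10 | host=FS01 | user=CORP\svc_backup | event=file_create | image=C:\Users\Public\lck.exe | target=D:\Shares\finance\readme.txt
ts=2024-10-21T08:30:00 | host=WS07 | user=CORP\jdoe | event=process_create | image=C:\Windows\System32\vssadmin.exe | cmdline=vssadmin list shadows
"""


@dataclass(frozen=True)
class Alert:
    technique: str
    description: str
    host: str
    user: str
    evidence: str


def parse_event(line):
    """Split 'k=v | k=v' into a dict; only the first '=' of each field separates key and value."""
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in line.split(" | "))}


def detect(log_text, burst_threshold=3):
    """Apply the command-line rules per event and a burst rule over encrypted-file writes."""
    alerts = []
    writers = defaultdict(list)  # (host, user, image) -> paths written with a FOG extension
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        key = (ev.get("host", "?"), ev.get("user", "?"))
        if ev.get("event") == "process_create":
            cmd = ev.get("cmdline", "")
            for technique, desc, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    alerts.append(Alert(technique, desc, *key, cmd))
        elif ev.get("event") == "file_create" and ENCRYPTED_EXT.search(ev.get("target", "")):
            writers[key + (ev.get("image", "?"),)].append(ev["target"])
    # One process writing several .FOG/.FLOCKED files is the encryption run itself;
    # a single rename would be too noisy to page on, hence the threshold.
    for (host, user, image), paths in writers.items():
        if len(paths) >= burst_threshold:
            alerts.append(Alert("T1486", f"Data Encrypted for Impact: {len(paths)} encrypted files written by {image}",
                                host, user, "; ".join(paths)))
    return alerts


def summarize(alerts):
    """Count alerts per ATT&CK technique, useful for a quick triage view."""
    return Counter(a.technique for a in alerts)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.technique}] {a.host} {a.user}: {a.description} ({a.evidence[:60]})")
```

On the constructed sample this fires four command-line alerts on FS01 (share discovery, shadow copy deletion, Defender tampering, boot recovery disabled) plus one burst alert for the three encrypted files, and stays silent on the benign `vssadmin list shadows` on WS07. In a real deployment the same rules would be expressed as EDR or SIEM queries over process-creation and file-create events, and the burst threshold tuned to the environment's normal rename rate.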

Known Indicators of Compromise (IoCs)

  • File Hashes (MD5):
    • 617d79c02ebac68b613d5b7cdbf001fd
  • File Hashes (SHA1):
    • 44a76b9546427627a8d88a650c1bed3f1cc0278c
    • 507b26054319ff31f275ba44ddc9d2b5037bd295
    • 83f00af43df650fda2c5b4a04a7b31790a8ad4cf
    • e1fb7d15408988df39a80b8939972f7843f0e785
    • f7c8c60172f9ae4dab9f61c28ccae7084da90a06
  • File Hashes (SHA256):
    • e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3
  • Domains:
    • xbkv2qey6u3g3dqxcoyjnrt4h5sgrhkar6whuo74wo63hijnn677jnyd[.]onion (Dark web leak site for exfiltrated data)
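The hash list above mixes MD5, SHA1 and SHA256 values, so a sweep needs to compute all three per file in one pass, and the .onion address is defanged for publication and must be refanged before it can be matched against anything. The following is an added example written for this page (not tooling from the cited sources or the FOG group): it validates the IoC list, hashes every file under a directory against it, and greps small files for the leak-site host. It embeds a constructed test tree rather than a real FOG sample; the "known bad" file is a harmless stub whose own hash is added to a copy of the IoC set, and the fake ransom note uses the leak-site address only as a stand-in string, since a real note would carry its own Tor address.

```python
"""Sweep a directory tree against the FOG IoCs listed on this page.
Added example; the only indicators it knows are the hashes and the defanged
.onion host published above, and its test data is constructed in a temp dir."""
import hashlib
import tempfile
from pathlib import Path

IOC_HASHES = {
    "md5": {"617d79c02ebac68b613d5b7cdbf001fd"},
    "sha1": {
        "44a76b9546427627a8d88a650c1bed3f1cc0278c",
        "507b26054319ff31f275ba44ddc9d2b5037bd295",
        "83f00af43df650fda2c5b4a04a7b31790a8ad4cf",
        "e1fb7d15408988df39a80b8939972f7843f0e785",
        "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",
    },
    "sha256": {"e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3"},
}
LEAK_SITE_DEFANGED = "xbkv2qey6u3g3dqxcoyjnrt4h5sgrhkar6whuo74wo63hijnn677jnyd[.]onion"
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(indicator):
    """Turn a publication-safe indicator back into a searchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def validate_iocs(iocs=IOC_HASHES):
    """Catch copy/paste damage: every hash must be lowercase hex of the right length."""
    return all(
        len(h) == HEX_LEN[algo] and all(c in "0123456789abcdef" for c in h)
        for algo, hashes in iocs.items() for h in hashes
    )


def hash_file(path, chunk_size=1 << 20):
    """One read of the file feeds all three digests, since the IoC list mixes algorithms."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def sweep(root, iocs=IOC_HASHES, leak_site=LEAK_SITE_DEFANGED, note_max_bytes=64 * 1024):
    """Return {path: [reasons]} for files whose hash is an IoC or that mention the leak site."""
    onion = refang(leak_site).encode()
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        for algo, value in hash_file(path).items():
            if value in iocs.get(algo, ()):
                reasons.append(f"{algo} matches IoC {value}")
        # Only small files are content-searched: ransom notes and dropped configs are
        # tiny, and reading multi-gigabyte VMDKs into memory would stall the sweep.
        if path.stat().st_size <= note_max_bytes and onion in path.read_bytes():
            reasons.append("references FOG leak site")
        if reasons:
            hits[str(path)] = reasons
    return hits


def demo():
    """Constructed tree: a harmless stub whose hash is added to a COPY of the IoC set
    (no real FOG binary is embedded), a fake ransom note, and a clean file."""
    root = tempfile.mkdtemp(prefix="fog_ioc_demo_")
    sample = Path(root, "lck.exe")
    sample.write_bytes(b"MZ\x90\x00constructed-stub-not-malware")
    Path(root, "readme.txt").write_text("contact us at http://" + refang(LEAK_SITE_DEFANGED) + "/")
    Path(root, "report.docx").write_bytes(b"nothing to see here")
    iocs = {algo: set(values) for algo, values in IOC_HASHES.items()}
    iocs["sha256"].add(hash_file(sample)["sha256"])
    return sweep(root, iocs)


if __name__ == "__main__":
    print("IoC list well-formed:", validate_iocs())
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Hash matching only catches the exact samples already seen; a rebuilt or repacked FOG binary will not match, which is why the behavioural detections from the Attack Vectors section matter more than this list. The .onion host will not appear in ordinary DNS logs either, since Tor hidden services are not resolved through DNS; it is most useful for finding ransom notes and dropped configuration on disk, and for spotting staff who look the leak site up from a corporate proxy that permits Tor gateways.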

Mitigation and Prevention

  • User Awareness: Conduct regular security training that covers phishing and the handling of VPN credentials, since reused or phished VPN passwords are this group's primary way in.
  • Email Filtering: Implement strong email filtering solutions to block phishing emails.
  • Endpoint Security: Utilize advanced Endpoint Detection and Response (EDR) tools to detect anomalous behavior, including process termination and encryption patterns.
  • Two-Factor Authentication (2FA): Mandate 2FA for all remote access services, particularly VPNs, so that a stolen or brute-forced password alone is not enough to log in; prefer phishing-resistant methods where the VPN supports them.
  • Monitor Logs: Continuously monitor and analyze logs for unusual activity, particularly related to privileged accounts and remote access.
  • Regular Updates: Ensure all VPN and remote access infrastructure are patched promptly to mitigate vulnerabilities.

Conclusion

FOG ransomware is a fast-growing and dangerous threat, targeting critical sectors across the U.S. and Australia. Its recent adoption of double extortion tactics increases the pressure on victims to pay ransoms, threatening both data encryption and public data leaks. Organizations should focus on bolstering VPN security, improving user awareness, and maintaining strong backups and incident response strategies to mitigate the risk of this ransomware.


Sources

  1. Cyber Daily: Exclusive: Major Australian mechanic Ultra Tune suffers alleged cyber attack
  2. AlienVault: Fog Ransomware – Technical Analysis
  3. Arete: Malware Spotlight: Fog Ransomware
  4. Kroll: FOG Ransomware Targets Higher Education