Summary

On 2 May 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organisations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector.

We are sharing details of this emerging variant to help organisations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.

About Fog Ransomware

Starting in early May, the Arctic Wolf Incident Response team began investigating cases involving the deployment of the Fog ransomware variant against US organisations in the education and recreation sectors.

We refer to Fog as a ransomware variant rather than a group to distinguish between the entities responsible for creating the encryptor software and those conducting the hands-on-keyboard attacks against victims. This is a critical distinction because ransomware groups sometimes project an image of being a singular group when they are in fact composed of independent affiliate groups. At this time, the organisational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown.

In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on 23 May 2024.

Early in one of the cases, pass-the-hash activity was observed against administrator accounts which were subsequently used to establish RDP connections to Windows Servers running Hyper-V and Veeam. In another case, evidence of credential stuffing was observed, which was thought to facilitate lateral movement throughout the environment. In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts.

On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors. Threat actors were observed encrypting VMDK files in VM storage and deleting backups from object storage in Veeam. Threat actors left behind ransom notes on affected systems and deployed a functionally identical ransomware payload in all cases. Other than a unique chat code, the ransom notes were identical. Other than the .onion address used for communication between the victim and threat actor, we have not observed an additional dark web presence such as a data leak site.

Technical Analysis

Ransomware Payload

The ransomware encryptor binary exhibits common techniques that are typically leveraged in other ransomware variants. The samples we analysed from different cases contained many similarities, including identical functional code blocks and instructions, indicating that they were compiled from the same source code.

When the sample first executes, it attempts to create a new file called DbgLog.sys in the special directory %AppData%. The DbgLog.sys file is populated with log lines indicating the status and error conditions of the ransomware as each technique is executed.

During the initialisation routine, the sample references NTDLL.DLL and the function NtQuerySystemInformation. Notably, the NT API is part of the Windows internal APIs and is typically recommended not to be called directly since it can change with each version of Windows. The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available. This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.

Once the initialisation routine is complete, the command line arguments are checked for specific options:

  • NOMUTEX: Does not create a mutex, allowing multiple instances of the ransomware to execute at the same time.
  • TARGET: Specifies the location at which file discovery begins.
  • CONSOLE: Creates a new console window for the calling process and attaches standard output and standard error to it.

Further customisation is present in the sample via a JSON-based configuration block. The following configurable options control what activity takes place before and after encryption:

  • RSAPubKey: Embedded public key used for encryption
  • LockedExt: Post encryption file extension
  • NotefileName: Name of the ransomware note
  • ShutdownProcesses: Ensures the processes are terminated prior to encrypting
  • ShutdownServices: Ensures the services are stopped prior to encrypting

Volumes, network resources, and files are discovered using the standard Windows APIs such as: FindFirstVolume, WNetOpenEnum and FindFirstFile. The Unicode variants of these functions were used in each case.

Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files. The pool size is derived from the logical processor count, with a minimum of two and a maximum of sixteen threads. The deprecated CryptoAPI functions CryptImportKey and CryptEncrypt are called during the encryption process.

Once encryption is complete, the configured LockedExt extension is appended to each file using the Unicode version of the MoveFile Windows API; in the cases observed, the extensions .FOG and .FLOCKED were configured. A ransom note is written to disk using the NotefileName option from the configuration block; in the cases observed, the note file was named readme.txt.

Before the sample terminates, volume shadow copies are deleted by creating a new process via the CreateProcess function with the command line vssadmin.exe delete shadows /all /quiet. The /all switch deletes all shadow copies of the specified volume, and the /quiet switch suppresses any messages during the deletion.

Tactics, Techniques, and Procedures (TTPs)

Techniques are grouped by tactic; observed sub-techniques and tools are listed beneath each technique.

Initial Access
  • T1133: External Remote Services
  • T1078: Valid Accounts (compromised VPN credentials)

Discovery
  • T1046: Network Service Discovery (SoftPerfect Network Scanner, Advanced Port Scanner)
  • T1135: Network Share Discovery (SharpShares)

Lateral Movement
  • T1021: Remote Services
      • T1021.001: Remote Desktop Protocol
      • T1021.002: SMB/Windows Admin Shares
  • T1570: Lateral Tool Transfer (PsExec)

Credential Access
  • T1003: OS Credential Dumping
      • T1003.003: NTDS
  • T1555: Credentials from Password Stores (PowerShell script Veeam-Get-Creds.ps1 used to obtain passwords from the Veeam Backup and Replication Credentials Manager)
  • T1110: Brute Force
      • T1110.004: Credential Stuffing

Persistence
  • T1136: Create Account
      • T1136.001: Local Account (Administrator)

Execution
  • T1059: Command and Scripting Interpreter
      • T1059.003: Windows Command Shell
  • T1569: System Services
      • T1569.002: Service Execution (PsExec)

Defense Evasion
  • T1562: Impair Defenses
      • T1562.001: Disable or Modify Tools (Windows Defender/AV)
  • T1550: Use Alternate Authentication Material
      • T1550.002: Pass the Hash
  • T1078: Valid Accounts
  • T1140: Deobfuscate/Decode Files or Information
  • T1070: Indicator Removal
      • T1070.004: File Deletion

Impact
  • T1486: Data Encrypted for Impact
  • T1490: Inhibit System Recovery (vssadmin.exe used to delete volume shadow copies on the system)
  • T1489: Service Stop

Tools

  • PsExec: A tool that allows threat actors to execute processes on other systems with full interactivity for console applications. The threat actor leveraged PsExec to move laterally and execute commands.
  • Metasploit: Penetration testing framework. Metasploit usage was detected against a Veeam server.
  • SoftPerfect Network Scanner: Network administration tool for Windows, macOS, and Linux. The threat actor used SoftPerfect to discover network services.
  • Advanced Port Scanner: Free network and port scanner. The threat actor used Advanced Port Scanner to discover network services.
  • SharpShares: An open-source tool used to enumerate accessible network shares. The threat actor used SharpShares v2.3 to discover network shares.
  • Veeam-Get-Creds.ps1: An open-source PowerShell script used by the threat actor to obtain passwords from the Veeam Backup and Replication Credentials Manager.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around Fog ransomware to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.

Conclusion

While few details are known about the threat actors involved, the shared functional code blocks between the ransomware payloads suggest that they were built from the same source code. This may indicate the involvement of a common entity across the cases. On the other hand, despite the similarities, evidence tying the cases to a single threat actor is not conclusive.

The threat actors in the cases described here show an interest in rapid encryption of VM storage data and ransom payment for decryption of that data. Diverging from common practice in most ransomware intrusions, the threat actors were not observed to exfiltrate data from hosts being encrypted.

Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack involving data exfiltration and a high-profile leak site. This evidence, along with known victimology, suggests that the threat actors are financially motivated and primarily target the education sector.

Although the tactics employed in these cases are fairly typical of ransomware activity, these threats serve as a reminder of the importance of secure, off-site backup infrastructure and defense-in-depth to render attacks impotent as early as possible.

Appendix

Indicators of Compromise (IoCs)


Detection Opportunities

Endpoint

The Veeam-Get-Creds.ps1 PowerShell script includes the following strings:

[System.Security.Cryptography.ProtectedData]::Unprotect
[System.Security.Cryptography.DataProtectionScope]::LocalMachine
SqlDatabaseName

Detecting occurrences of all 3 strings in PowerShell script block logging may be able to identify usage of this tool.
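As an added illustration of that detection (example code written for this article, not Arctic Wolf's own detection logic), the following Python matches the three strings against reassembled PowerShell script block log entries. It assumes the standard Event ID 4104 message layout, in which long scripts are logged as several "(n of m)" fragments sharing one ScriptBlock ID, so a single event may not contain all three strings; the sample events are constructed.

```python
import re
from collections import defaultdict

# Strings present in Veeam-Get-Creds.ps1 (taken from the report above).
VEEAM_GET_CREDS_STRINGS = (
    "[System.Security.Cryptography.ProtectedData]::Unprotect",
    "[System.Security.Cryptography.DataProtectionScope]::LocalMachine",
    "SqlDatabaseName",
)

# Layout of a PowerShell Event ID 4104 message body (assumed standard format);
# long scripts are split into "(n of m)" fragments that share one ScriptBlock ID.
_MSG_RE = re.compile(
    r"Creating Scriptblock text \((\d+) of (\d+)\):\r?\n(.*?)\r?\n\r?\nScriptBlock ID: ([0-9a-f-]+)",
    re.S | re.I,
)

def parse_4104(messages):
    """Parse 4104 message bodies into (script_block_id, part, text) tuples."""
    out = []
    for msg in messages:
        m = _MSG_RE.search(msg)
        if m:
            out.append((m.group(4), int(m.group(1)), m.group(3)))
    return out

def reassemble(records):
    """Concatenate fragments per ScriptBlock ID in part order."""
    frags = defaultdict(dict)
    for sbid, part, text in records:
        frags[sbid][part] = text
    return {sbid: "".join(p[i] for i in sorted(p)) for sbid, p in frags.items()}

def find_veeam_get_creds(messages):
    """Return ScriptBlock IDs whose full text contains all three strings.
    Matching is case-insensitive because PowerShell ignores case, so a re-cased copy
    of the script would otherwise slip past an exact match."""
    hits = []
    for sbid, text in reassemble(parse_4104(messages)).items():
        low = text.lower()
        if all(s.lower() in low for s in VEEAM_GET_CREDS_STRINGS):
            hits.append(sbid)
    return sorted(hits)

# Constructed sample events: block "aaaa-1111" is split into three fragments, so no
# single event holds all three strings; block "bbbb-2222" is benign DPAPI use.
SAMPLE_MESSAGES = [
    "Creating Scriptblock text (1 of 3):\n$db = 'SqlDatabaseName'\n\nScriptBlock ID: aaaa-1111\nPath: C:\\tmp\\v.ps1",
    "Creating Scriptblock text (2 of 3):\n$s=[System.Security.Cryptography.DataProtectionScope]::LocalMachine\n\nScriptBlock ID: aaaa-1111\nPath: C:\\tmp\\v.ps1",
    "Creating Scriptblock text (3 of 3):\n[system.security.cryptography.protecteddata]::unprotect($b,$null,$s)\n\nScriptBlock ID: aaaa-1111\nPath: C:\\tmp\\v.ps1",
    "Creating Scriptblock text (1 of 1):\n[System.Security.Cryptography.ProtectedData]::Unprotect($x,$null,'CurrentUser')\n\nScriptBlock ID: bbbb-2222\nPath: C:\\app\\ok.ps1",
]

if __name__ == "__main__":
    print(find_veeam_get_creds(SAMPLE_MESSAGES))  # ['aaaa-1111']
```

Matching only per event would miss the split block entirely, which is why fragments are joined by ScriptBlock ID before the three strings are checked.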

As part of our Managed Detection and Response service, Arctic Wolf has detections in place for this technique, in addition to other techniques employed by this threat actor.

Additional Resources

Get forward-thinking insights along with practical guidance you can apply to your organization in the Arctic Wolf Labs 2024 Threat Report.

Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.

Authors

Stefan Hostetler

Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.

Steven Campbell

Steven Campbell is a Lead Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.

Christopher Prest

Christopher is a Lead Security Researcher and a 17-year veteran in Software and Application security development, coupled with 2 years of cutting edge detection engineering and security research. A seasoned expert, Christopher focuses on Malware analysis and reverse engineering to shape the future of cybersecurity.

Connor Belfiore

Connor Belfiore is a Senior Threat Intelligence Analyst at Arctic Wolf Incident Response. He has more than five years of experience in threat intelligence, financial crimes investigation, and blockchain analysis.

Markus Neis

Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.

Joe Wedderspoon

Joe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 6 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors.

Rick McQuown

Rick McQuown is a senior forensic Analyst at Arctic Wolf Incident Response and a 22-year veteran of digital forensic investigations specializing in full disk image forensics. Over the years, Rick has trained hundreds of forensic practitioners in advanced forensics, including EnCase and Memory Forensics.
