Fog Ransomware Group Claims University of Oklahoma Data Breach, Exfiltrates 91GB of Data

• The notorious Fog Ransomware gang listed a new victim on its dark web page on January 14, estimating the data trove size at 91GB. 
• The hackers claim to have stolen sensitive data such as employee contact details and financial records.
• What’s more, the exfiltrated information reportedly includes contact details belonging to state senators.

The University of Oklahoma has reportedly fallen victim to a cybersecurity attack claimed by the Fog ransomware group, who advertised allegedly exfiltrating 91GB of sensitive data belonging to employees and senators.

The hackers say the stolen data includes employee contact information, financial records (such as audits, payment details, and reports), and contact details for state senators.

If the Fog ransomware group's claim is confirmed, the breach at the University of Oklahoma raises concerns over growing cybersecurity challenges for academic institutions.   

Fog ransomware, which appends the ".flocked" extension to encrypted files, was first identified in May 2023 in campaigns linked to Storm-0844, a threat actor known for deploying Akira ransomware. 

Notably, by June 2023, Storm-0844 shifted its preference from Akira to deploying Fog in its operations. 

Fog has increasingly targeted higher education institutions in the U.S., leveraging compromised VPNs as an entry point. This marks a concerning trend for ransomware operations, which are focusing more on educational institutions due to their extensive databases of sensitive information and, in some cases, comparatively weaker cybersecurity defenses. 

Before directing its efforts toward Fog ransomware, Storm-0844 gained notoriety with Akira ransomware, which proved devastating to businesses and critical infrastructure organizations in North America, Europe, and Australia. 

By January 2024, Akira's operations had affected over 250 organizations and generated an estimated $42 million in ransomware earnings. The pivot to Fog demonstrates an evolving strategy, with the group now concentrating on organizations such as universities that may present easier targets for specific exploits, including poorly secured VPN configurations. 

Groups such as Akira and Fog were seen abusing the now-patched critical security vulnerability in Veeam Backup & Replication (VBR) servers that allow remote code execution. Unauthenticated third parties could exploit the vulnerability attributed to the deserialization of untrusted data weakness.