New Ransomware Exploits Compromised VPNs to Target US Education and Recreation Sectors
- New Fog ransomware variant was discovered to target specific US sectors, 80% of them being in education.
- Threat actors were able to access victim environments by leveraging compromised VPN credentials.
- Unexpectedly, no data exfiltration was observed in these cases, suggesting the attacks were financially motivated.
The Arctic Wolf Incident Response team began investigating a new ransomware operation called Fog in early May. This variant targeted US organizations in the education and recreation sectors, 80% of which were in education, by threat actors accessing victim environments via credentials from breached VPNs.
Fog uses techniques common to other ransomware variants, indicating that they could have been compiled from the same source code. The investigated samples show the threat actors wanted to quickly encrypt VM storage data and obtain a fast payout to decrypt that data.
The report says that in some cases, the actors used administrator accounts to establish RDP connections to Windows Servers running Hyper-V and Veeam and facilitated lateral movement through credential stuffing. All cases presented PsExec deployment and the use of RDP/SMB to access targeted hosts. Notably, the remote access occurred through two unnamed VPN gateway vendors.
The malicious actors disabled Windows Defender on the Windows Servers they interacted with, encrypted VMDK files in Virtual Machine (VM) storage, deleted backups from object storage in Veeam, and deployed a functionally identical ransomware payload and the same ransom notes in all cases. However, no exfiltrated data from encrypted hosts ended up on the Dark Web.
During the process, a thread pool dedicated to encrypting all the discovered files is configured using the deprecated Windows APIs for CryptImportKey and CryptEncrypt. Once the encryption is complete, the ‘.FOG’ and ‘.FLOCKED’ file extensions are added to each file using the MoveFile Windows API and the LockedExt option, and a ‘.txt’ ransom note is written to the disk using the configured Notefilename option in the configuration block.
The researchers say the sample provides further customization via a JSON-based configuration block, while volumes, network resources, and files use standard Windows APIs such as FindFirstVolume, WNetOpenEnum, and FindFirstFile. Then, the volume shadow copy and all the specified volume’s shadow copies are deleted.
According to Verizon’s 2024 Data Breach Investigations Report, the educational services sector faced a significant threat from malware, hacking, and social engineering. In 2023, incidents reached 1,780, of which 1,537 involved confirmed data disclosure.