Executive Summary

Fog ransomware is a relatively new ransomware family first discovered in June 2024. Beazley Security has assisted some targeted organizations with response and recovery, and gained some insights about this new ransomware family and their related operations. Generally, Fog cases are not as numerous or frequent as other more established ransomware families, but this may change as their operations mature. Most of the victim organizations are in the education sector with majority of them being located in the United States.

We are sharing information about this emerging variant to help organizations protect themselves against this threat. Please be aware that we may update this article with additional details as our ongoing investigation continues.

FOG ransomware was first detected in May 2024, and they had no dark web leak site in the early stages of the activity. A thorough write-up of some initial Fog infection cases was reported in a blog from Arctic Wolf. They negotiated with victims on dark web chat pages listed in the ransom notes they left. In mid July, a dark web leak site was discovered where seven victims were posted in the creation of the website.

Fog leverages compromised VPN credentials to attack vulnerable networks and gain initial access into the network. Once they get inside the network, they perform "Pass-the-hash" attacks in the network. A "Pass-the-Hash" attack occurs when an adversary intercepts a hashed user credential and leverages it to initiate a new session within the same network. Following this, the attacker may employ tools like SharpShares to facilitate the discovery and enumeration of accessible network shares. Once successful, they establish a Remote Desktop Protocol (RDP) connection to a Windows server running Hyper-V and Veeam. If they are unsuccessful with "Pass-the-hash" attacks we have observed them using credential stuffing, which allowed them to laterally move throughout the environment. Regardless of the specific lateral movement technique employed, PsExec was deployed across multiple systems, and RDP was utilized to access the targeted machines.

FOG ransomware is known for encrypting files, including virtual machine storage, and disabling security defenses such as Windows Defender prior to initiating its encryption process. The malware appends a ".fog" or ".flocked" extension to the encrypted files and virtual machine disk (VMDKs) and generates a ransom note in the form of a text file named "readme.txt." This file contains instructions for victims on how to contact the attackers through a Tor-based negotiation site to discuss ransom payments. Besides for a unique chat code that is left in the "readme.txt", reason notes that we have observed are all identical.

Technical Details

The initial report on Fog from Arctic Wolf lists a few executable file hashes, and at time of writing only one was publicly available in VirusTotal. Fortunately VirusTotal also provides many ways to pivot searches, and we were able to find several more samples. Some AV vendors have detection logic that will tag samples with searchable malware names:

(ahnlab_v3:fog or microsoft:fog or gdata:fog or trendmicro_housecall:fog or trendmicro:fog or alibabacloud:fog or symantec:fog) fs:2020-01-01+

Which yielded the following samples:

We then decided to study these samples closer to see if there were more methodical ways to find and identify this ransomware family. To start, we noticed that the debug log system in Fog reported by Arctic Wolf isn't hidden or obfuscated and can be seen at a surface level:

This means the logging strings can be used as a reliable Yara rule. Then, from a behavioral standpoint, we studied in particular this section of code where Fog parses the command line, then loads internal configuration:

We noticed that Fog will quietly exit out if no parameters are passed, but will log debug messages to a dropped file named DbgLog.sys. This means any sandbox analysis of a Fog sample (like VirusTotal provides) may not exhibit ransom behavior if no parameters are passed, but the dropping of the debug log file will work as a malware corpus search, or a threat hunt. This type of search, paired with the Yara rule mentioned above, both leveraged in VirusTotal yielded the following additional 12 Fog samples:

This was more than enough samples to start studying them as a group, so we started looking for similarities and differences between all these samples. VirusTotal provides a very helpful feature where you can select a group of files and show byte patterns that are present in multiple files in your selection. After some time, we identified four byte patterns that showed up in the seven samples we were comparing. A search through the code revealed those byte patterns to be related to the part of the Fog locker code that unpacks its internal configuration settings into memory.

The four byte patterns that show up in this small but important section of code can function as a sort of fingerprint for identifying Fog samples, so we created a Yara rule and are using it to monitor VirusTotal submissions for new Fog samples.

Interestingly, this rule also started detecting the Fog unlockers, which at time of writing, are not tagged by AV vendors as Fog samples. Generally, if a company pays the ransom in order to get an unlocker to free their data, they will not show up in the Fog leak site. Tracking these unlockers is also useful, as it can give us a rough (but imperfect) sense of possible non-public Fog cases in the wild. Below is a list of the unlockers this search rule has found:

Timeline

As of 10-22-2024 FOG has published 32 different companies, releasing this leak data on their blog.