What is Fog Ransomware?
First observed in 2024, Fog Ransomware quickly became a significant threat. It uses a double extortion model: it encrypts a victim's data and threatens to publish the stolen copy on its dark web leak site if the ransom is not paid.
Its origins have not been publicly confirmed, but security researchers suspect a link to a cybercriminal group based in Eastern Europe. That group's past activity shows a high level of sophistication in developing and deploying malware, which makes Fog a particularly dangerous adversary.
Figure 1: Screenshot of Leak Site used by Fog Ransomware
Fog runs a Tor (.onion) data leak site where it names victims who refuse to pay and publishes their stolen data, adding public pressure to the encryption itself. The ransom note is dropped as a plain text file, typically named "readme.txt" or "bidon_readme.txt", which directs the victim to the operators' Tor negotiation portal and promises a decryptor in exchange for payment.
Figure 2: Screenshot of Ransom Note used by Fog Ransomware
Payment is no guarantee of recovery. Victims who pay may still not receive a working decryptor, and there is no way to verify that the stolen data has been deleted. In practice, many victims have to rebuild their systems and restore data from offline backups.
What are Tactics, Techniques, and Procedures (TTPs) of Fog Ransomware?
Fog ransomware doesn't just rely on brute force; it uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and compromise systems. Here’s a closer look at its malicious strategies:
- Phishing Attacks: Fog frequently uses deceptive emails to trick users into clicking on malicious links or downloading infected attachments. These emails are often disguised as legitimate business messages, increasing the likelihood that recipients will click on them.
- Exploiting Unpatched Vulnerabilities: The ransomware actively targets unpatched software and operating system vulnerabilities to gain unauthorized access to networks. This highlights the importance of keeping all systems up to date with the latest security patches.
- Remote Desktop Protocol (RDP) Exploitation: Like many ransomware strains, Fog can abuse weak RDP deployments. RDP exposed to the internet, protected only by a password and without account lockout or multi-factor authentication, is a common gateway for attackers.
- Supply Chain Attacks: Fog often targets supply chains by compromising vendors or suppliers to gain access to multiple networks. By breaching one supplier, attackers can potentially reach a wide array of victims.
- Lateral Movement: Once Fog gains access to one system, it uses different tools to move across the network, infecting additional devices, escalating privileges, and potentially compromising critical systems.
- Data Exfiltration: Before encrypting files, Fog often steals sensitive data, such as financial records, personal information, or intellectual property. This exfiltrated data is then used as leverage to pressure victims into paying the ransom.
- Strong Encryption: Fog uses standard cryptographic algorithms to lock files, so recovering them without the attackers' key is computationally infeasible. This cripples the victim's operations until a ransom decision is made.
What is the Kill Chain of Fog Ransomware?
Figure 3: Fog Ransomware Kill Chain
Fog Ransomware follows a structured kill chain. Initial access is gained through exposed remote services or valid (often compromised) accounts, followed by network discovery and lateral movement, with tooling transferred between hosts. It harvests credentials through various techniques, establishes persistence by creating new user accounts, and executes its payload under legitimate-looking process names. Defence evasion is a priority: security tooling is disabled and valid credentials are used to blend in with normal activity. Finally, Fog encrypts data, deletes backups to hinder recovery, and stops critical services, maximising impact and coercing victims into paying the ransom. This methodical approach is designed to maximise damage and evade detection, making it a significant threat.
Indicators
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| hxxps://xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion/ | URL (Onion) | Leak site |
| hxxp://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion | URL (Onion) | Leak site |
| hxxp://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd.onion/posts | URL (Onion) | Leak site |
| f7c8c60172f9ae4dab9f61c28ccae7084da90a06 | SHA-1 hash | Malicious file |
| 507b26054319ff31f275ba44ddc9d2b5037bd295 | SHA-1 hash | Malicious file |
| e1fb7d15408988df39a80b8939972f7843f0e785 | SHA-1 hash | Malicious file |
| 83f00af43df650fda2c5b4a04a7b31790a8ad4cf | SHA-1 hash | Malicious file |
| 44a76b9546427627a8d88a650c1bed3f1cc0278c | SHA-1 hash | Malicious file |
| eeafa71946e81d8fe5ebf6be53e83a84dcca50ba | SHA-1 hash | Malicious file |
| 763499b37aacd317e7d2f512872f9ed719aacae1 | SHA-1 hash | Malicious file |
| 3477a173e2c1005a81d042802ab0f22cc12a4d55 | SHA-1 hash | Malicious file |
| 90be89524b72f330e49017a11e7b8a257f975e9a | SHA-1 hash | Malicious file |
Table: Fog Ransomware Indicators of Compromise (IOCs). URLs are defanged (hxxp/hxxps); hashes are SHA-1.
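As an added example (not Red Piranha's code and not part of the original page), the following Python triage helper does two things a responder would want from the material above: it walks a directory tree and flags any file whose SHA-1 matches one of the hashes in the IOC table, and it classifies Windows event records against three of the kill-chain behaviours described (account creation for persistence, backup deletion, and service stopping ahead of encryption). The Windows event IDs used (4720 for account creation, 4688 for process creation), the command-line patterns, the sample events and the sample file are assumptions of this example; the page does not state them.

```python
"""Fog IOC and behaviour triage helper. Added example; all sample data is constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# SHA-1 hashes copied from the IOC table above (40 hex characters => SHA-1).
FOG_SHA1: Set[str] = {
    "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",
    "507b26054319ff31f275ba44ddc9d2b5037bd295",
    "e1fb7d15408988df39a80b8939972f7843f0e785",
    "83f00af43df650fda2c5b4a04a7b31790a8ad4cf",
    "44a76b9546427627a8d88a650c1bed3f1cc0278c",
    "eeafa71946e81d8fe5ebf6be53e83a84dcca50ba",
    "763499b37aacd317e7d2f512872f9ed719aacae1",
    "3477a173e2c1005a81d042802ab0f22cc12a4d55",
    "90be89524b72f330e49017a11e7b8a257f975e9a",
}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, iocs: Set[str] = FOG_SHA1) -> List[Tuple[str, str]]:
    """Return (path, sha1) for every regular file under root whose SHA-1 is in iocs."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digest = sha1_of_file(p)
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


SAMPLE_FILE_BYTES = b"constructed sample file, not a real Fog binary"


def build_sample_tree() -> Path:
    """Create a throwaway directory with one constructed file for a stand-alone run."""
    d = Path(tempfile.mkdtemp(prefix="fog-triage-"))
    (d / "sample.bin").write_bytes(SAMPLE_FILE_BYTES)
    return d


# Behavioural checks mapped from the kill-chain description above. Event IDs and
# command-line patterns are this example's assumptions (Windows Security log: 4720 =
# user account created, 4688 = process created with command line auditing enabled).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
SERVICE_STOP = re.compile(
    r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|Stop-Service)\b", re.I)


def classify_event(event: Dict) -> Optional[str]:
    """Map one event record to a kill-chain stage tag, or None if it is not of interest."""
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    if eid == 4720:
        return "persistence:account-created"
    if eid == 4688 and SHADOW_DELETE.search(cmd):
        return "impact:backup-deletion"
    if eid == 4688 and SERVICE_STOP.search(cmd):
        return "impact:service-stop"
    return None


def triage_events(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Group events by the stage tag they trigger; untagged events are dropped."""
    findings: Dict[str, List[Dict]] = {}
    for ev in events:
        tag = classify_event(ev)
        if tag:
            findings.setdefault(tag, []).append(ev)
    return findings


SAMPLE_EVENTS = [  # constructed records in the shape of Windows Security log fields
    {"EventID": 4624, "CommandLine": "", "Host": "ws01"},
    {"EventID": 4720, "TargetUserName": "svc_backup2", "Host": "dc01"},
    {"EventID": 4688, "CommandLine": "vssadmin.exe delete shadows /all /quiet", "Host": "fs01"},
    {"EventID": 4688, "CommandLine": "net stop MSSQLSERVER /y", "Host": "fs01"},
    {"EventID": 4688, "CommandLine": "notepad.exe readme.txt", "Host": "ws01"},
]

if __name__ == "__main__":
    root = build_sample_tree()
    print("IOC hash hits:", scan_tree(root))          # [] for the constructed sample
    for tag, evs in triage_events(SAMPLE_EVENTS).items():
        print(tag, "->", [e.get("Host") for e in evs])
```

Hash matching only catches the exact samples listed, so treat a miss as no information; the behavioural checks are the ones that generalise across Fog builds, and in a real deployment they would be fed from Sysmon or Security log exports rather than the constructed records here.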
How does Red Piranha Detect and Prevent attacks of Fog Ransomware?
Red Piranha's Crystal Eye, a Threat Detection, Investigation and Response (TDIR) platform, uses a multi-layered defence strategy to detect and prevent the tactics, techniques, and procedures (TTPs) used by Fog Ransomware. By combining threat intelligence, machine learning, proactive monitoring, and Zero Trust principles, the platform covers each stage of Fog's kill chain, supporting rapid detection and prevention.
Crystal Eye monitors email traffic for malicious attachments, links, and patterns consistent with phishing. The system uses heuristic and machine learning-based detection to identify and flag deceptive emails disguised as legitimate business messages.
By integrating threat intelligence feeds, Crystal Eye automatically blocks phishing emails before they reach users, preventing Fog from gaining initial access through deceptive tactics. Additionally, the platform supports user awareness and training initiatives, which help in reducing the likelihood of users falling victim to these deceptive tactics.
The platform actively scans for software vulnerabilities and unpatched systems across the network. It identifies known weaknesses in operating systems and software that Fog may exploit. Crystal Eye integrates with patch management processes to recommend and automate patching of critical vulnerabilities. This reduces the exposure to Fog’s exploitation methods and keeps systems up to date with the latest security patches.
Crystal Eye monitors RDP connections for anomalous behaviour, such as unauthorized login attempts, unusual access patterns, or brute-force activities. These detections are correlated with known attack signatures to ensure timely alerting.
By enforcing strict RDP policies, including multi-factor authentication, IP whitelisting, and session monitoring, Crystal Eye reduces the chances of successful RDP-based attacks. It also identifies misconfigured RDP settings in real time, preventing attackers from exploiting these weaknesses.
Red Piranha’s solution monitors inbound and outbound network traffic to detect unusual or suspicious activities from third-party vendors or partners. Anomalous communications are flagged, and alerts are generated to help contain any threat that might come from a compromised supply chain.
The Zero Trust principles built into Crystal Eye enforce strict access controls, segmenting and isolating critical systems. This segmentation limits the attack surface and exposure to any breach originating from compromised suppliers, reducing Fog’s ability to gain lateral access through supply chains.
Crystal Eye employs behavioural analytics and machine learning to detect lateral movement within the network, identifying abnormal access patterns, privilege escalation, and the use of legitimate tools for malicious activity. It leverages its network detection and response (NDR) capabilities to analyse East-West traffic for signs of Fog’s movement. Additionally, Crystal Eye’s IDPS identifies and counters lateral movement using network traffic analysis, anomaly detection, and response mechanisms.
It enforces micro-segmentation to limit lateral movement and uses access control policies to restrict privilege escalation, ensuring that Fog cannot easily infect additional devices.
Next, it continuously monitors for unusual outbound traffic and large data transfers, which are indicative of data exfiltration attempts. The platform’s anomaly detection identifies uncommon protocols or encrypted channels used by Fog to steal data.
The system can automatically block or quarantine data exfiltration channels in real-time, preventing sensitive information from being transmitted out of the network. By applying network segmentation and access control, it further reduces the risk of data being accessed and exfiltrated.
Crystal Eye’s heuristics and machine learning algorithms detect mass file modifications, rapid encryption activities, and spikes in system resource usage. These indicators are typically associated with ransomware activities and trigger immediate alerts for containment.
By leveraging automated response actions, Crystal Eye halts encryption processes, prevents backup deletion, and keeps critical services intact to ensure operational continuity.
Does detecting malicious activity pose a significant challenge for your organisation?
Crystal Eye, Red Piranha's Threat Detection, Investigation and Response (TDIR) platform, is designed to catch what other products in its class miss by detecting known malware and command-and-control (C2) callouts.
Improve your organisation's security posture and minimise risk to your organisation with our Network Detection and Response program alongside the Managed Detection and Response (MDR) service.