A new ransomware operation has been performing old-fashioned ransomware attacks, locking up data in virtual environments to earn quick payouts. Researchers from Arctic Wolf first spotted the group they call "Fog" on May 2, according to a newly released report. Through May 23, Fog performed relatively standard-fare ransomware attacks: quickly infiltrating and encrypting data stored in virtualization environments, leaving a ransom note, but not exfiltrating anything.

Fog attacks typically begin with stolen virtual private network (VPN) credentials, an increasingly popular means of initial access into sizable organizations. The group has exploited two different VPN gateway vendors thus far, which Arctic Wolf has declined to name. In one case, for example, Fog passed the hash to compromise administrator accounts in its target's network.

It then used the accounts to establish a remote desktop protocol (RDP) connection with Windows servers running the Hyper-V hypervisor and Veeam data protection software. Other common Fog tactics, techniques, and procedures (TTPs) include credential stuffing, using native Windows and open source tools like Metasploit and PsExec, disabling Windows Defender, and using Tor to communicate with victims. Contrary to recent trends, Fog does not exfiltrate the data it encrypts.

It does not operate a leak site, perform double or triple extortion, or anything of the sort. "Considering the short duration between initial intrusion and encryption, the threat.