| Category | Details |
|---|---|
| Threat Actors | Fog ransomware group |
| Campaign Overview | Emerged in May 2024; targets the education sector in the U.S., gaining initial access with compromised VPN credentials. |
| Target Regions | Primarily education institutions in the United States. |
| Methodology | Initial access via compromised VPN credentials; lateral movement over RDP and SMB; AnyDesk and SplashTop for remote access, Nmap for network reconnaissance. |
| Systems Targeted | VPN appliances (initial access), domain controllers, Windows servers running Hyper-V, internal SMB shares; stolen data is uploaded to MEGA cloud storage. |
| Malware Reference | Encrypted files receive the .flocked extension; ransom notes are named readme.txt. |
| Tools Used | AnyDesk and SplashTop (remote access/C2), Nmap (scanning), Responder (credential capture for NTLM relay); legitimate administrative tools are reused so the activity blends in with normal traffic. |
| Vulnerabilities Exploited | No specific software vulnerability is listed; the intrusion relies on compromised VPN credentials, NTLM relay attacks, and SMB/RDP reachability for lateral movement. |
| TTPs | Double extortion (data exfiltration plus encryption); rapid encryption (about 2 hours); NTLM relay attacks; use of administrator credentials. |
| Attribution | Fog ransomware group; the techniques overlap with those used by Akira, LockBit, and Black Basta, but no firm link is asserted. |
| Recommendations | Enable autonomous response tooling; monitor for unusual SMB and RDP activity (one host reaching many peers in a short window); secure VPN credentials (rotate exposed ones, enforce MFA); block or alert on outbound traffic to consumer cloud storage such as MEGA. |
Source | Darktrace |
Read full article: Lifting the Fog: Darktrace’s Investigation into Fog Ransomware | Darktrace Blog
Disclaimer: The above summary has been generated by an AI language model.
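As an added example (not code from the Darktrace post or from the summary above), the following Python script turns the table's indicators into three simple detections run over a constructed log: hosts writing many .flocked files or dropping readme.txt into several directories, one source opening SMB/RDP sessions to many internal peers within a short window, and outbound flows to MEGA. The log format, host names, IP addresses, the list of MEGA hostnames and all thresholds are assumptions for the illustration; only the indicators themselves (.flocked, readme.txt, SMB/RDP lateral movement, MEGA exfiltration) come from the summary.

```python
"""Heuristic detections for the Fog ransomware behaviours listed in the summary.

Added example, not Darktrace's code. Log format, hosts, addresses and thresholds
are constructed; only the indicators come from the summary table.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_SUFFIX = ".flocked"               # suffix Fog appends to encrypted files
RANSOM_NOTE = "readme.txt"                  # ransom note file name
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz")   # assumption: MEGA hostnames to watch
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}   # protocols the summary names for lateral movement

# Thresholds are assumptions for this example; tune them to your environment.
FLOCKED_MIN_FILES = 5                 # encrypted files seen on one host
NOTE_MIN_DIRS = 3                     # distinct directories receiving a ransom note
LATERAL_MIN_PEERS = 5                 # distinct SMB/RDP targets from one source
LATERAL_WINDOW = timedelta(minutes=10)

# Constructed sample log: "<ISO timestamp> <kind> key=value ..." (values contain no spaces).
SAMPLE_LOG = r"""
2024-05-20T01:55:00 conn src=10.0.5.40 dst=10.0.5.21 dport=445 bytes_out=512
2024-05-20T02:00:00 conn src=10.0.5.17 dst=10.0.5.21 dport=445 bytes_out=2048
2024-05-20T02:00:30 conn src=10.0.5.17 dst=10.0.5.22 dport=445 bytes_out=2048
2024-05-20T02:01:00 conn src=10.0.5.17 dst=10.0.5.23 dport=3389 bytes_out=4096
2024-05-20T02:01:30 conn src=10.0.5.17 dst=10.0.5.24 dport=445 bytes_out=2048
2024-05-20T02:02:00 conn src=10.0.5.17 dst=10.0.5.25 dport=3389 bytes_out=4096
2024-05-20T02:30:00 conn src=10.0.5.17 dst=mega.nz dport=443 bytes_out=734003200
2024-05-20T02:30:05 conn src=10.0.5.17 dst=g.api.mega.co.nz dport=443 bytes_out=15360000
2024-05-20T03:10:00 file host=hv-01 path=D:\VMs\finance\disk.vhdx.flocked
2024-05-20T03:10:01 file host=hv-01 path=D:\VMs\finance\readme.txt
2024-05-20T03:10:02 file host=hv-01 path=D:\VMs\hr\disk.vhdx.flocked
2024-05-20T03:10:03 file host=hv-01 path=D:\VMs\hr\readme.txt
2024-05-20T03:10:04 file host=hv-01 path=D:\VMs\lms\disk.vhdx.flocked
2024-05-20T03:10:05 file host=hv-01 path=D:\VMs\lms\config.xml.flocked
2024-05-20T03:10:06 file host=hv-01 path=D:\VMs\lms\readme.txt
2024-05-20T03:10:07 file host=hv-01 path=\\fs-02\shares\grades\2024.xlsx.flocked
2024-05-20T03:11:00 file host=ws-07 path=C:\Users\jdoe\Documents\readme.txt
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' and the event 'kind'."""
    ts, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.strip().splitlines()]


def detect_encryption(events):
    """Hosts writing many .flocked files or dropping readme.txt into several directories.

    Returns (host, flocked_count, note_dir_count) for each host over threshold."""
    flocked = defaultdict(int)
    note_dirs = defaultdict(set)
    for ev in events:
        if ev["kind"] != "file":
            continue
        path = ev["path"].replace("\\", "/").lower()   # normalise Windows and UNC paths
        directory, _, name = path.rpartition("/")
        if name.endswith(ENCRYPTED_SUFFIX):
            flocked[ev["host"]] += 1
        elif name == RANSOM_NOTE:
            note_dirs[ev["host"]].add(directory)
    alerts = []
    for host in sorted(set(flocked) | set(note_dirs)):
        if flocked[host] >= FLOCKED_MIN_FILES or len(note_dirs[host]) >= NOTE_MIN_DIRS:
            alerts.append((host, flocked[host], len(note_dirs[host])))
    return alerts


def detect_lateral_movement(events):
    """One source opening SMB/RDP to many distinct hosts inside LATERAL_WINDOW.

    Returns (src, distinct_peers, protocols) once per offending source."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "conn" and int(ev["dport"]) in LATERAL_PORTS:
            by_src[ev["src"]].append((ev["ts"], ev["dst"], LATERAL_PORTS[int(ev["dport"])]))
    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (ts, _, _) in enumerate(conns):
            window = [c for c in conns[:i + 1] if ts - c[0] <= LATERAL_WINDOW]
            peers = {c[1] for c in window}
            if len(peers) >= LATERAL_MIN_PEERS:
                alerts.append((src, len(peers), "/".join(sorted({c[2] for c in window}))))
                break   # one alert per source is enough
    return alerts


def is_exfil_host(name):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in EXFIL_DOMAINS)


def detect_exfiltration(events):
    """Outbound bytes per (src, MEGA hostname); MEGA is the exfiltration service named above."""
    totals = defaultdict(int)
    for ev in events:
        if ev["kind"] == "conn" and is_exfil_host(ev["dst"]):
            totals[(ev["src"], ev["dst"].lower())] += int(ev.get("bytes_out", 0))
    return sorted(totals.items())


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    return {
        "encryption": detect_encryption(events),
        "lateral": detect_lateral_movement(events),
        "exfil": detect_exfiltration(events),
    }


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, alerts)
```

In the sample log the Hyper-V host hv-01 trips the encryption rule (five .flocked files, notes in three directories), 10.0.5.17 trips the lateral-movement rule by reaching five peers over SMB and RDP within two minutes, and the same source shows about 750 MB sent to MEGA; the workstation ws-07 and the single SMB session from 10.0.5.40 stay below threshold. Real deployments would feed these rules from EDR file events and NetFlow/Zeek connection logs instead of the inline string.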