New Fog ransomware targets schools via hacked VPNs
A new encryptor was spotted targeting schools
A new ransomware strain has been detected that uses compromised VPN credentials to gain initial access to its victims' networks.
Researchers at Arctic Wolf, who started tracking the ransomware variant in early May 2024, named it Fog. Its victims are mostly educational organizations in the US, with other notable cases in the recreation industry.
So far, Arctic Wolf has observed the attackers using compromised VPN credentials from at least two gateway vendors: “In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials,” Arctic Wolf explained. “Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024.”
Stealing data
After gaining a foothold, the attackers look for more valuable accounts, including ones able to establish Remote Desktop Protocol (RDP) connections. They then disable Windows Defender and lay the groundwork for deploying the encryptor.
Fog also encrypts VMDK files in virtual machine (VM) storage, and it deletes backups from Veeam object storage as well as Windows volume shadow copies, removing the easiest recovery paths before encryption. Encrypted files receive the .FOG extension. Finally, the ransomware drops a note instructing victims how to contact the attackers and negotiate decryption.
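The behaviours above (shadow copy deletion, Defender tampering, files renamed with a .FOG extension) are the kind of signals a defender can hunt for in process-creation telemetry and file listings. The following is an added example written for this page, not code from Arctic Wolf or the article: a small Python detector run over constructed sample log lines. The log format ("timestamp|host|user|command line") is invented, and the command patterns it matches (vssadmin, wmic, Set-MpPreference, the DisableAntiSpyware policy value) are common ways of performing those actions, not commands the article attributes to Fog.

```python
"""Added example: hunt for the post-compromise behaviours the article describes.

This is illustrative detection logic, not Fog's code and not Arctic Wolf's rules.
"""
import re
from typing import Dict, List, Tuple

# Detection rules. The command lines matched here are ASSUMPTIONS: widely used ways
# of deleting shadow copies and disabling Windows Defender, not commands the article
# attributes to Fog.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
    ("defender_tamper",
     re.compile(r"Windows Defender.*DisableAntiSpyware.*\b1\b", re.I)),
]


def classify_command(cmdline: str) -> List[str]:
    """Return the names of rules matched by one command line, deduplicated, in rule order."""
    hits: List[str] = []
    for name, pattern in RULES:
        if pattern.search(cmdline) and name not in hits:
            hits.append(name)
    return hits


def scan_process_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse 'timestamp|host|user|commandline' lines (constructed format) and return findings.

    Malformed lines are skipped rather than aborting the scan, since real telemetry
    feeds routinely contain partial records.
    """
    findings: List[Dict[str, str]] = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        ts, host, user, cmd = parts
        for rule in classify_command(cmd):
            findings.append({"time": ts, "host": host, "user": user, "rule": rule, "cmd": cmd})
    return findings


def find_fog_files(paths: List[str]) -> List[str]:
    """Return paths whose final extension is .FOG (matched case-insensitively)."""
    return [p for p in paths if p.lower().endswith(".fog")]


# Constructed sample telemetry; hostnames, users and timestamps are invented.
SAMPLE_PROCESS_LOG = [
    "2024-05-20T02:13:07Z|FS01|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet",
    "2024-05-20T02:13:09Z|FS01|CORP\\svc_backup|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "2024-05-20T02:14:00Z|FS01|CORP\\jdoe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "garbage line without separators",
]

# Constructed sample file listing from a VM datastore and a file share.
SAMPLE_PATHS = [
    r"D:\VMs\dc01\dc01-flat.vmdk.FOG",
    r"D:\VMs\dc01\dc01.vmx",
    r"C:\Finance\q1.xlsx.fog",
]


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"{f['time']} {f['host']} {f['user']} [{f['rule']}] {f['cmd']}")
    for p in find_fog_files(SAMPLE_PATHS):
        print(f"encrypted artifact: {p}")
```

Two of the four sample lines produce findings (one shadow-copy deletion, one Defender tamper), the benign notepad line produces none, and the malformed line is skipped; the path scan flags the two .FOG files regardless of case. In a real deployment the same rules would be applied to Sysmon Event ID 1 or EDR process-creation events rather than a hand-built list.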
Arctic Wolf did not find evidence of the threat actors exfiltrating sensitive data before running the encryptor, but BleepingComputer reports that exfiltration does occur: the ransom note contains a link to a Tor site where the threat actors share samples of stolen data with victims, demonstrating that they had, in fact, taken sensitive files.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.