Friday, October 18, 2024

Fog Ransomware Group Transforming into a Broad-Spectrum Threat

The Fog ransomware group has significantly increased its attack frequency and is now focusing on more lucrative sectors in its relentless pursuit of financial gain. This shift may position them as one of the more prominent cybercrime organizations, according to insights shared by incident responders from Adlumin.

Recently, the Adlumin incident response team assisted an unnamed mid-sized financial services firm in the U.S. during an attempted Fog ransomware attack that targeted data on both Windows and Linux endpoints. Fortunately, the attack was successfully thwarted thanks to Adlumin’s technology, which employs “decoy” files to identify ransomware activity on a network before it can execute. Within minutes, the affected systems were isolated, and the attackers were locked out.
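The decoy-file approach the article credits for stopping this intrusion can be reduced to a small loop: plant files no legitimate user or backup job should touch, baseline their hashes, and treat any change as encryption in progress. The following is an added illustration written for this page, not Adlumin's product code; the decoy names, the directory layout and the simulated encryptor are assumptions.

```python
"""Decoy ("canary") file monitor. Added illustration, not Adlumin's code:
plant files that nothing legitimate should touch, baseline their hashes,
and treat any change as probable encryption in progress. Decoy names and
the monitored directory are assumptions."""
import hashlib
import tempfile
from pathlib import Path

# Names chosen to look valuable to an encryptor walking the share (assumed)
DECOY_NAMES = ["~$Budget_FY24.xlsx", "passwords_backup.txt", "Q3_payroll.docx"]
# Extensions the article reports Fog appending to encrypted files
RANSOM_EXTENSIONS = {".fog", ".flocked"}


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: str) -> dict:
    """Write the decoys and return a {path: sha256} baseline to monitor against."""
    baseline = {}
    for name in DECOY_NAMES:
        p = Path(root) / name
        p.write_bytes(f"decoy document {name}\n".encode() * 32)
        baseline[str(p)] = _sha256(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare the decoys against the baseline; any difference is an alert.

    A decoy that vanished is searched for under its original name plus an
    appended extension, the rename pattern most encryptors use."""
    alerts = []
    for path_str, digest in baseline.items():
        p = Path(path_str)
        if p.exists():
            if _sha256(p) != digest:
                alerts.append({"kind": "modified", "path": path_str,
                               "new_names": [], "ransom_ext": False})
            continue
        renamed = [c for c in p.parent.iterdir() if c.name.startswith(p.name)]
        alerts.append({
            "kind": "renamed" if renamed else "missing",
            "path": path_str,
            "new_names": sorted(c.name for c in renamed),
            "ransom_ext": any(c.suffix.lower() in RANSOM_EXTENSIONS for c in renamed),
        })
    return alerts


def respond(alerts: list) -> str:
    """Decide the response: any touched decoy means isolate the host; a Fog
    extension adds the family attribution. Driving the EDR is out of scope."""
    if not alerts:
        return "no_action"
    if any(a["ransom_ext"] for a in alerts):
        return "isolate_host:suspected_fog"
    return "isolate_host:ransomware_like_activity"


def simulate_encryptor(root: str) -> None:
    """Constructed stand-in for an encryptor: scrambles every file in the
    directory and appends .FOG. The XOR is a toy, not Fog's actual scheme."""
    for p in list(Path(root).iterdir()):
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
        p.rename(p.with_name(p.name + ".FOG"))


def demo() -> dict:
    """Baseline, verify clean, run the simulated encryptor, re-check."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_decoys(root)
        clean = check_decoys(baseline)
        simulate_encryptor(root)
        after = check_decoys(baseline)
    return {"clean": clean, "after": after,
            "clean_action": respond(clean), "action": respond(after)}


if __name__ == "__main__":
    result = demo()
    for alert in result["after"]:
        print(alert)
    print(result["action"])
```

In production the check runs on a filesystem-change notification rather than on a timer, and the decoys are spread across the shares an encryptor enumerates first; the point of the example is that the decision to isolate needs no signature of the malware, only evidence that something is rewriting files it has no business touching.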

Will Ledesma, senior director of managed detection and response at Adlumin, noted that this attack was particularly significant because it marked a shift in the Fog group’s traditional target selection. “Historically, the Fog Ransomware group has primarily attacked organizations in the education and recreational sectors, but now they are pursuing more profitable targets within the financial services industry,” he explained.

Adlumin characterizes Fog as a variant of the STOP/DJVU ransomware family that has been circulating for about three years. A typical intrusion begins with compromised VPN credentials, which give the operators a foothold inside the network; from there they use pass-the-hash to obtain administrative access. Before encrypting, they disable security tooling and delete backups to hinder recovery, and they encrypt the highest-value files, such as virtual machine disks (VMDKs), first. Encrypted files are typically given the extension .FOG or .FLOCKED, and, like other gangs, the group negotiates with victims over Tor.
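Each of the behaviours above leaves a trace in ordinary endpoint telemetry, and the pattern is easiest to see when the rules are written down and run over sample events. The following is an added example for this page, not a vendor rule set: the event schema and host names are assumed, the telemetry is constructed, and the vssadmin/wbadmin/wmic patterns are common Windows shadow-copy and backup-catalog deletion commands that the article itself does not name.

```python
"""Detection rules for the Fog behaviours the article lists (backup deletion,
early encryption of VM disks, the .FOG/.FLOCKED extensions) run over
constructed endpoint telemetry. Added example, not a vendor rule set. The
event schema is assumed; the vssadmin/wbadmin/wmic patterns are common
backup-deletion commands, not ones the article names."""
import json
import re

RANSOM_EXTENSIONS = (".fog", ".flocked")
VM_DISK_EXTENSIONS = (".vmdk",)
# Processes allowed to write VM disks on a hypervisor host (assumed allowlist)
KNOWN_VM_PROCESSES = {"vmx", "vmware-vmx", "vmware-vmx.exe", "vmware-hostd.exe"}
BACKUP_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]

# Constructed telemetry (JSON lines). Includes one benign rename and one
# legitimate VM-disk write so the rules have something to ignore.
TELEMETRY = r"""
{"ts":"2024-10-01T02:14:03Z","host":"fs01","type":"process","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2024-10-01T02:14:05Z","host":"fs01","type":"file_rename","image":"C:\\Users\\Public\\locker.exe","old":"D:\\Shares\\Finance\\ledger.xlsx","new":"D:\\Shares\\Finance\\ledger.xlsx.FOG"}
{"ts":"2024-10-01T02:14:06Z","host":"esx-ds","type":"file_write","image":"/tmp/locker","path":"/vmfs/volumes/ds1/dc01/dc01-flat.vmdk"}
{"ts":"2024-10-01T02:14:07Z","host":"fs01","type":"file_rename","image":"C:\\Program Files\\7-Zip\\7z.exe","old":"D:\\archive.7z.tmp","new":"D:\\archive.7z"}
{"ts":"2024-10-01T02:14:08Z","host":"esx-ds","type":"file_write","image":"/bin/vmx","path":"/vmfs/volumes/ds1/web01/web01-flat.vmdk"}
""".strip()


def _basename(image: str) -> str:
    """Last path component, tolerant of both Windows and POSIX separators."""
    return re.split(r"[\\/]", image)[-1].lower()


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Apply the three rules; returns one alert dict per matching event."""
    alerts = []
    for e in events:
        base = {"host": e["host"], "ts": e["ts"]}
        if e["type"] == "process" and any(p.search(e.get("cmdline", "")) for p in BACKUP_DELETION):
            alerts.append({**base, "rule": "backup_deletion", "detail": e["cmdline"]})
        elif e["type"] == "file_rename" and e["new"].lower().endswith(RANSOM_EXTENSIONS):
            alerts.append({**base, "rule": "ransom_extension",
                           "detail": f'{_basename(e["image"])} -> {e["new"]}'})
        elif (e["type"] == "file_write"
              and e["path"].lower().endswith(VM_DISK_EXTENSIONS)
              and _basename(e["image"]) not in KNOWN_VM_PROCESSES):
            alerts.append({**base, "rule": "vm_disk_write_by_unknown_process",
                           "detail": f'{_basename(e["image"])} wrote {e["path"]}'})
    return alerts


def triage(alerts: list) -> dict:
    """Per host: two distinct rules firing means isolate now, one means investigate.
    With a short intrusion-to-encryption window there is no time for a longer chain."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a["host"], set()).add(a["rule"])
    return {h: ("isolate" if len(r) >= 2 else "investigate") for h, r in rules_by_host.items()}


if __name__ == "__main__":
    found = detect(load_events(TELEMETRY))
    for a in found:
        print(a)
    print(triage(found))
```

The rename rule is the cheapest and fires only once encryption has started, which is why the backup-deletion and VM-disk rules matter: on a real timeline they precede the first .FOG file, and a host that trips two of the three in quick succession is the one to cut off the network first.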

Ledesma noted that no direct links to established threat actors have been found, which suggests Fog may be a new, highly skilled group. In the incident Adlumin responded to, investigators traced the entry point to an unprotected system, with the IP addresses involved linked to Moscow, although geolocation alone does not establish where the group actually operates.

The Arctic Wolf research team is also monitoring Fog and has noted an unusually short time frame between initial intrusion and encryption, deviating from typical ransomware behavior. In a June analysis, they indicated that “the threat actors seem more focused on a quick payout rather than executing a complex attack involving data exfiltration and high-profile leaks.” However, it’s important to recognize that the group does operate a leak site.

These observations align with Adlumin’s assessment that the Fog group is now targeting more financially rewarding opportunities, having previously specialized in attacks on educational institutions. As a result, it’s essential for corporate defenders to remain vigilant about the rising threat posed by Fog, particularly by ensuring the security of off-site backup systems along with implementing robust defense-in-depth strategies.

For a more comprehensive analysis, including additional recommendations for detection and remediation, Ledesma’s complete write-up for Adlumin is available here.