NEW RANSOMWARE VARIANT FOG LINKED TO AKIRA
Key Takeaways
Fog first emerged in April 2024
Linked to an Akira affiliate through infrastructure analysis
Double extortion (encryption plus data exfiltration) is used in some, but not all, incidents
Initial access via VPN gateways using compromised user credentials
What We Know About Fog
Fog emerged in April 2024, initially targeting the Education sector, but has since branched out into other sectors. Fog ransomware targets Microsoft Windows systems, with the option to carry out file-based encryption on servers, endpoints and network drives, and the operators also maintain a ransomware binary for VMware ESXi hypervisors. During the encryption routine the extensions “.flocked” (Windows) and “.fog” (ESXi) are appended to encrypted files, and a log file ‘DbgLog.sys’ and ransom notes named ‘readme.txt’ are written as encryption proceeds.
The initial access vector is VPN remote services, authenticated with compromised user account credentials. Once authenticated, Fog conducts network scanning and SMB enumeration and attempts privilege escalation, including but not limited to exploitation of CVE-2020-1472 (Zerologon).
Once domain access is gained, further reconnaissance is conducted to map out the IT network and identify file storage repositories. In some cases data exfiltration has been identified via Rclone, with data transferred to external cloud storage providers such as MEGA.
Fog operators leverage the popular remote access tools AnyDesk and RustDesk for persistence, tool transfer and command and control over compromised hosts. To date, Kivu have identified the use of RustDesk by only one other ransomware group: Akira.
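As an added example (not Kivu's tooling and not part of the original report), the following Python script runs the host-based indicators from this section over constructed, Sysmon-style process-creation and file-creation events: Rclone transferring data to a cloud remote (the OriginalFileName field still reads rclone.exe when the binary has been renamed, which is why the script checks it rather than the image path), AnyDesk or RustDesk execution, and the ".flocked"/".fog" extensions, DbgLog.sys and readme.txt artefacts. Host names, file paths, field names and the events themselves are constructed for the example.

```python
"""Triage constructed endpoint telemetry for the Fog tradecraft described above.

Added example, not Kivu's tooling. Events are constructed Sysmon-style records
reduced to dicts: id 1 = process creation (image, original_file_name, cmdline),
id 11 = file creation (target). Hosts, paths and field names are assumptions.
"""
import re
from collections import defaultdict

REMOTE_ACCESS_TOOLS = {"anydesk.exe", "rustdesk.exe"}   # T1219
ENCRYPTED_EXTENSIONS = (".flocked", ".fog")             # Windows / ESXi encryptor
ENCRYPTOR_LOG = "dbglog.sys"
RANSOM_NOTE = "readme.txt"
# rclone addresses cloud storage as "<remote>:<path>". Remote names are chosen
# by the operator (a MEGA remote may be called anything in rclone.conf), so
# match any 2+ character token before a colon; a lone letter before ":\" is a
# Windows drive, not a remote.
RCLONE_REMOTE = re.compile(r"(?<![\w\\.])([A-Za-z0-9_-]{2,}):(?!\\)")
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}

# Constructed sample telemetry (not from a real case).
SAMPLE_EVENTS = [
    {"id": 1, "host": "FS01", "image": r"C:\Users\Public\svchost.exe",
     "original_file_name": "rclone.exe",
     "cmdline": r"svchost.exe copy D:\Shares\Finance mega:backup --transfers 32"},
    {"id": 1, "host": "WS07", "image": r"C:\Program Files\RustDesk\rustdesk.exe",
     "original_file_name": "rustdesk.exe", "cmdline": "rustdesk.exe --service"},
    {"id": 1, "host": "WS07", "image": r"C:\Windows\System32\cmd.exe",
     "original_file_name": "Cmd.Exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 11, "host": "FS01", "target": r"D:\Shares\Finance\Q1.xlsx.flocked"},
    {"id": 11, "host": "FS01", "target": r"D:\Shares\Finance\Q2.xlsx.flocked"},
    {"id": 11, "host": "FS01", "target": r"D:\Shares\Finance\readme.txt"},
    {"id": 11, "host": "FS01", "target": r"C:\DbgLog.sys"},
    {"id": 11, "host": "WS07", "target": r"C:\Users\bob\Documents\readme.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_rclone_exfil(ev):
    """rclone moving data to a cloud remote (T1567.002); renamed binary adds T1036.005.

    OriginalFileName comes from the PE version resource and survives renaming.
    """
    if ev.get("id") != 1 or ev.get("original_file_name", "").lower() != "rclone.exe":
        return None
    cmdline = ev.get("cmdline", "")
    verbs = {a.lower() for a in cmdline.split()[1:]} & RCLONE_TRANSFER_VERBS
    remotes = [m.group(1) for m in RCLONE_REMOTE.finditer(cmdline)]
    if not verbs or not remotes:
        return None
    techniques = ["T1567.002"]
    if basename(ev.get("image", "")) != "rclone.exe":
        techniques.append("T1036.005")
    return {"host": ev["host"], "techniques": techniques,
            "detail": f"rclone {sorted(verbs)[0]} to remote(s) {remotes} via {ev.get('image')}"}


def detect_remote_access_tool(ev):
    """AnyDesk/RustDesk execution (T1219), by image name or OriginalFileName."""
    if ev.get("id") != 1:
        return None
    name, orig = basename(ev.get("image", "")), ev.get("original_file_name", "").lower()
    if name in REMOTE_ACCESS_TOOLS or orig in REMOTE_ACCESS_TOOLS:
        return {"host": ev["host"], "techniques": ["T1219"],
                "detail": f"remote access tool {orig or name}: {ev.get('cmdline', '')}"}
    return None


def detect_encryption_artifacts(events):
    """Per-host encryptor artefacts (T1486).

    A file called readme.txt is too generic on its own, so notes are only
    reported alongside the appended extension or the DbgLog.sys log file.
    """
    per_host = defaultdict(lambda: {"encrypted": 0, "notes": 0, "log": False})
    for ev in events:
        if ev.get("id") != 11:
            continue
        name, stats = basename(ev["target"]), per_host[ev["host"]]
        if name.endswith(ENCRYPTED_EXTENSIONS):
            stats["encrypted"] += 1
        elif name == ENCRYPTOR_LOG:
            stats["log"] = True
        elif name == RANSOM_NOTE:
            stats["notes"] += 1
    return [{"host": h, "techniques": ["T1486"],
             "detail": f"{s['encrypted']} encrypted file(s), {s['notes']} ransom note(s), "
                       f"DbgLog.sys={'yes' if s['log'] else 'no'}"}
            for h, s in sorted(per_host.items()) if s["encrypted"] or s["log"]]


def triage(events):
    """Run every rule and return findings sorted by host and technique."""
    findings = [hit for ev in events
                for hit in (detect_rclone_exfil(ev), detect_remote_access_tool(ev)) if hit]
    findings.extend(detect_encryption_artifacts(events))
    return sorted(findings, key=lambda f: (f["host"], f["techniques"][0]))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], ",".join(f["techniques"]), "-", f["detail"])
```

On the constructed sample, the script reports FS01 for both the renamed Rclone transfer to a remote and the encryptor artefacts, and WS07 only for RustDesk; the lone readme.txt on WS07 does not fire, which is the intended behaviour of the note rule. To run this against real data, map Sysmon Event ID 1 and 11 fields onto the same dict keys.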
Linking Fog to Akira
Having first emerged in March 2023, Akira’s Ransomware-as-a-Service (RaaS) operation has quickly risen to become one of the most dominant programs currently active, conducting double extortion against its victims.
Through Kivu’s forensic investigations, threat actor negotiations and threat intelligence research involving both Akira and Fog, we have linked separate Fog and Akira incidents based on the infrastructure leveraged by the threat actor(s) during the intrusions.
Currently it is not known whether an Akira affiliate is working for both Akira and Fog, or whether Fog is a new variant established by that affiliate. However, throughout 2024 Kivu have observed more established RaaS groups splinter and affiliates migrate to less well-known or newly emerging independent ransomware groups. This is believed to be primarily due to the recent disruption action taken by law enforcement against established groups such as ALPHV/BlackCat and LockBit.
Attack Tactics, Techniques & Procedures
Initial Access:
• T1078.001 - Valid Accounts: Default Accounts
• T1133 - External Remote Services
Execution:
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Persistence:
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1543.003 - Create or Modify System Process: Windows Service
Privilege Escalation:
• T1068 - Exploitation for Privilege Escalation
• T1098 - Account Manipulation
Defense Evasion:
• T1036.005 - Masquerading: Match Legitimate Name or Location
• T1036.004 - Masquerading: Masquerade Task or Service
• T1070.004 - Indicator Removal: File Deletion
• T1562.001 - Impair Defenses: Disable or Modify Tools
• T1622 - Debugger Evasion
Credential Access:
• T1003.003 - OS Credential Dumping: NTDS
• T1552.001 - Unsecured Credentials: Credentials In Files
Discovery:
• T1046 - Network Service Discovery
• T1135 - Network Share Discovery
Lateral Movement:
• T1021.001 - Remote Services: Remote Desktop Protocol
• T1021.002 - Remote Services: SMB/Windows Admin Shares
• T1021.004 - Remote Services: SSH
• T1570 - Lateral Tool Transfer
Command and Control:
• T1219 - Remote Access Software
• T1105 - Ingress Tool Transfer
Exfiltration:
• T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact:
• T1486 - Data Encrypted for Impact
• T1489 - Service Stop
• T1490 - Inhibit System Recovery
Using Rclone for data exfiltration is a tactic we’re seeing more often. It’s concerning how quickly they can transfer massive amounts of data to services like MEGA. Monitoring outbound traffic should be a priority.