Fog Ransomware – Technical Analysis

Tags

External References

• https://darkatlas.io/
• https://otx.alienvault.com/

Description

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. It uses debug messages, dynamically loads APIs, and decrypts its configuration from JSON format. The ransomware operates as a multi-threading application, encrypting files and dropping ransom notes in each directory. It utilizes Windows CryptoAPI for cryptographic operations, stops specific services, terminates blacklisted processes, and removes backups. Fog also employs various MITRE ATT&CK techniques for execution, discovery, defense evasion, and impact.

Date