Fog Ransomware – Technical Analysis

Oct. 21, 2024, 11:24 a.m.

Description

A new ransomware called Fog has been identified, affecting education and recreation centers in the United States. The threat actors gain access through compromised VPN credentials, disable Windows Defender, and deploy the ransomware. Fog is a 32-bit EXE file compiled using Microsoft Visual C/C++. It uses debug messages, dynamically loads APIs, and decrypts its configuration from JSON format. The ransomware operates as a multi-threading application, encrypting files and dropping ransom notes in each directory. It utilizes Windows CryptoAPI for cryptographic operations, stops specific services, terminates blacklisted processes, and removes backups. Fog also employs various MITRE ATT&CK techniques for execution, discovery, defense evasion, and impact.

External References

https://darkatlas.io/blog/fog-ransomware-technical-analysis
https://otx.alienvault.com/pulse/671634b51a3f8ca16750edad
Tags
ransomware
windows
encryption
vpn
cryptography
2024-10-21
fog ransomware
file-encryption
multi-threading
process-termination
service-stopping

Date

  • Created: Oct. 21, 2024, 11:02 a.m.
  • Published: Oct. 21, 2024, 11:02 a.m.
  • Modified: Oct. 21, 2024, 11:24 a.m.

Indicators

  • e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3
Download all indicators here!

Attack Patterns

  • Fog Ransomware
  • Fog Ransomware
  • T1135
  • T1490
  • T1059.003
  • T1562.001
  • T1489
  • T1486
  • T1083
  • T1059

Additional Informations

  • Education
  • United States of America