Fog Ransomware – Technical Analysis
Oct. 21, 2024, 11:24 a.m.
Description
Fog is a recently identified ransomware family observed affecting organizations in the education and recreation sectors in the United States. The operators gain initial access with compromised VPN credentials, disable Windows Defender, and then deploy the ransomware. The Fog payload is a 32-bit Windows executable compiled with Microsoft Visual C/C++. It emits debug messages, resolves the Windows APIs it needs dynamically at runtime, and decrypts an embedded configuration stored in JSON format. The ransomware is multi-threaded: it encrypts files and drops a ransom note in each directory it processes. It uses the Windows CryptoAPI for its cryptographic operations, stops specific services, terminates processes on a built-in blocklist, and removes backups to hinder recovery. The observed behaviour maps to MITRE ATT&CK techniques under execution, discovery, defense evasion, and impact.
Date
Published: Oct. 21, 2024, 11:02 a.m.
Created: Oct. 21, 2024, 11:02 a.m.
Modified: Oct. 21, 2024, 11:24 a.m.
Indicators
e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3
Attack Patterns
Fog Ransomware
T1135 (Network Share Discovery)
T1490 (Inhibit System Recovery)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1489 (Service Stop)
T1486 (Data Encrypted for Impact)
T1083 (File and Directory Discovery)
T1059 (Command and Scripting Interpreter)
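The following triage helper is an added example and is not code from the original page or from any Fog analysis; it shows how the SHA-256 indicator and the ATT&CK technique IDs listed above can be turned into concrete checks. The hash hunt uses the indicator exactly as published. The command-line patterns for T1490, T1562.001 and T1489 are generic, widely documented tradecraft for those techniques (shadow-copy deletion, Defender preference tampering, service stops) and are assumptions about how the techniques typically appear in process-creation telemetry, not strings the page attributes to Fog. The sample events are constructed.

```python
"""Triage helpers for the indicator and ATT&CK techniques listed on this page.
Added example, not the page's own code. Command patterns are generic
per-technique assumptions, not Fog-specific strings. Sample data is constructed."""
import hashlib
import re
from pathlib import Path

# SHA-256 indicator from the page's "Indicators" section.
FOG_SHA256 = {"e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3"}

# ASSUMPTION: generic command-line shapes for the listed techniques.
# These describe the techniques in general, not behaviour the page attributes to Fog.
TECHNIQUE_PATTERNS = {
    "T1490": [  # Inhibit System Recovery (backup / shadow copy removal)
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    ],
    "T1562.001": [  # Disable or Modify Tools (Defender tampering)
        re.compile(r"Set-MpPreference\s+.*-Disable\w+", re.I),
        re.compile(r"DisableAntiSpyware", re.I),
    ],
    "T1489": [  # Service Stop
        re.compile(r"\bnet(1)?(\.exe)?\s+stop\s+", re.I),
        re.compile(r"\bsc(\.exe)?\s+stop\s+", re.I),
    ],
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_hashes(root, wanted=FOG_SHA256):
    """Return sorted paths under root whose SHA-256 is in the indicator set."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and sha256_of(p) in wanted:
            hits.append(str(p))
    return sorted(hits)


def classify_command(cmdline):
    """Return the sorted ATT&CK technique IDs whose patterns match a command line."""
    return sorted(
        tech for tech, pats in TECHNIQUE_PATTERNS.items()
        if any(r.search(cmdline) for r in pats)
    )


def triage_events(events):
    """events: iterable of dicts with 'host' and 'cmdline' keys (e.g. parsed
    Sysmon EID 1 / Security 4688 records). Returns (host, technique, cmdline) tuples."""
    findings = []
    for ev in events:
        for tech in classify_command(ev["cmdline"]):
            findings.append((ev["host"], tech, ev["cmdline"]))
    return findings


# Constructed sample telemetry for demonstration; not real Fog incident data.
SAMPLE_EVENTS = [
    {"host": "lab-ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "lab-ws01", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "lab-ws02", "cmdline": 'net stop "SQLSERVERAGENT"'},
    {"host": "lab-ws02", "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"},
]

if __name__ == "__main__":
    for host, tech, cmd in triage_events(SAMPLE_EVENTS):
        print(f"{host}\t{tech}\t{cmd}")
```

In practice the command-line patterns produce benign hits (administrators do stop services and prune shadow copies), so treat a technique match as a pivot for investigation and weight it by co-occurrence with the hash hit, a Defender state change, and mass file renames on the same host within a short window.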
Additional Information
Education
United States of America