Arctic Wolf’s incident response team has identified a new ransomware variant, referred to as Fog — targeting the education and recreation sectors in the US — presumably for easy infection and quicker payday.
Called a ransomware “variant” specifically to distinguish from a “group” or a “gang,” which generally comprises many affiliate parties, the new encryptor software appears to be using compromised VPN credentials to infect and encrypt victim systems.
“On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant,” said an Arctic Wolf report. “All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector.”
The gang or gangs behind the deployment of the variant are still unknown.
Infection through remote access
According to observations, threat actors used compromised VPN credentials to initiate remote access, specifically through two separate VPN gateway vendors Arctic Wolf refrained from identifying, to gain initial entry into victim systems.
Once there, the threat actors run the initialization routine which includes querying system files, volumes, and network resources. Additionally, the actor queries details about the processors used within the system.
“The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available,” Arctic Wolf said. “This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.”
Once critical system information is obtained, encryption is attempted. “Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files,” the report added. “This thread pool uses the logical processor information with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs for CryptImportKey and the CryptEncrypt are called during the process.”
After the encryption is completed, the miscreants leave a ransom note, written to one of the configuration files on the disk, with a usual ‘readme.txt’ name.
The techniques used are amateurish
Observations made by the research team indicate a shared functional code block between various instances of the ransomware payloads, suggesting the involvement of a single threat actor.
The threat actor involved seemed to be looking for a quick payday, forgoing a deeper infection for hefty ransoms. “The threat actors in the cases described here show an interest in rapid encryption of VM storage data and ransom payment for decryption of that data,” the report added. “Diverging from common practice in most ransomware intrusions, the threat actors were not observed to exfiltrate data from hosts being encrypted.”
As its team is privy to the attack techniques, Arctic Wolf has provided a list of indicators of compromise (IoC) for detecting and minimizing the attack radius. Additionally, the security vendor has incorporated targeted detection capabilities within its managed detection and response (MDR) offering which includes detecting three suspicious strings within the PowerShell script block, a Microsoft command-line shell for system administration.