"New Fog Ransomware Targets US Education Sector Via Breached VPNs"

According to security researchers at Arctic Wolf Labs, a new ransomware operation named "Fog," launched in early May 2024, is using compromised VPN credentials to breach the networks of educational organizations in the U.S. The ransomware operation has not yet set up an extortion portal, and data has not been observed being stolen. During attacks, the researchers noted that Fog's operators accessed victim environments using compromised VPN credentials from at least two different VPN gateway vendors. Once inside the internal network, the attackers perform "pass-the-hash" attacks against administrator accounts, then use those accounts to establish RDP connections to Windows servers running Hyper-V. The researchers noted that on Windows servers, Fog operators disable Windows Defender to prevent alerts from reaching the victim before executing the encrypter. When the ransomware is deployed, it performs Windows API calls to gather information about the system, such as the number of available logical processors, which it uses to allocate threads for a multi-threaded encryption routine. Before starting encryption, the ransomware terminates a list of processes and services taken from a hardcoded list in its configuration. The ransomware encrypts VMDK files in Virtual Machine (VM) storage and deletes backups from Veeam object storage as well as Windows volume shadow copies to prevent easy restoration.
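The chain summarized above leaves several host-level traces a defender can alert on before encryption starts: NTLM network logons from one admin account fanning out to many hosts (the pass-the-hash stage), Defender real-time protection being switched off, and shadow copy or Veeam backup tampering from the command line. The script below is an added illustration, not code from Arctic Wolf Labs or BleepingComputer. The event records are constructed to mimic normalized Windows Security (4624, 4688) and Defender (5001) events, and the fan-out threshold, the command-line patterns and the `VeeamBackupSvc` service name in the sample are assumptions to be tuned against real telemetry.

```python
"""Detection sketch for the host-level behaviours described in the Fog summary.

Added example: the events below are constructed, and the thresholds and
regular expressions are assumptions a defender would tune per environment.
"""
import re
from collections import defaultdict

# Constructed sample events in a simplified, SIEM-normalized dict form.
# Event IDs used:
#   4624  successful logon; LogonType 3 (network) with NTLM from one source
#         to many hosts is the classic pass-the-hash fan-out signal
#   4688  process creation with command line
#   5001  Microsoft Defender real-time protection disabled
SAMPLE_EVENTS = [
    {"id": 4624, "host": "HV-01", "user": "CORP\\svc_admin", "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "HV-02", "user": "CORP\\svc_admin", "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "FS-01", "user": "CORP\\svc_admin", "logon_type": 3, "auth": "NTLM", "src_ip": "10.0.5.23"},
    {"id": 4624, "host": "WS-07", "user": "CORP\\jdoe", "logon_type": 2, "auth": "Kerberos", "src_ip": "10.0.9.40"},
    {"id": 5001, "host": "HV-01", "user": "CORP\\svc_admin"},
    {"id": 4688, "host": "HV-01", "user": "CORP\\svc_admin", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "host": "HV-01", "user": "CORP\\svc_admin", "cmdline": "net stop VeeamBackupSvc"},  # constructed
    {"id": 4688, "host": "WS-07", "user": "CORP\\jdoe", "cmdline": "notepad.exe C:\\notes.txt"},
]

# Assumption: one account from one source reaching >= 3 hosts over NTLM is suspicious.
PTH_MIN_HOSTS = 3

# Assumption: command lines that remove shadow copies or touch Veeam components.
BACKUP_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|veeam",
    re.IGNORECASE,
)


def detect_pass_the_hash(events):
    """Group NTLM network logons by (account, source IP) and flag fan-out."""
    fanout = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"].upper() == "NTLM":
            fanout[(e["user"], e["src_ip"])].add(e["host"])
    return {key: sorted(hosts) for key, hosts in fanout.items() if len(hosts) >= PTH_MIN_HOSTS}


def detect_defender_disabled(events):
    """Every 5001 event is worth a ticket on a server; return (host, user) pairs."""
    return [(e["host"], e["user"]) for e in events if e["id"] == 5001]


def detect_backup_tampering(events):
    """Return (host, cmdline) for process creations matching BACKUP_TAMPER."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["id"] == 4688 and BACKUP_TAMPER.search(e["cmdline"])]


def score_hosts(events):
    """Map each host to the sorted set of indicator names observed on it."""
    indicators = defaultdict(set)
    for hosts in detect_pass_the_hash(events).values():
        for host in hosts:
            indicators[host].add("pth_fanout_target")
    for host, _user in detect_defender_disabled(events):
        indicators[host].add("defender_disabled")
    for host, _cmd in detect_backup_tampering(events):
        indicators[host].add("backup_tampering")
    return {host: sorted(names) for host, names in indicators.items()}


def high_confidence_hosts(events, min_indicators=2):
    """Hosts showing two or more distinct stages of the chain, sorted by name."""
    return sorted(h for h, names in score_hosts(events).items() if len(names) >= min_indicators)


if __name__ == "__main__":
    for host, names in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(names)}")
    print("high confidence:", high_confidence_hosts(SAMPLE_EVENTS))
```

Each detector is a useful alert on its own, but the combination matters most: a single Hyper-V host that is both a pass-the-hash fan-out target and the origin of Defender tampering and shadow-copy deletion is where the encryptor is about to run, so that is the host to isolate first.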


BleepingComputer reports: "New Fog Ransomware Targets US Education Sector Via Breached VPNs"

Submitted by Adam Ekwall on