What is Fog ransomware?
Fog ransomware is a new ransomware variant first detected in May 2024. This emerging ransomware threat uses compromised virtual private network (VPN) credentials or system vulnerabilities to gain access to an organization’s network and rapidly encrypt data in an attempt to earn quick payouts.
Fog attacks mirror traditional ransomware attacks in that they follow the standard attack path of enumeration, lateral movement, encryption and extortion. However, unlike most ransomware attacks, early Fog incidents did not exfiltrate data, indicating that the attackers were likely interested in a quick payday, as opposed to a more complex operation.
The earliest Fog attacks also had a relatively narrow scope, with attackers targeting organizations in the education and recreation sectors in the United States. Analysis suggests that these sectors were chosen because of their relatively weak security measures or small security staff, which would make it easier for the actors to go undetected.
In recent months, the Fog variant has evolved. Attackers are now leveraging more sophisticated techniques to escalate privileges and disable security measures. Most notably, more recent attacks have been shown to exfiltrate data, enabling the attackers to leverage “double extortion” techniques, wherein the attackers demand a ransom to be paid to decrypt the data as well as a secondary payment to not release exfiltrated data publicly.
There is also some evidence that new variants of Fog are targeting more lucrative victims, such as organizations in the financial services industry. However, this has not been confirmed. For now, it appears that attackers are more likely to be choosing victims opportunistically, which raises the risk profile for all sectors.
Fog’s evolution and shifting targets underscore the critical need for organizations to strengthen cybersecurity defenses and address known vulnerabilities to mitigate this growing threat and protect against future ransomware evolutions.
Fog ransomware’s key characteristics
Fog ransomware stands out from other ransomware variants due to two distinct characteristics:
1. Advanced encryption techniques
Fog ransomware employs a combination of advanced encryption techniques to lock victims out of their data. Some reports indicate that attackers are leveraging both symmetric encryption algorithms, like Advanced Encryption Standard (AES), to quickly and efficiently encrypt data, and asymmetric algorithms, like RSA (Rivest-Shamir-Adleman), to strengthen the encryption. This combination makes it virtually impossible for organizations to decrypt their data without the key or a flaw in the implementation.
2. Sophisticated evasion techniques
Fog ransomware also employs advanced evasion tactics to bypass traditional security tools and detection mechanisms. These include but are not limited to:
- Fileless execution: Fog attacks deploy malicious code directly in memory. This allows attackers to avoid leaving traces of their presence on the disk, making it difficult for traditional security tools to detect the attack during routine scans.
- Code obfuscation: Fog malware employs code obfuscation techniques to disguise its purpose and activity. This makes it more difficult for signature-based detection systems to recognize its presence.
- Disabling security tools: In past attacks against Windows machines, Fog actors have disabled Windows Defender and other security systems to avoid detection before deploying the ransomware.
- Use of legitimate processes: Fog ransomware frequently leverages legitimate system tools, such as PowerShell or Windows Management Instrumentation (WMI), allowing attackers to masquerade as legitimate users. Since many traditional security tools are not equipped to differentiate between real and malicious users, it can be challenging to detect the presence of a Fog attacker with standard security tools.
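The "disabling security tools" item above is one of the few evasion steps that leaves a reliable trace: Microsoft Defender logs its own shutdown. The following Python script, added here as an illustration and not CrowdStrike's code or anything derived from Fog's tooling, scans a JSON-lines export of the Microsoft-Windows-Windows Defender/Operational channel for the events written when protection is turned off (5001, 5010, 5012, and a 5007 configuration change that sets a Disable* key) and flags hosts where several such events land within a short window. The sample records, hostnames and timestamps are constructed; the export format is an assumption standing in for whatever your SIEM or EDR produces.

```python
"""Spot Microsoft Defender being switched off in an exported event log.

Added example for this article; not CrowdStrike code. Input is a JSON-lines
export of the Microsoft-Windows-Windows Defender/Operational channel; the
records below are constructed for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Event IDs this channel writes when a protection component is turned off.
DISABLE_EVENTS = {
    5001: "real-time protection disabled",
    5010: "antimalware scanning disabled",
    5012: "antivirus scanning disabled",
}
# 5007 is a generic "configuration changed" event. It matters here only when
# the new value sets one of the Disable* policy keys to 1.
CONFIG_CHANGED = 5007

# Constructed sample export (JSON lines); not real telemetry.
SAMPLE_EXPORT = "\n".join(json.dumps(rec) for rec in [
    {"TimeCreated": "2024-11-04T02:11:05Z", "Computer": "WS-042", "Channel": DEFENDER_CHANNEL,
     "EventID": 1001, "Message": "Scan finished."},
    {"TimeCreated": "2024-11-04T02:13:40Z", "Computer": "WS-042", "Channel": DEFENDER_CHANNEL,
     "EventID": 5007, "Message": r"Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"},
    {"TimeCreated": "2024-11-04T02:13:41Z", "Computer": "WS-042", "Channel": DEFENDER_CHANNEL,
     "EventID": 5001, "Message": "Real-time protection is disabled."},
    {"TimeCreated": "2024-11-04T02:13:42Z", "Computer": "WS-042", "Channel": DEFENDER_CHANNEL,
     "EventID": 5010, "Message": "Scanning for malware is disabled."},
    {"TimeCreated": "2024-11-04T09:00:00Z", "Computer": "WS-017", "Channel": DEFENDER_CHANNEL,
     "EventID": 5007, "Message": r"Configuration changed. New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0"},
    {"TimeCreated": "2024-11-04T09:00:01Z", "Computer": "WS-017", "Channel": DEFENDER_CHANNEL,
     "EventID": 5004, "Message": "Real-time protection configuration changed."},
])


def parse_export(text):
    """Parse a JSON-lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def disable_reason(event):
    """Return why this event indicates Defender being turned off, or None."""
    if event.get("Channel") != DEFENDER_CHANNEL:
        return None
    event_id = int(event.get("EventID", 0))
    if event_id in DISABLE_EVENTS:
        return DISABLE_EVENTS[event_id]
    if event_id == CONFIG_CHANGED:
        message = event.get("Message", "")
        if "Disable" in message and message.rstrip().endswith("= 0x1"):
            return "protection setting switched off via configuration change"
    return None


def find_tampering(events):
    """Map each host to the (time, reason) indicators found for it."""
    hits = defaultdict(list)
    for event in events:
        reason = disable_reason(event)
        if reason:
            hits[event["Computer"]].append((event["TimeCreated"], reason))
    return dict(hits)


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def burst_hosts(hits, window_seconds=120, min_events=2):
    """Hosts with at least min_events indicators inside one window_seconds span.

    A lone disable event may be an administrator; a configuration change
    followed within seconds by 5001 and 5010 is the pattern worth paging on.
    """
    flagged = []
    for host, items in hits.items():
        times = sorted(_parse_ts(t) for t, _ in items)
        for i in range(len(times) - min_events + 1):
            if (times[i + min_events - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    found = find_tampering(parse_export(SAMPLE_EXPORT))
    for host, items in found.items():
        for when, why in items:
            print(f"{host} {when} {why}")
    print("burst hosts:", burst_hosts(found))
```

On the constructed sample, WS-042 produces three indicators within two seconds and is reported as a burst host, while WS-017's 5007 event (which re-enables monitoring, value 0x0) and its 5004 event are ignored. In production the same logic belongs in a SIEM rule keyed on the channel and event IDs; the burst threshold is what separates an attacker's scripted shutdown from a one-off administrative change.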
Who are the primary targets of Fog attacks?
Initial Fog ransomware attacks focused on organizations within the United States. Approximately three-quarters of the victims were in the education sector while the remainder were in the recreation sector.
These industries may have been chosen because organizations in these areas tend to have underfunded security operations or understaffed IT teams, which makes them more vulnerable to an attack. Further, the seasonal nature of their operations may have made these organizations more appealing as targets. For example, during the summer months, schools and recreation facilities may either be overwhelmed with activity or operating at reduced capacity, making it easier for attackers to work undetected.
As Fog ransomware continues to evolve, its targeting strategies are broadening. While early attacks were concentrated in specific sectors, the threat actors now appear to be operating opportunistically, with no single industry emerging as the primary target. This shift underscores the importance of organizations across all sectors strengthening their cybersecurity defenses to protect against the expanding and evolving tactics of Fog ransomware.
Impact of Fog ransomware on industries
As one of the most profitable ventures a cybercriminal can undertake, ransomware is a particularly consequential threat for organizations across industries.
The impact of Fog ransomware is consistent with other ransomware attacks. Organizations that are targeted face a variety of potential primary and secondary issues including:
- Disruption of day-to-day operations due to encryption of critical or sensitive data
- Financial implications, particularly as it relates to paying the ransom demands to regain access to encrypted systems and data
- Loss of revenue due to operational downtime during an attack
- Increased regulatory scrutiny or potential fines if negligence in cybersecurity practices is found
- Erosion of customer trust, which can carry long-term consequences on brand loyalty and corporate reputation
How Fog ransomware operates
Fog ransomware follows a multi-stage infection lifecycle. Understanding each stage—from initial compromise to the final encryption of files—can help organizations better detect, respond to, and mitigate the impact of an attack.
Here we share an overview of Fog ransomware’s infection lifecycle:
Stage 1: Exploitation and intrusion
Many Fog ransomware attacks exploit a vulnerability, such as an unpatched software application, to gain access to the system. To date, most Fog attacks appear to target specific weaknesses in VPN applications.
Attackers may also leverage weak VPN credentials to gain system access. These credentials can be obtained through credential theft or purchased from initial access brokers. Use of legitimate user credentials allows attackers to bypass network defenses and gain entry into targeted environments.
Stage 2: Lateral movement
Once the Fog attacker has successfully gained initial access into the network, they often leverage pass-the-hash and/or credential stuffing techniques to attempt to expand access, escalate privileges, and access administrator accounts.
During this phase, the attackers will also likely conduct groundwork activities, such as Active Directory enumeration or using tools like BloodHound, to analyze user rights and advance the attack. This activity might include file sharing, enumeration, and extensive scanning.
At this time, the attackers may also leverage remote access tools, such as AnyDesk, to establish command-and-control communication. The use of legitimate tools makes it more difficult to detect threat actors and also expedites the attack timeline, since attackers do not need to build and implement their own infrastructure elements.
Stage 3: Deployment and encryption
Once attackers have established access, they deploy the ransomware agent. As part of this process, they will disable security measures like Windows Defender.
The ransomware application will then encrypt files and delete backups to prevent recovery. Most often the attackers target Virtual Machine Disk (VMDK) files. As part of this process, the attackers will amend the file names with .FOG or .FLOCKED extensions, which is an important indicator of attack.
During this phase, attackers may also exfiltrate the affected data. This exposes the organization to double extortion, in that they may need to pay a ransom to decrypt the data and make a subsequent payment or payments to prevent public release of that data.
Stage 4: Extortion
Immediately following Stage 3, the attackers will usually distribute “readme.txt” files across affected networks. These are ransom notes, which contain information about Fog ransomware, a summary of the encryption activity that has taken place thus far, and, in many cases, a deadline for action. The notes will also include detailed instructions about how to work with the attackers to pay the ransom and resolve the issue; communication is usually conducted through a chat support link.
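Stages 3 and 4 leave two artefacts a responder can sweep for on a file server or datastore: files renamed with the .FOG or .FLOCKED extension and readme.txt ransom notes dropped across the tree. The following Python script, added here as an illustration and not CrowdStrike's code, walks a directory, collects both indicators, recovers the pre-encryption file names by stripping the added extension, and counts how many of those were VMDK files. It builds a constructed sample tree in a temporary directory; the note wording, paths and the rule that a readme.txt counts only when it sits beside encrypted files or reads like a ransom note are the example's own assumptions.

```python
"""Sweep a file tree for the on-disk traces described in Stages 3 and 4:
renamed files carrying .FOG/.FLOCKED extensions and dropped readme.txt notes.

Added example for this article, not CrowdStrike code. The sample tree is
constructed in a temporary directory; the note text is invented.
"""
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIXES = {".fog", ".flocked"}
RANSOM_NOTE_NAME = "readme.txt"
NOTE_KEYWORDS = ("fog", "encrypted")

# Constructed layout resembling a VM datastore share after encryption.
SAMPLE_TREE = {
    "vms/web01/web01.vmdk.fog": b"\x00" * 16,
    "vms/web01/web01.vmx": b"config",
    "vms/db01/db01-flat.vmdk.flocked": b"\x00" * 16,
    "vms/readme.txt": b"Your files are encrypted. Contact us via the chat link.",
    "docs/budget.xlsx": b"PK",
    "docs/readme.txt": b"Build instructions for the docs site.",
}


def build_sample_tree(root):
    """Write the constructed layout under root."""
    for rel, data in SAMPLE_TREE.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def scan_for_fog_indicators(root):
    """Return relative paths of encrypted files, suspected notes, and the
    pre-encryption names recovered by stripping the appended extension."""
    root = Path(root)
    encrypted, candidate_notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() in ENCRYPTED_SUFFIXES:
            encrypted.append(path)
        elif path.name.lower() == RANSOM_NOTE_NAME:
            candidate_notes.append(path)

    # A readme.txt is only suspicious next to encrypted files or when its
    # text reads like a ransom note; ordinary project readmes are left alone.
    encrypted_dirs = {p.parent for p in encrypted}
    notes = []
    for note in candidate_notes:
        text = note.read_text(errors="replace").lower()
        if note.parent in encrypted_dirs or any(k in text for k in NOTE_KEYWORDS):
            notes.append(note)

    def rel(p):
        return p.relative_to(root).as_posix()

    # with_suffix("") drops only the last suffix, so web01.vmdk.fog -> web01.vmdk
    originals = [rel(p.with_suffix("")) for p in encrypted]
    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "notes": sorted(rel(p) for p in notes),
        "original_names": sorted(originals),
        "vmdk_count": sum(1 for name in originals if name.lower().endswith(".vmdk")),
    }


def run_demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_fog_indicators(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run against a real share the scan is read-only, so it is safe to use during triage before any recovery is attempted; the recovered original names tell you which backups to look for, and the VMDK count gives a quick sense of how many virtual machines were hit.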
Common exploits and vulnerabilities
Public reports indicate a high correlation between Fog intrusions and SonicWall SSL VPN appliances in incidents reported between August and November 2024.
Though a specific vulnerability has not been confirmed, experts suspect that attackers may be exploiting CVE-2024-40766. Analysis reveals that all compromised SonicWall devices involved in these attacks were running old firmware versions that did not patch this issue.
At the same time, experts cannot rule out the possibility that attackers are obtaining VPN credentials through other methods, such as via data brokers or breaches.
Preventing Fog attacks
To reduce the likelihood of a Fog ransomware attack, organizations that leverage SonicWall SSL VPN should ensure they are using the most updated version of the software, which includes a patch for CVE-2024-40766.
Detecting Fog attacks
Organizations can also take steps to strengthen detection capabilities in the event a breach occurs. For example, one financial services company was able to thwart a Fog attack by leveraging “decoy” files. This allowed the company to detect the activity early in the attack lifecycle and isolate affected machines.
Additionally, security teams can monitor for suspicious activity within the system. For example, analysis of past attacks reveals that all malicious VPN logins originated from IP addresses associated with virtual private server (VPS) hosts. This provides a clear opportunity for early detection and isolation.
Best practices for detection and prevention
Companies must employ a comprehensive range of measures, including advanced monitoring tools, regular patching, user training, and robust backup systems, to effectively detect and prevent ransomware attacks like Fog ransomware.
Here we offer some recommended steps for detecting Fog ransomware early in the attack chain:
Deploy proactive security measures
- Utilize advanced monitoring tools, such as endpoint protection systems, that operate continuously and leverage advanced algorithms to detect suspicious activity.
- Pay attention to specific indicators like unusual VPN logins from unexpected hosting providers and common post-compromise behaviors, such as file encryption attempts.
- Incorporate threat intelligence to stay updated on Fog ransomware threat actors’ motives, targets, and attack behaviors.
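The detection passage earlier on this page (all malicious VPN logins originated from VPS hosting addresses) and the bullet above about unusual VPN logins from unexpected hosting providers describe the same check. The following Python script, added here as an illustration and not CrowdStrike's code, implements it over a VPN authentication log: each successful login is resolved to its network owner, logins from hosting/VPS networks are flagged, and a second reason is attached when the user has never been seen from that network before. The prefix-to-owner table is a constructed stand-in for a real ASN or GeoIP feed (it uses documentation address ranges and reserved ASNs), and the log format, usernames and addresses are invented; the assumed field names would be replaced with those of your VPN's actual log.

```python
"""Flag successful VPN logins from hosting/VPS networks and from networks a
user has not been seen on before.

Added example for this article, not CrowdStrike code. The prefix table stands
in for a real ASN/GeoIP feed (documentation ranges, reserved ASNs); the log
lines, usernames and addresses are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed lookup table: (prefix, asn, organisation, is_hosting).
PREFIX_TABLE = [
    ("203.0.113.0/24", 64500, "ExampleVPS Hosting", True),
    ("198.51.100.0/24", 64501, "Example Cloud Servers", True),
    ("192.0.2.0/24", 64502, "Example Residential ISP", False),
]

# Constructed VPN authentication log; the format is invented, not a vendor's.
SAMPLE_LOG = """\
2024-10-02T08:05:11Z vpn01 user=jsmith src=192.0.2.10 result=success
2024-10-02T08:06:02Z vpn01 user=amartin src=192.0.2.77 result=success
2024-10-03T03:14:07Z vpn01 user=jsmith src=203.0.113.45 result=success
2024-10-03T03:15:30Z vpn01 user=svc_backup src=198.51.100.9 result=failure
2024-10-03T03:16:12Z vpn01 user=svc_backup src=198.51.100.9 result=success
2024-10-03T09:00:00Z vpn01 user=amartin src=192.0.2.77 result=success
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def lookup(ip):
    """Resolve an address to its network owner using the local table."""
    addr = ipaddress.ip_address(ip)
    for prefix, asn, org, hosting in PREFIX_TABLE:
        if addr in ipaddress.ip_network(prefix):
            return {"asn": asn, "org": org, "hosting": hosting}
    return {"asn": None, "org": "unknown", "hosting": False}


def analyze_vpn_log(lines):
    """Return alerts for successful logins worth an analyst's attention."""
    alerts = []
    networks_seen = defaultdict(set)  # user -> orgs of earlier successful logins
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        ev = match.groupdict()
        if ev["result"] != "success":
            continue  # failed attempts belong to a separate brute-force detection
        info = lookup(ev["src"])
        reasons = []
        if info["hosting"]:
            reasons.append("source is a hosting/VPS provider")
        if networks_seen[ev["user"]] and info["org"] not in networks_seen[ev["user"]]:
            reasons.append("first login from this network for user")
        networks_seen[ev["user"]].add(info["org"])
        if reasons:
            alerts.append({"time": ev["ts"], "user": ev["user"], "src": ev["src"],
                           "org": info["org"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_vpn_log(SAMPLE_LOG.splitlines()):
        print(alert["time"], alert["user"], alert["src"], alert["org"],
              "; ".join(alert["reasons"]))
```

On the constructed log this raises two alerts: jsmith's login from a hosting range is both a VPS source and a network change for that user, and the service account's login is a VPS source with no prior baseline. Here the baseline is built from the log itself in order; in production it should come from historical successful logins so that the very first event in a shift is judged against weeks of context rather than nothing.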
Maintain a rigorous patch management program
- Regularly patch software to address both known and emerging vulnerabilities, especially for VPNs and other high-risk systems that Fog attackers have been known to exploit.
- Stay informed on cybersecurity news to identify and swiftly respond to newly discovered exploits that are or could be leveraged during Fog attacks.
Invest in user training and foster a culture of security
- Educate employees on recognizing phishing attempts and other social engineering tactics that could compromise credentials and pave the way to an attack.
- Provide ongoing training to reinforce good security practices and awareness of ransomware threats. Ensure employees know the proper steps to take to report suspicious or unusual activity.
Implement robust data backup and recovery plans
- Perform frequent and regular backups to minimize potential data loss. For example, daily backups can limit the impact of an attack to as little as 24 hours, greatly reducing data losses.
- Store backups on multiple devices and in separate locations for redundancy.
- Test backup systems regularly to ensure data can be restored quickly and effectively in the event of an attack.
Want more best practices for how to prevent ransomware attacks? Check out our related article: How to prevent ransomware: 10 pro tips from CrowdStrike.
How CrowdStrike can help
Legacy endpoint solutions can’t keep pace with adversaries and ransomware threats. That’s where CrowdStrike’s ransomware protection comes in, helping organizations defend against Fog ransomware by leveraging the CrowdStrike AI-native Falcon platform to deliver advanced defense capabilities.
Falcon Adversary OverWatch provides 24/7 proactive, intelligence-led threat hunting to detect and stop sophisticated ransomware attacks, including those orchestrated by RaaS actors. Tailored exercises like Tabletop, Red Team/Blue Team, and Adversary Emulation further strengthen security by identifying detection and response gaps. Together, these solutions ensure comprehensive protection against evolving ransomware threats.
Want to learn more about how to protect your organization from Fog ransomware and the latest cybersecurity threats? Contact CrowdStrike to set up a free demo and consultation. In the event of a breach, CrowdStrike provides industry-leading incident response to quickly restore order.