Clearing the Mist: Unveiling Fog Ransomware

Abstract

In the rapidly evolving cybersecurity landscape, ransomware attacks have become an increasingly prevalent and sophisticated threat. One of the latest adversaries to emerge from the shadows is theFog Ransomware Group. This malicious entity has been making headlines for its ability to infiltrate high-tech firms and disrupt operations. This blog post aims to provide a comprehensive analysis of the Fog Ransomware Group, dissecting its malware and TTPs (Tactics, Techniques, and Procedures)and offering insights for security companies and high-tech employees on how to defend against these attacks.

‍

Code Blue - Cyber Crisis Preparedness and Management

• Protect your company’s reputation
• Mitigate regulatory challenges and ensure business continuity
• Shorten the duration of a cyber crisis and bounce back faster
• Reach out to us: info@codebluecyber.com | +972-23761215

IONSEC - Research and Incident Response

IONSEC leads the charge in cybersecurity. Our team, composed of top-tier security researchers, specializes inIncident Response, Security Assessment, and pioneering Research. We excel in securing your digital assets by staying ahead of cyber threats with proactive strategies and continuous research. IONSEC is your trusted partner, ensuring the highest standards of cybersecurity excellence.

• Reach out to us: info@ionsec.io | +972-543181773

Who is the Fog Ransomware Group?

In early June 2024, IONSEC and Code Blue research teams launched an investigation into the increasing prevalence of Fog ransomware attacks targeting educational institutions. This month, our team addressed an incident involving a major enterprise that resulted in significant damage, broadening potential victims' scope. It is crucial to refer to Fog as a ransomware variant rather than a collective group; this distinction clarifies the differences between those who develop the encryptor software and the hackers executing the attacks. Such differentiation is essential, as ransomware groups often seem unified despite comprising independent affiliate groups. The precise structure of the group—or groups—behind the Fog ransomware remains unidentified at this time.

Fog ⁱ, which appends the .flocked extension to encrypted files, was first detected in May during campaigns executed by Storm-0844, a threat actor recognized for distributing Akira. By June, Storm- 0844 shifted its focus, deploying Fog more frequently than Akira.

Threat Actor Onion URLs:

• FOG Main Website (Victim Portal via Code) http://xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid[.]onion
• Blog (Victim Publication) http://xbkv2qey6u3gd3qxcojynrt4h5sgrhkar6whuo74wo63hijnn677jnyd[.]onion

A group known as FOG was noted to exist in 2021 ⁱⁱ; however, no concrete connections between this group and other entities have been established to date.

Victims:

There are at least 15 confirmed victims associated with the attackers, and evidence suggests that some clients may have paid the ransom, as indicated by the removal of "Geelong Lutheran College" from their website.

Additionally, several other organizations have also been omitted from the website:

• Verweij Elektrotechniek
• Alvin Independent School District

New Form of Persistence

Our team has observed that FOG utilizes highly obfuscated scheduled tasks to maintain access to compromised networks. While the mechanization of scheduled tasks is not a novel concept, this particular approach has successfully evaded detection by even the most advanced EDR pl

The task essentially comprises a PowerShell script that appears to perform the following key operations:

1. Encryption/Decryption of Data:

• The script includes functions for converting data to and from Base64 (ConvertTo-Base64 and ConvertFrom-Base64).
• The Decrypt-Data function reverses this process by extracting the IV from the encrypted data and decrypting the remaining data using the specified key.
• The Encrypt-Data function employs the AES algorithm in CBC mode with PKCS7 padding to encrypt data, generating an IV (Initialization Vector) for each encryption, which is prepended to the encrypted data. The outcome is then encoded as a Base64 string.

2. Interacting with Windows Task Scheduler:

• The script connects to the Task Scheduler via the COM object Schedule.Service.
• It retrieves a cheduled task named "[redacted]" from the root folder ($taskPath = "\").
• The script extracts the task's description—encrypted—decrypts it, executes the decrypted content using iex (which runs the decrypted string as a PowerShell command), captures the output, and subsequently encrypts it.

3. Modifying the Task's Description:

• The script replaces the task's description with the encrypted result of the command execution, effectively storing the command output within the task's metadata.

Analysis and Potential Concerns:

1. Encryption Key:

• The encryption key [redacted] is a Base64-encoded string that decodes to a 16-byte (128-bit) key, which is pivotal to the encryption and decryption processes.

2. Execution of Decrypted Code:

• A significant concern regarding this script is its ability to decrypt and execute a command embedded in the description of a scheduled task. This poses a risk, as it suggests that an attacker could embed malicious code within the task's description, which would subsequently be decrypted and executed by this script.

3. Persistence Mechanism:

• This script forms part of a persistence mechanism, concealing the actual payload within the Task Scheduler's metadata, thereby evading detection by storing encrypted data that is executed only when this script runs.

4. Malicious Potential:

• If employed maliciously, this script could enable an attacker to execute arbitrary commands on the system without leaving apparent traces in conventional script files. The use of encryption further complicates detection and analysis.

Dissecting the Ransomware

Understanding the Core Components

Fog Ransomware functions through three primary components to execute its malicious activities. The initial phase involves creating a mutex to prevent double infections that could impede execution, as well as deleting shadow backups. The second phase focuses on decrypting the configuration file, which is embedded within the binary. Lastly, the third phase carries out the encryption process itself.

Phase 1 - Mutex Creation & Shadow Backup Deletion

The malware creates a mutex during runtime to prevent double infection of the system, thereby ensuring the proper execution of its functions. Additionally, in this phase, the malware deletes the shadow backups of the infected station to eliminate the possibility of restoring from local backups.

Phase 2 - Configuration File Decryption

In the second phase, Fog Ransomware decrypts the configuration file located within the binary. This file contains instructions and parameters essential for the encryption process. The configuration file consists the following list -

• List of processes to terminate
• List of services to terminate
• File extensions to encrypt
• Path list

Phase 3 - Encryption Process

During the encryption phase, the malware scans the paths specified in the configuration file. Each file with an extension included in the designated list is encrypted. The malware employs the AES algorithm for fast encryption and subsequently uses the RSA algorithm to encrypt the AES key. This dual technique is commonly utilized by many ransomware variants, as the efficiency of AES combined with the RSA encryption of its key makes it nearly impossible to recover the files without paying the ransom.

Defending Against Fog Ransomware

Regular Software Updates and Patch Management

Keeping software up to date is one of the simplest yet most effective ways to protect against ransomware. Regularly applying patches to operating systems and applications can close vulnerabilities that ransomware exploits.

Implementing Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to provide two or more verification factors. This makes it significantly harder for attackers to gain access, even if they have stolen login credentials.

Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments. This limits the spread of ransomware by containing it within a single segment, preventing it from infecting the entire network.

Regular Backups and Data Recovery Plans

Regularly backing up data and having a well-tested data recovery plan can help organizations quickly recover from ransomware attacks without paying the ransom. Backups should be stored offline and in multiple locations to ensure their availability.

Conclusion

Ransomware remains a significant threat to organizations of all sizes. The Fog Ransomware Group exemplifies the evolving sophistication of these attacks. By understanding their malware, TTPs, and implementing robust defenses, organizations can protect themselves against this and other ransomware threats.

For security companies and high-tech employees, staying informed and proactive is crucial. Continuous education, collaboration, and investment in advanced security tools are key to defending against ransomware. Remember, the battle against ransomware is ongoing, and vigilance is the best defense.

Appendix

Indicators of Compromise (IoCs)

Hash

• Locker_out.exe - 507b26054319ff31f275ba44ddc9d2b5037bd295
• Locker_out.dll - 44a76b9546427627a8d88a650c1bed3f1cc0278c

IPs

• 5.230.33[.]176
• 77.247.126[.]200
• 107.161.50[.]26
  

Yara

rule SearchForFogRans

{

meta:

description = "Search for fog ransomware" author = "CodeBlue & IONSEC"

date = "2024-08-16"

version = "1.0"

‍

strings:

$start_encrypt = "Start encrypt file"

$mutex_check = "[=] Checking mutex..."

$vssadmin_usage = "vssadmin.exe delete shadows"

‍

condition: all of them

}

References

https://ransomware.live/#/group/fog

https://www.beforecrypt.com/en/fog-ransomware