2024-08-29

FOG Ransomware Remains a Major Threat to Educational Institutions in 2024

Level: Tactical | Source: Arctic Wolf & Kroll | Sector: Education

The FOG ransomware group was first identified in May 2024. Building on a June 2024 report by Arctic Wolf, new analysis from the Kroll Cyber Threat Intelligence (CTI) Team adds insight into the tactics, techniques, and procedures (TTPs) employed by FOG operators. The most notable change is that FOG has adopted double extortion: its initial campaigns involved no data exfiltration and relied on fast execution, using only the leverage of data encryption to extort victims, whereas recent intrusions also steal data and publish it on the group's own data leak site. Despite this expansion in tactics, targeting has remained consistent. FOG still predominantly attacks educational institutions, and initial access is still obtained with compromised VPN credentials.

Kroll's reporting covers the activity observed after FOG actors use compromised VPN credentials to enter a network. In post-exploitation, the actors gain further privileges with techniques such as pass-the-hash, sourcing credentials either from a copy of the Active Directory domain database (NTDS.dit) or by using esentutl to copy browser-saved password stores. FOG operators establish persistence by creating new user accounts and move laterally with PsExec, SSH, and RDP.

To evade detection, FOG operators disable Windows Defender and tamper with audit settings to obscure their presence. For reconnaissance, they call Windows APIs to enumerate system information and running processes on the compromised host, run Get-ADComputer in PowerShell to enumerate domain hosts, and use third-party discovery tools such as Advanced Port Scanner and SoftPerfect Network Scanner. Custom PowerShell scripts are used throughout the intrusion. In the final stage, FOG executes its ransomware binary (the sample in Kroll's review was named '1.exe') to encrypt files, appending the .FOG or .FLOCKED extension, and then deletes backup copies with commands such as vssadmin.exe delete shadows /all /quiet. For the exfiltration step of its newer double-extortion playbook, data is archived with 7-Zip and/or WinRAR before being transferred to external cloud storage.
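The TTPs above are mostly visible in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688), so they can be turned into simple command-line detections that are then correlated per host. The following is an added example and is not detection content from Kroll, Arctic Wolf, or Anvilogic. The log events are constructed to mirror the reported behaviour; the rule names, the host names, the use of auditpol as the audit-tampering mechanism, and the "three distinct stages on one host" threshold are all assumptions made for the example.

```python
"""
Command-line detections for the FOG post-exploitation TTPs described above,
run over constructed process-creation events (Sysmon ID 1 / Security 4688 shape).
Added example; not the detection logic of any vendor named on this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str     # full path of the created process
    cmdline: str   # full command line as logged


# (rule name, pattern searched against "<image> <cmdline>"). Names are ours.
RULES = [
    # esentutl /y <src> /d <dst> copies a locked ESE database: NTDS.dit or Chromium "Login Data"
    ("cred_access.esentutl_copy_ntds_or_browser_db",
     re.compile(r"esentutl(\.exe)?\s+/y\s+.*(ntds\.dit|login data)", re.I)),
    ("persistence.local_account_created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add", re.I)),
    ("lateral_movement.psexec_service_exec",
     re.compile(r"psexe(c|svc)(\.exe)?\b", re.I)),
    ("defense_evasion.defender_realtime_off",
     re.compile(r"set-mppreference\s+.*-disablerealtimemonitoring\s+\$?true", re.I)),
    # Assumed mechanism for "manipulating audit features": auditpol clear/remove/disable
    ("defense_evasion.audit_policy_tamper",
     re.compile(r"auditpol(\.exe)?\s+/(clear|remove|set\s+.*/success:disable)", re.I)),
    ("discovery.get_adcomputer",
     re.compile(r"get-adcomputer", re.I)),
    ("collection.archive_for_exfil",
     re.compile(r"(7z[ag]?(\.exe)?\s+a\b|winrar(\.exe)?\s+a\b|\brar(\.exe)?\s+a\b)", re.I)),
    # Image path starts the searched text, so anchor on it: unnamed binary run from C:\Temp
    ("execution.binary_from_temp",
     re.compile(r"^c:\\temp\\[^\s]+\.exe\b", re.I)),
    ("inhibit_recovery.vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
]


def match_rules(event: ProcEvent) -> list[str]:
    """Names of every rule that fires on one event."""
    text = f"{event.image} {event.cmdline}"
    return [name for name, pat in RULES if pat.search(text)]


def stages_by_host(events: list[ProcEvent]) -> dict[str, set[str]]:
    """Distinct rule hits per host; a single noisy rule counts once."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(ev.host, set()).add(name)
    return hits


def likely_ransomware_staging(events: list[ProcEvent], min_stages: int = 3) -> list[str]:
    """Hosts where at least `min_stages` distinct stages fired (threshold is an assumption)."""
    return sorted(h for h, s in stages_by_host(events).items() if len(s) >= min_stages)


# Constructed sample telemetry (not real logs). FS02 is the staged host; WS07 is a benign 7z user.
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    ProcEvent("DC01", r"CORP\svc_backup", r"C:\Windows\System32\esentutl.exe",
              r"esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\Temp\n.dit"),
    ProcEvent("DC01", r"CORP\svc_backup", r"C:\Windows\System32\net.exe", "net user sysadm P@ssw0rd! /add"),
    ProcEvent("FS02", r"CORP\svc_backup", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("FS02", r"CORP\svc_backup", r"C:\Program Files\7-Zip\7z.exe", r"7z.exe a -mx1 C:\Temp\hr.7z \\FS02\HR"),
    ProcEvent("FS02", r"CORP\svc_backup", r"C:\Temp\1.exe", "1.exe"),
    ProcEvent("FS02", r"CORP\svc_backup", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("WS07", r"CORP\asmith", r"C:\Program Files\7-Zip\7z.exe",
              r"7z.exe a C:\Users\asmith\docs.7z C:\Users\asmith\Documents"),
]


if __name__ == "__main__":
    for host, stages in sorted(stages_by_host(SAMPLE_EVENTS).items()):
        print(host, sorted(stages))
    print("staging hosts:", likely_ransomware_staging(SAMPLE_EVENTS))
```

Two points the correlation step makes that single rules do not: the 7-Zip rule alone fires on a normal user (WS07), so it only becomes interesting when it co-occurs with defence evasion and shadow-copy deletion on the same host; and the encryptor itself ('1.exe') has no signature-worthy name, so it is caught here only by where it runs from, which is why the per-host stage count matters more than any one rule.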

Kroll's findings, together with the earlier intelligence from Arctic Wolf, give organizations concrete detection strategies for defending against the growing threat of the FOG ransomware gang. The TTPs in Kroll's report align with the activity outlined by Arctic Wolf, which reinforces the need to detect these specific, highly relevant attack techniques.