Fog Ransomware – Technical Analysis

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A new ransomware family named Fog has been identified in attacks on education and recreation organizations in the United States. The operators gain initial access with compromised VPN credentials, disable Windows Defender on the target host, and then deploy the ransomware. Fog is a 32-bit Windows executable compiled with Microsoft Visual C/C++. It emits debug messages, resolves Windows APIs dynamically at runtime, and decrypts an embedded configuration that is stored in JSON format. The encryptor is multi-threaded: worker threads encrypt files while a ransom note is dropped in every directory it processes. Cryptographic operations are performed through the Windows CryptoAPI. Before encryption, Fog stops a list of targeted services, terminates a blacklist of processes (so that open file handles do not block encryption), and removes backups to hinder recovery. The behaviors map to MITRE ATT&CK techniques under Execution, Discovery, Defense Evasion, and Impact.
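The pre-encryption chain summarized above (Defender disabled, services stopped, backups removed, all under one set of stolen VPN credentials) is exactly what a detection engineer wants to correlate rather than alert on one event at a time. The following Python is an added illustration written for this page, not code from the report or from any vendor tooling: it runs a small rule set over constructed process-creation events and raises one alert only when several distinct techniques appear for the same host and user inside a short window. The command lines, host and user names, and the specific ATT&CK IDs used as rule labels are my assumptions about how such a chain would look in telemetry; the report itself does not list the exact commands Fog's operators ran.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample process-creation events (NOT taken from the report).
# They model the chain described on the page: Defender tampering, a service
# stop and backup removal within a minute under one VPN-associated account,
# plus one benign event on another host that must not fire.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-06-03T02:11:09Z", "host": "fs01", "user": "CORP\\vpn-svc",
     "image": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -C "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": "2024-06-03T02:11:31Z", "host": "fs01", "user": "CORP\\vpn-svc",
     "image": "net.exe", "cmdline": 'net stop "SQLWriter" /y'},
    {"ts": "2024-06-03T02:11:40Z", "host": "fs01", "user": "CORP\\vpn-svc",
     "image": "vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-06-03T02:12:02Z", "host": "fs01", "user": "CORP\\vpn-svc",
     "image": "wmic.exe", "cmdline": "wmic shadowcopy delete"},
    {"ts": "2024-06-03T09:15:00Z", "host": "ws22", "user": "CORP\\alice",
     "image": "powershell.exe", "cmdline": "powershell.exe Get-MpComputerStatus"},
]

# Hypothetical rule set: (ATT&CK technique, label, command-line pattern).
# The technique mapping is mine; the report only says Fog uses techniques
# under Defense Evasion and Impact without enumerating them.
RULES = [
    ("T1562.001", "Defender tampering",
     re.compile(r"set-mppreference.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)"
                r"|sc(\.exe)?\s+(stop|config)\s+windefend", re.I)),
    ("T1490", "Backup / shadow copy removal",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"
                r"|bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("T1489", "Service stop",
     re.compile(r"\bnet1?(\.exe)?\s+stop\s+|\bsc(\.exe)?\s+stop\s+|stop-service\s+", re.I)),
]


def _parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per (event, matching rule); a single event may hit several rules."""
    hits = []
    for ev in events:
        for technique, label, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "technique": technique, "label": label, "cmdline": ev["cmdline"]})
    return hits


def correlate(hits: List[Dict[str, str]],
              window: timedelta = timedelta(minutes=10),
              min_techniques: int = 2) -> List[Dict[str, object]]:
    """Raise one alert per (host, user) when >= min_techniques distinct
    techniques occur within `window` of an initial hit. Requiring several
    techniques keeps a lone admin `net stop` from paging anyone, while the
    disable-Defender -> stop-services -> delete-backups sequence still fires."""
    by_key: Dict[tuple, List[Dict[str, str]]] = {}
    for h in hits:
        by_key.setdefault((h["host"], h["user"]), []).append(h)

    alerts = []
    for (host, user), group in by_key.items():
        group.sort(key=lambda h: _parse_ts(h["ts"]))
        for i, first in enumerate(group):
            t0 = _parse_ts(first["ts"])
            cluster = [h for h in group[i:] if _parse_ts(h["ts"]) - t0 <= window]
            techniques = sorted({h["technique"] for h in cluster})
            if len(techniques) >= min_techniques:
                alerts.append({"host": host, "user": user, "start": first["ts"],
                               "techniques": techniques, "events": len(cluster)})
                break  # one alert per host/user is enough; the SOC pivots from there
    return alerts


if __name__ == "__main__":
    for alert in correlate(detect(SAMPLE_EVENTS)):
        print(f"[ALERT] {alert['host']} {alert['user']} from {alert['start']}: "
              f"{', '.join(alert['techniques'])} ({alert['events']} events)")
```

Feeding real EDR or Sysmon Event ID 1 records into `detect` only requires mapping their fields onto `ts`, `host`, `user` and `cmdline`; the correlation window should be tuned to how fast the actor moved in your own incidents, and the VPN-sourced logon that preceded these events is the natural extra signal to join on.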

OPENCTI LABELS :

vpn,ransomware,windows,encryption,cryptography,fog ransomware,file-encryption,multi-threading,process-termination,service-stopping



