Fog Ransomware Rolls in to Target Education, Recreation Sectors

Published : 23/11/2024   Category : security




A new group of hackers is encrypting data in virtual machines, leaving ransom notes, and calling it a day.



A new ransomware operation has been performing old-fashioned ransomware attacks, locking up data in virtual environments to earn quick payouts.
Researchers from Arctic Wolf first spotted the group they call Fog on May 2, according to a newly released report. Through May 23, Fog performed relatively standard-fare ransomware attacks: quickly infiltrating and encrypting data stored in virtualization environments, leaving a ransom note, but not exfiltrating anything.
Fog attacks typically begin with stolen virtual private network (VPN) credentials, an increasingly popular means of initial access into sizable organizations. The group has exploited two different VPN gateway vendors thus far, which Arctic Wolf has declined to name.
In one case, for example, Fog passed the hash to compromise administrator accounts in its target's network. It then used the accounts to establish a remote desktop protocol (RDP) connection with Windows servers running the Hyper-V hypervisor and Veeam data protection software.
Other common Fog tactics, techniques, and procedures (TTPs) include credential stuffing, using native Windows and open source tools like Metasploit and PsExec, disabling Windows Defender, and using Tor to communicate with victims.
Contrary to recent trends, Fog does not exfiltrate the data it encrypts. It does not operate a leak site, perform double or triple extortion, or anything of the sort. "Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack," the researchers assessed.
Thus far, Fog has targeted only organizations in the US. Four of every five reported attacks have been from the education sector, with the rest spread across recreation industries.
That a relatively amateurish group would target education in particular isn't surprising, says Kerri Shafer-Page, vice president of DFIR at Arctic Wolf.
"Education is often underfunded and understaffed when it comes to cyber. And when you think about summer vacations and the staffing model, they often have very small IT departments. It's a perfect opportunity for attackers," she says.
To account for some of those shortcomings, Shafer-Page says, "Employees need to understand how they manage their credentials. These threat actors are looking for a way to move laterally and elevate their privileges. Once they elevate their privileges, it's game over. They can get into the crown jewels."
