
We're going to be talking about a new ransomware group called Fog ransomware. But before we get started: my name is Sam Mayers, I'm a security researcher at Beazley Security. I mainly track ransomware threat actors, not really a specific one, just all of them, 'cause all of them are really interesting. And I'm Bobby, I'm a principal security researcher at Beazley Security, and I fill gaps, but I have a background in malware analysis.

So before we get started, let's just talk about ransomware as a whole. Ransomware is malicious software that either blocks access to your computer or encrypts data until a ransom is paid, and nowadays it's really just crypto, yay. There are a lot of different ways ransomware threat actors get into the network. A lot of it is compromised credentials; there is phishing, brute force, tons of different ways. Different threat actors use different ways.

Today we're going to be talking about Fog. Fog started at the end of May 2024, beginning of June 2024, so they've only been around for a couple of months. So far there have been 32 companies that have been publicly shamed. This graphic and data was from a couple of days ago, as of when I made this, right? Well, I lied, because this morning I had to update it, because now there are 40 victims, unfortunately. Mainly targeting the US, about 70% of the publicly known ones, and mainly targeting also the education sector, which really sucks. A lot of it is elementary and middle school, but also we have secondary, college and universities. Other industries are hit as well: finance, manufacturing, food service, food production, things like that, as well as victims in other countries like Canada, Australia, the Netherlands and others.

So I'm going to quickly go over the kill chain right now of one of the examples our IR team had to deal with. It's not the same for every case, not the same for every Fog attack, but it's similar; mainly the same TTPs we're seeing. So we have a threat actor; he uses compromised VPN credentials. They get that by either brute forcing it or buying it from an info stealer, so info stealers are still a really big deal and we need to handle that, but that's a whole different talk, let's deal with that later. Then the threat actor used pass-the-hash against administrator accounts, which subsequently gives established RDP access into the Windows server. RDP is Windows' desktop protocol, which is a protocol that allows control of other computers remotely, and then they use SMB. SMB is Server Message Block, which is a message format used for sharing files and directories in a Windows environment. They use RDP, SMB and PsExec and attempt internal spread of the network. After that they disable Windows Defender so Defender doesn't catch anything they're about to do. They download the ransomware and they deploy the ransomware; they deploy it using a PowerShell script, and the Hyper-V files, they also delete backup Veeam storage, they encrypt, I'm sorry, they also delete volume storage and encrypt both local and shared network resources.

Okay, and then I'm going to speak a little bit about the analysis of the locker file itself. So within the context of ransomware, a locker file is the executable that the threat actors will drop onto your machine or your network once they get there, and when they execute that, that's what actually does the ransoming: it will encrypt all your files, it drops the ransom note, and then does all that stuff. So it's really important to understand these. As we had mentioned, Fog is not a very noisy group. The big boys like LockBit and Akira and RansomHub, those guys will have waves where they'll own like 30 different companies in a weekend. Fog is very quiet. We're not really sure why, we're still kind of tracking them, but they'll only have a wave of like seven companies that they compromise, so they're hard to track because there's just not a lot of information and not a lot of samples.

Around May, Arctic Wolf released a really good article about their analysis of Fog, and it's pretty comprehensive. They mentioned a couple of samples and gave a couple of hashes, but unfortunately for us only one of them was available, but we'll take what we can get. So we grabbed that sample and took a look at it. The first thing we noticed is that, first off, a few AV companies way back in May were already labeling these samples as Fog, so some researchers out there already knew what Fog looked like and they were tagging it. It's good for us because you can search in VirusTotal on that tag, so we did that search and we pulled up seven more samples, hooray.

I know this graph looks a little strange. Basically what I'm showing you here is that from May to November, spoiler alert, we were able to find 20 samples. We believe that's the entirety of the public sample set for Fog, and I'm basically going to walk you through our long walk to get from seven samples to the 20.

Okay, so with the seven samples we needed to study them and understand how we could possibly detect them and search for them. The first thing we noticed is that Arctic Wolf, in their blog post, mentioned that Fog will helpfully drop a debug file that has debug log statements in it, which is super weird, right? But it's for the operators. What will happen is their affiliates who are using their ransomware, you know, sometimes it doesn't work right, and that log file is to help them debug what's going on. It's helpful for us too, though, because it happens that in Fog they don't hide any of their strings, they don't encrypt any of the log stuff, and you can just search on them. So we started with that.

The other thing that we noticed: on the right side is a snippet of code from Fog. I know you probably can't read it, that's okay. All you've got to know is that on the right side there, this is a decision tree. When it gets to the middle, it turns out that if you ran Fog but didn't give it any parameters, it will just exit out, but if you pass it parameters it starts doing evil stuff. If you maybe squint your eyes you can see at the bottom there it will start closing services and killing processes and doing very mean things. But what that told us was that on any given Fog sample, even if it doesn't run right, it will still drop the log file, so that is a good behavior to do threat hunts and searches off of. So we did that. Now with the combination of the static search and the behavior search, we created signatures and searches off those in VirusTotal and we were able to pull about 19 samples, so we're getting better.

I want to dive into one of the samples that turned up here that was actually kind of interesting. So there's a zip file that got turned up when we did this search. This zip file had the Fog ransomware embedded inside of it, but it was next to a bunch of really weird-looking things. There's a bunch of applications here; you'll see caon, code sector, ierus. These are applications that do file transfer and backup facilities, and that's very common with threat actors that are deploying ransomware. They want to steal all of your data before they ransom it, because they're going to double extort you. They'll do the ransom, but then they'll also have all your data and tell you, you've got to pay us this ransom too, or else we're going to leak all your data on a leak site. So that's likely what that stuff was. Also there's an NTUSER.DAT file. I'm not a pen tester, but I took a class once, and I think the NTUSER.DAT file has recon information in it; it has user information that you can enumerate when you're attacking the system. And then the locker was right in there.

The other thing that was interesting was that on this specific system that this zip file was created for, they had installed Advanced IP Scanner, and that caught my attention because within the Arctic Wolf report they said that one of the utilities that they use is called Advanced Host Scanner. This thing is named the same, and when I looked at the websites they looked similar, so I'm pretty sure this was a Fog threat actor case. And what this started to look like is basically the digital equivalent of a crime scene. Usually what happens is, if ransomware is deployed, when the incident response team comes in they'll package up the stuff they need to study and lift it off site, and then they'll study it there. What we think happened was this organization uploaded that package to VirusTotal just to check it or whatever. Probably the most interesting thing we found is that VirusTotal had reported that this thing was uploaded from Brazil on 7/29. What makes that interesting is that we've been tracking Fog cases and there's no mention of a Brazilian one, so this company either paid the ransom or is a non-publicly known case. Also the zip file, when it was uploaded, matched the name of a software services company in Brazil. So, super interesting finding, right?

Okay, let's get back to the seven samples. So we needed to find something that sort of ties all those samples together. My colleague Sam showed me this really cool feature where you can ask VirusTotal: here's seven samples, show me the similarities in all these samples, and VirusTotal will say, here's this byte pattern that happens to be in four of the samples, or here's a byte pattern that shows up in five of the samples. Well, this search showed us nine byte patterns that show up in all seven of the samples that we were studying, which is super cool. I'm sorry, I'm not going to draw 120 arrows and circles in there for you, but you can imagine what it was supposed to look like.

So those nine, when we studied them, some of those byte patterns weren't related to anything; they were like strings or data structures within the file. But four of them, every time I saw them in any sample, they were very close together, and they were again in all seven samples. So the first thing that tells me is this is a very interesting and important piece of code within Fog. So we made a signature out of it and we started to study it. Now, to know what it was doing we had to dive in and then slowly work our way back out. So what it is: in any given Fog sample there's a section of code that again looks like this; I showed this graph earlier. What's happening here is the program starts, it unpacks its internal configuration, it reads it, and then it starts doing horrible things: killing services, killing processes and all that. That's where those two log files are. That unpack part, that unpacks the encrypted internal configuration, looks not too bad, like this, but there is one section in there that looks like this, and that's where those four shared code patterns are. And so those four shared pieces of code that are present in every Fog sample are related to the unpacking of its internal configuration. That's an important piece of code, because that internal configuration tells Fog, it's got its internal RSA key it uses to encrypt your stuff, it tells it where it needs to go search on your files, on your system, to look for stuff to encrypt. So, important piece of code. So we made a signature out of it and ran it, and to our delight it fires on all the executable samples, so it's a good signature, and it doesn't fire on anything else, so it's a safe signature; it doesn't create false positives. So these four shared code bits are essentially a fingerprint for Fog; you can use this to flag whether or not a sample is actually Fog.

And then one really interesting thing happened. So we had these 19 samples that we found from previous searches; this fingerprint signature found one more sample. It's called an unlocker. If anyone's worked with ransomware before, typically what happens is after you've been ransomed, the ransomware gang will tell you, pay us this ransom and we'll give your stuff back. If you pay it, often what will happen is they'll send you an unlocker file that has your key embedded in it that will release your stuff for you. And this thing caught the Fog unlocker. The reason that we couldn't see it before with other searches: it has the same debug log structure in it, but it has fewer log strings. We had previously used a threshold of 60, and this thing has less than that; that's why it flew under the radar for that signature. And then behavior-wise, it drops its debug logger like the other sample, but it appends "unlocker" to it, which is why we didn't see it previously. But our fingerprint signature worked fine. The other really cool thing is that the unlocker, no AV companies as of yet are flagging it as Fog, so this is something that we found unique in the unlocker. So we're very happy with that; yeah, the fingerprint works.

And so what's fun about the fingerprint, you know, Sam had showed you things that we found; it's still firing off, we're still finding things. Earlier this week the fingerprint caught a few more unlocker samples. This one was specifically uploaded from Ireland, and we haven't seen any public reports of a compromised victim from Ireland, so it's helping us track activities for Fog.

So we're going to talk about some TTPs and IOCs, everyone's favorite part. I'm not going to bore you guys, I'll run through this fairly quickly. So initial access: they use VPN credentials like I talked about before; they either info-steal or brute force it. They get a Windows shell for the RDP and SMB, which we talked about earlier and will go over in a minute. Persistence: they create a local administrator account to help escalate their privilege. They delete files, they disable Windows Defender, all the standard things with ransomware, but specifically they use something called pass-the-hash. Pass-the-hash is stolen password hashes that will help them move laterally later; they don't need the clear text password, they just use that hash and enumerate it. So that's one of the ways they use for credential access. They brute force and password stuff, as well as steal passwords and password managers, in conjunction with the pass-the-hash. They use port scanners and network scanners, they use RDP and SMB and other lateral tools, and then, like every other ransomware, they stop services, they inhibit system recovery and they encrypt the data.

So a lot of the tools that Fog use are open-source tooling or just native tooling. So they use Metasploit, they use network scanning, port scanning, which you could just look up the names, they are free, you just hit the download button and it downloads. And then they also use an open-source script called Veeam-Get-Creds, which helps them steal the credentials from password managers.

So I just added a screenshot of one of the ransom notes that they did at the beginning of their activities. Their ransom note was called helpyou files.HTML, which was really interesting because most ransom notes are not HTML, most of them are txt. But now they're back to what most ransom groups do, and they've named theirs readme.txt. And then on the right they pretty much say: hey, we're Fog, we take responsibility, go download Tor, go to this link, enter this code (I'm not giving anyone the code), and then you could chat with us in our own little chat room and let's negotiate, pay us the money, pretty much.

And then for encryption file extensions, like I said before at the beginning, they used .flock, but that was a little bit weird to track because that wasn't the name or anything similar, but now they're using .fog. And then this is a photo of their name-and-shame site. So they run two Tor sites: one is their chat room site and one is their Tor name-and-shame site, which is pretty much where any victim that does not pay the ransom gets put, and you could just download their data. So it's really funny because they can't spell "its" right, and that's been that way for a very long time, and I kind of want to message and let them know, but I think it's funnier that it stays that way.

But yeah, so just some closing thoughts. Why should any of you guys care? Ransomware's hitting every industry. Maybe not Fog specifically is hitting your industry, but ransomware groups are hitting every industry everywhere, from technology companies to education to food service to everything. And if we're not educating and talking about it, it's going to keep happening. And the biggest thing we need to do is stop paying the ransoms. This is feeding them, right? Once we pay them it is pretty much giving them more money to operate. They operate as a company; they get employees, they buy servers, they buy all this stuff, and we give them money, and they're able to increase their strength and keep on going. So if we stop paying them, first they'll stop doing it because they're not making money, and second they'll stop doing it because they can't afford to keep doing it. That's just something we need to do as a whole.

And then also there's just a lot more things for us to investigate. We haven't done full analysis coverage of the Fog sample itself, so there's probably a lot of other cool things in there, and we also have a Linux sample for Fog too, which we haven't covered here, but they use that to ransom your ESXi servers, which is super scary if it happens to your org.

But yeah, we're a fairly new research organization, and so when the IR team that we support came to us and said, have you guys heard of Fog, and we were like, no, we had to quickly pull together and figure out how to track and study these guys. And so this was the process that we kind of built out. We're excited to apply this process to the big boys; we want to study LockBit this way, or Akira, or whatever. And the other thing we've noticed too is that in the past month or so there's a bunch of really new ransomware groups popping up. There's names that we see; there was a name that I saw like three days ago that I had never seen before. So there's always new ransomware groups, so having a process in place to really quickly get your arms around who these guys are, I think, is very valuable. And if you want to study ransomware, come chat with us, we're easy to talk to.

And then lastly, unfortunately our blog post was not able to come out today, but it will be up next week. So if you go scan this QR code, or if you don't like QR codes you can go to that link, that is our GitHub page, and we have posted all of the YARA rules that we use as well as all of the IOCs that we have found and gathered on our GitHub, and then we'll link our blog post, which goes way more into depth, as well as a lot more other fun things, and also our contact. Does anyone have any questions?

To my knowledge, we have not. The big thing that we try to stress to both our customers and as a whole is don't pay the ransom. There's no guarantee that if you pay the ransom they're going to give you the locker, they're not going to post it, they're not going to double extort, they're not going to do anything, right? You're just pretty much giving them money. They already got you, it doesn't matter, they could double extort you. So the idea is to just not pay, and I think that's just a systematic thing we need to change.

But overall, we've been discussing this within our team, and the other thing that we think is contributing to the rise of smaller ransomware groups is that the US government actually sanctions ransomware groups by name. So LockBit is on the sanction list, and so it creates this really bizarre situation where if you get ransomed by LockBit it's actually against the law for you to pay the ransom; you will get busted by the FBI for paying it out to get your stuff back. And that hurts, well, it hurts the customers, the clients, obviously, but it also hurts the ransomware groups because then they can't get ransoms from US companies. But those sanctions are built off of just the name alone, so the way to get around that is you make a new name for yourself, and so we're thinking that might be one of the reasons why there's this explosion of new ransomware groups. But it's not verified, it's just something that we've been looking at.

So the one similarity, and we go over this in our blog post, is they're very similar to Akira. It seems like it's an offshoot of Akira; they have a lot of similar TTPs, a lot of similar tooling, a lot of things similar, but they do a couple of things differently. I mean, the fundamentals of ransomware are all fairly the same: they get in, they encrypt your stuff and they demand money, but those little things are what separate them.

So the Linux samples that we've seen: we actually had a case where the Linux sample was what was used, and they're using it to attack ESXi servers, because there's a lot of cases now where on-premises companies will be having a bunch of their servers just run from ESXi, and so if you ransom it at that level you get all of the VMs that were running there. That's what that sample is for, and we're still sort of studying through that sample and we'll update our blog as we understand it more.

For Beazley Security, our parent company is an insurance company that pays out cyber insurance, and they have all of that structure in place so that if something does happen to a customer they have a huge Rolodex of contacts to help their specific clients do that. We don't have to worry too much about that; we're the research guys, we just bury ourselves in binaries and threat intelligence.

Well, and unfortunately, so we support an IR team, and a disturbing amount of the IR cases that lead to ransomware, they're from stolen passwords. You know, you go to those leak sites, like Breached or all those leak sites, and you buy a password, and then suddenly you're in Snowflake. I don't know if you guys remember the Snowflake breach from earlier this year; that was a bought password. They got in there from a password they bought on some site for like $100 and then caused millions of dollars in damage.
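The fingerprinting process the speakers describe (byte patterns common to every known sample, minus the ones that are just strings, merged into a signature and then validated against the corpus) can be illustrated with the added example below. It is not Beazley Security's code or their YARA rules; every "sample" is a constructed toy byte string, the `[DEBUG]` marker stands in for the real log format, and the 60-line threshold is the one mentioned in the talk.

```python
"""Family fingerprint from byte patterns shared by every known sample.

Added example mirroring the process described in the talk; not Beazley
Security's code. All samples below are constructed toy byte strings.
"""
import random

N = 8                     # n-gram width used to look for shared bytes
LOG_MARKER = b"[DEBUG] "  # constructed stand-in for the debug log format
THRESHOLD = 60            # log-string count threshold mentioned in the talk

def _text_like(chunk: bytes) -> bool:
    """True when every byte is printable ASCII or whitespace (a string)."""
    return all(0x20 <= b < 0x7F or b in (9, 10, 13) for b in chunk)

def common_ngrams(samples, n=N):
    """Byte n-grams present in every sample, excluding plain-text ones."""
    shared = None
    for blob in samples:
        grams = {blob[i:i + n] for i in range(len(blob) - n + 1)}
        shared = grams if shared is None else shared & grams
    return {g for g in shared if not _text_like(g)}

def build_fingerprint(samples, n=N):
    """Merge overlapping common n-grams (located in samples[0]) into runs."""
    ref, covered = samples[0], set()
    for g in common_ngrams(samples, n):
        start = ref.find(g)
        while start != -1:
            covered.update(range(start, start + n))
            start = ref.find(g, start + 1)
    runs, offs, i = [], sorted(covered), 0
    while i < len(offs):
        j = i
        while j + 1 < len(offs) and offs[j + 1] == offs[j] + 1:
            j += 1                      # extend the contiguous run
        runs.append(ref[offs[i]:offs[j] + 1])
        i = j + 1
    return runs

def fingerprint_hits(blob, runs):
    """Signature fires only when every shared run is present."""
    return bool(runs) and all(r in blob for r in runs)

def log_rule_hits(blob, threshold=THRESHOLD):
    """The earlier string-count hunt: needs at least `threshold` log lines."""
    return blob.count(LOG_MARKER) >= threshold

# ---- constructed corpus (toy bytes, not real Fog code) --------------------
_rng = random.Random(1)
SHARED_CODE = bytes.fromhex("4883ec28488b0d10000000e8")  # toy "unpack" stub

def make_sample(n_logs, with_code=True):
    logs = b"".join(LOG_MARKER + b"step %d\n" % i for i in range(n_logs))
    pad = _rng.randbytes(32)           # per-sample noise around the shared code
    code = SHARED_CODE if with_code else _rng.randbytes(len(SHARED_CODE))
    return logs + pad + code + _rng.randbytes(64)

LOCKERS = [make_sample(70 + i) for i in range(7)]  # like the 7 initial samples
UNLOCKER = make_sample(20)                          # same code, few log strings
BENIGN = make_sample(90, with_code=False)           # chatty but unrelated binary

if __name__ == "__main__":
    fp = build_fingerprint(LOCKERS)
    print("fingerprint runs:", [r.hex() for r in fp])
    for name, blob in (("unlocker", UNLOCKER), ("benign", BENIGN)):
        print(name, "log rule:", log_rule_hits(blob),
              "fingerprint:", fingerprint_hits(blob, fp))
```

Run as a script it shows the point the speakers make: the count-based rule misses the unlocker (too few log strings) while the code fingerprint catches it, and the fingerprint stays quiet on a chatty binary that merely shares the log strings.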