Adlumin Thwarts Fog Ransomware Attack Using Innovative Decoy Technology


In early August 2024, cybercriminals launched a ransomware attack on a mid-sized financial firm using compromised VPN credentials, deploying the “Fog” ransomware variant on both Windows and Linux endpoints. However, Adlumin’s cutting-edge technology successfully stopped the attack by employing decoy files as sensors to detect ransomware activity.
Fog is a variant of the STOP/DJVU ransomware family, first identified in 2021, known for exploiting VPN vulnerabilities to infiltrate networks, primarily targeting education and recreation sectors. Once inside, it employs advanced tactics like pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files, and delete backups, forcing victims to consider paying a ransom. Encrypted files are marked with extensions such as ‘.FOG’ or ‘.FLOCKED,’ accompanied by a ransom note directing victims to a Tor-based negotiation platform.
Network Discovery and Lateral Movement: Attackers initiated network discovery using pings and advanced port scanning tools, mapping drives with compromised service accounts. The infiltration was traced back to an IP address in Russia, with lateral movement facilitated through domain trust relationships and credential harvesting using the ‘esentutl.exe’ utility.
Execution and Ransomware Propagation: The attackers used ‘Rclone’ to exfiltrate data and deployed ‘locker.exe’ to encrypt files, placing ranso

[…]
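The decoy-file sensor approach described above, applied to the encrypted-file extensions the article attributes to Fog, as an added example (not Adlumin's code; decoy names, contents and the temporary directory are constructed for the demo):

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions the article reports Fog appending to encrypted files (compared case-insensitively).
FOG_EXTENSIONS = (".fog", ".flocked")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(root: Path, names=("Q3_budget.xlsx", "passwords.docx")) -> dict:
    """Create decoy files and return a baseline {path: sha256}. Names are constructed examples."""
    baseline = {}
    for name in names:
        p = root / name
        p.write_bytes(b"DECOY-DO-NOT-EDIT " + name.encode())
        baseline[p] = sha256_of(p)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return alerts for decoys that were modified, removed, or renamed with a Fog extension."""
    alerts = []
    for p, digest in baseline.items():
        if not p.exists():
            # Look for the original name with a ransomware extension appended.
            renamed = [c for c in p.parent.iterdir()
                       if c.name.startswith(p.name) and c.suffix.lower() in FOG_EXTENSIONS]
            if renamed:
                alerts.append(f"RENAMED {p.name} -> {renamed[0].name}")
            else:
                alerts.append(f"MISSING {p.name}")
        elif sha256_of(p) != digest:
            alerts.append(f"MODIFIED {p.name}")
    return alerts


def demo_detection() -> list:
    """Constructed demo: plant decoys, mimic the observable effect of encryption on one, then check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        baseline = plant_decoys(root)
        victim = root / "Q3_budget.xlsx"
        victim.write_bytes(b"\x00opaque-contents")        # contents overwritten
        victim.rename(root / "Q3_budget.xlsx.fog")       # extension appended
        return check_decoys(baseline)


if __name__ == "__main__":
    print(demo_detection())  # prints ["RENAMED Q3_budget.xlsx -> Q3_budget.xlsx.fog"]
```

In a deployment the baseline check would run on a schedule or from a file-system watcher, and a hit on a decoy is a high-confidence signal because legitimate users have no reason to touch those files.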

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
