
Beware: Employees in Financial Services Sector Targeted by Fog Ransomware


TLDR:

  • The Fog ransomware group, previously targeting educational and recreational sectors, is now attacking employees in the financial services sector.
  • Adlumin’s technology was able to prevent an attack on a mid-sized financial institution by detecting ransomware activity within the network.

The Fog ransomware, a variant of the STOP/DJVU family, has shifted its focus to the finance industry. In August 2024, threat actors used compromised VPN credentials to launch a ransomware attack on a financial institution. Adlumin’s technology, utilizing decoy files as sensors, successfully thwarted the attack.

The ransomware expands its reach within a network by using techniques such as pass-the-hash attacks to escalate privileges. It targets sensitive data on endpoints running Windows and Linux operating systems, encrypts important files, and deletes backup data. The encrypted files come with a ransom note directing victims to a negotiation platform on the Tor network.

The attackers used network discovery processes and reconnaissance tools to gain access to the network, utilizing compromised service accounts to move laterally and gather login information saved on endpoints. The ransomware was deployed using a tool called “locker.exe,” which encrypted data and left a ransom note on compromised endpoints. To prevent victims from restoring files from backups, the attackers deleted system shadow copies.

Adlumin’s Ransomware Prevention feature automatically counters attacks, isolates compromised devices, and stops data theft. Recommendations for preventing ransomware attacks include multi-factor authentication, frequent VPN software updates, monitoring VPN access, isolating impacted endpoints, backing up crucial information, implementing the principle of least privilege, and creating incident response plans.
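
The decoy-file sensor idea mentioned above can be sketched as follows. This is an added example, not Adlumin's implementation or code from the original article: it plants decoy files, records a hash baseline, and reports any decoy that is later modified, renamed or deleted. The decoy names, the `.locked` extension and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical decoy names; no legitimate user or process should ever touch them.
DECOY_NAMES = ["~accounts_2024.xlsx", "~payroll_backup.docx"]


def _digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_decoys(directory: Path) -> dict:
    """Write decoy files and return a baseline mapping {path: sha256}."""
    baseline = {}
    for name in DECOY_NAMES:
        path = directory / name
        path.write_bytes(os.urandom(64) + b"constructed decoy content\n" * 40)
        baseline[str(path)] = _digest(path)
    return baseline


def check_decoys(baseline: dict) -> list:
    """Compare decoys with the baseline; every finding is a high-confidence alert."""
    findings = []
    for path_str, expected in baseline.items():
        path = Path(path_str)
        if not path.exists():
            # A missing decoy may have been renamed with an appended extension.
            renamed = sorted(p.name for p in path.parent.glob(path.name + ".*"))
            findings.append((path.name, "missing", renamed))
        elif _digest(path) != expected:
            findings.append((path.name, "modified", []))
    return findings


def demo() -> list:
    """Constructed scenario: one decoy overwritten in place, one renamed."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(Path(tmp))
        first, second = (Path(p) for p in baseline)
        first.write_bytes(os.urandom(256))  # stands in for in-place encryption
        second.rename(second.with_name(second.name + ".locked"))  # made-up extension
        return check_decoys(baseline)


if __name__ == "__main__":
    for name, status, extra in demo():
        print(f"ALERT decoy {name}: {status} {extra}")
```

In a real deployment the check would run continuously or be driven by file-system events, and a finding would trigger the isolation step the article describes.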
