Attacks leveraging breached VPN credentials have been deployed by the new Fog ransomware operation against organizations in the U.S. education sector since early last month, BleepingComputer reports.
After remotely infiltrating organizations' networks using credentials stolen from a pair of VPN gateway vendors, the threat actors carried out pass-the-hash attacks against administrator accounts and credential-stuffing attacks before distributing PsExec, according to a report from Arctic Wolf Labs.
Windows Defender was deactivated to enable the malicious activity that preceded execution of the ransomware encryptor; the ransomware then exfiltrated system information via Windows API calls and terminated certain services and processes before encrypting files and dropping a ransom note, the researchers said.
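The chain reported above (PsExec deployed to hosts, Windows Defender disabled, services stopped ahead of encryption) leaves a recognisable sequence in Windows event logs, and a defender can correlate those stages per host. The following is an added example, not code from the report or from BleepingComputer or Arctic Wolf Labs; it assumes event records already normalised to dicts with `time`, `host`, `channel`, `event_id` and a `data` field map (the field names `ServiceName` and `State` are assumptions of this normalisation), and the sample records, the 30-minute window and the service-stop threshold are constructed for illustration. The event IDs themselves are standard Windows log IDs: 7045 for a service install (PsExec registers `PSEXESVC` by default), Defender 5001 for real-time protection disabled, and 7036 for a service state change.

```python
"""Correlate per-host log events into the reported Fog intrusion stages.

Added example; assumes records normalised to dicts (see lead-in).
Sample records below are constructed, not taken from any incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE_NAMES = {"PSEXESVC"}   # PsExec's default service name
SERVICE_INSTALL_EVENT = 7045          # System log: new service installed
SERVICE_STATE_EVENT = 7036            # System log: service entered a state
DEFENDER_DISABLED_EVENT = 5001        # Defender/Operational: real-time protection off
WINDOW = timedelta(minutes=30)        # assumption: correlation window after PsExec install
MASS_STOP_THRESHOLD = 5               # assumption: >= 5 service stops counts as "mass stop"


def classify(record):
    """Map one normalised event record to a stage label, or None if irrelevant."""
    eid, data = record["event_id"], record["data"]
    if eid == SERVICE_INSTALL_EVENT and data.get("ServiceName", "").upper() in PSEXEC_SERVICE_NAMES:
        return "psexec_service_install"
    if eid == DEFENDER_DISABLED_EVENT and record["channel"].startswith("Microsoft-Windows-Windows Defender"):
        return "defender_disabled"
    if eid == SERVICE_STATE_EVENT and data.get("State", "").lower() == "stopped":
        return "service_stopped"
    return None


def find_chains(records):
    """Return {host: [stages]} for hosts where a PsExec service install is followed,
    within WINDOW, by Defender being disabled and/or a mass service stop."""
    by_host = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        stage = classify(rec)
        if stage:
            by_host[rec["host"]].append((rec["time"], stage))

    findings = {}
    for host, events in by_host.items():
        starts = [t for t, s in events if s == "psexec_service_install"]
        if not starts:
            continue                      # no PsExec on this host: nothing to chain from
        t0 = starts[0]
        in_window = [s for t, s in events if t0 <= t <= t0 + WINDOW]
        stages = {s for s in in_window if s != "service_stopped"}
        if in_window.count("service_stopped") >= MASS_STOP_THRESHOLD:
            stages.add("mass_service_stop")
        if "defender_disabled" in stages or "mass_service_stop" in stages:
            findings[host] = sorted(stages)
    return findings


def _rec(ts, host, channel, eid, **data):
    """Build one constructed, normalised event record."""
    return {"time": datetime.fromisoformat(ts), "host": host,
            "channel": channel, "event_id": eid, "data": data}


# Constructed sample: fs01 shows the full chain; ws07 is a lone admin PsExec use.
SAMPLE_RECORDS = [
    _rec("2024-05-03T02:10:00", "fs01", "System", 7045, ServiceName="PSEXESVC"),
    _rec("2024-05-03T02:12:30", "fs01", "Microsoft-Windows-Windows Defender/Operational", 5001),
    *[_rec(f"2024-05-03T02:15:{i:02d}", "fs01", "System", 7036,
           ServiceName=f"svc{i}", State="stopped") for i in range(6)],
    _rec("2024-05-03T09:00:00", "ws07", "System", 7045, ServiceName="PSEXESVC"),
    _rec("2024-05-03T09:01:00", "ws07", "System", 7036, ServiceName="Spooler", State="stopped"),
]

if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_RECORDS).items():
        print(f"{host}: {', '.join(stages)}")
```

Run against the constructed sample, only `fs01` is flagged; the lone PsExec install on `ws07` is not, which is the point of anchoring on the install and requiring a follow-on stage rather than alerting on PsExec alone.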
More information is still needed to determine the specific nature of the Fog ransomware gang, but an examination of the group's ransom note revealed that it had sought payment of hundreds of thousands of dollars in exchange for a decryptor and data deletion.