TekStream Security Bulletin: A Clear Path to Detecting Fog Ransomware

By David Cheever, Team Lead, Advance Services

Introduction

Fog is a new ransomware variant that encrypts files and appends a “.fog” or “.flocked” extension to them. The attackers behind Fog have exploited compromised virtual private network (VPN) credentials to deploy their ransomware. Their primary targets are educational institutions across the United States, with 80% of victims from the education sector and the remaining 20% from the recreation sector.

The attackers appear financially motivated, focusing on quickly encrypting data without exfiltrating information. After encrypting the files, Fog leaves a ransom note in the form of a text file called “readme.txt”. This highlights the necessity of secure off-site backups and a robust, multi-layered security strategy to promptly detect and mitigate such threats. This bulletin provides a method of detecting Fog Ransomware using Splunk.

Indicators of Compromise (IoCs) of Fog Ransomware

Type: Hashes
  617d79c02ebac68b613d5b7cdbf001fd
  f7c8c60172f9ae4dab9f61c28ccae7084da90a06
  507b26054319ff31f275ba44ddc9d2b5037bd295
  e1fb7d15408988df39a80b8939972f7843f0e785
  83f00af43df650fda2c5b4a04a7b31790a8ad4cf
  44a76b9546427627a8d88a650c1bed3f1cc0278c
  eeafa71946e81d8fe5ebf6be53e83a84dcca50ba
  763499b37aacd317e7d2f512872f9ed719aacae1
  3477a173e2c1005a81d042802ab0f22cc12a4d55
  90be89524b72f330e49017a11e7b8a257f975e9a
  e11e7db705a11f8ca250d8d6826371e550b3214757f5bb9b648c7b0fad09294b
  8b9c7d2554fe315199fae656448dc193accbec162d4afff3f204ce2346507a8a
  d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb
  e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3

Type: Hostnames
  DESKTOP-7G1IC87
  Kali
  VPS65CCB8B75352
  PACKERP-VUDV41R

Type: File Names
  *.flocked
  *.fog
  readme.txt
  DBgLog.sys
  Veeam-Get-Creds.ps1
  psexesvc.exe
  netscan.exe
  lck.exe
  locker_out.exe
  fs.exe
  mon.dll
  advanced_port_scanner.exe
  advanced_port_scanner_2.5.3869.exe
  sharpshares(1).exe

Type: IP Addresses
  5[.]230[.]33[.]176
  77[.]247[.]126[.]200
  107[.]161[.]50[.]26

Leveraging Enterprise Security’s Threat Intelligence Framework

Uploading threat intelligence hinges on correctly formatting your CSV file. The framework requires specific header field names, so the CSV must contain the columns and headers the framework expects for threat matching to work. Prior to uploading, remove the brackets that were added to the IP addresses (defanging, to prevent accidental navigation); bracketed addresses will never match real traffic.

To begin, navigate to Enterprise Security -> Configure -> Data Enrichment -> Threat Intelligence Management -> Sources. From here, select “New” to upload the below CSV file containing relevant Fog IoCs.

<Fog_Ransomware_IoCs.csv>

After uploading, navigate to Security Intelligence -> Threat Intelligence -> Threat Artifacts to view your uploaded values in the Threat Overview section. Filter for Fog_Ransomware_IoCs under Threat Group to confirm successful updates for both endpoint and network artifacts.
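As an added example (not part of the bulletin and not Splunk ES code), the script below prepares the CSV for the upload step above: it refangs the bracketed IPs, sanity-checks each hash as an MD5, SHA-1 or SHA-256 digest so typos and truncated values are caught before upload, and writes one row per indicator. The column names ip, file_hash, file_name, description and weight, and the weight value 60, are assumptions; confirm them against the threat intelligence documentation for your ES version.

```python
import csv
import io
import re

# A subset of the Fog IoCs from the bulletin's table, used as sample input.
FOG_IOCS = {
    "ip": ["5[.]230[.]33[.]176", "77[.]247[.]126[.]200", "107[.]161[.]50[.]26"],
    "file_hash": [
        "617d79c02ebac68b613d5b7cdbf001fd",
        "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",
        "e11e7db705a11f8ca250d8d6826371e550b3214757f5bb9b648c7b0fad09294b",
    ],
    "file_name": ["readme.txt", "Veeam-Get-Creds.ps1", "locker_out.exe"],
}

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

def refang_ip(value: str) -> str:
    """Turn a defanged address like 5[.]230[.]33[.]176 back into 5.230.33.176
    and reject anything that is not a dotted-quad IPv4 address."""
    ip = value.strip().replace("[.]", ".").replace("(.)", ".")
    m = IPV4.match(ip)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        raise ValueError(f"not a valid IPv4 indicator: {value!r}")
    return ip

def hash_type(value: str) -> str:
    """Classify a hex digest by length so typos and truncated hashes are caught."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_LENGTHS:
        raise ValueError(f"not an md5/sha1/sha256 hex digest: {value!r}")
    return HASH_LENGTHS[len(h)]

def build_threat_csv(iocs, group="Fog_Ransomware_IoCs", weight=60) -> str:
    """Return CSV text with one indicator per row. ASSUMPTION: the header names
    and the weight column are what the ES threat intelligence upload expects."""
    fields = ["ip", "file_hash", "file_name", "description", "weight"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for ip in iocs.get("ip", []):
        writer.writerow({"ip": refang_ip(ip), "description": group, "weight": weight})
    for h in iocs.get("file_hash", []):
        writer.writerow({"file_hash": h.strip().lower(),
                         "description": f"{group} ({hash_type(h)})", "weight": weight})
    for name in iocs.get("file_name", []):
        writer.writerow({"file_name": name, "description": group, "weight": weight})
    return buf.getvalue()
```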

Matches identified through various Threat Gen searches populate the threat_activity index and tag events for the Threat Intelligence data model, which security analysts can review on the Threat Activity dashboard. Notable events are generated by the Threat Activity Detected correlation search based on matches from threat sources, which in turn adjust risk scores for relevant assets and identities. Analysts can review these notable events on the Incident Review dashboard, alongside the updated risk scores displayed on the Risk Analysis dashboard.

Detecting Fog with Data Models

If you do not have Enterprise Security, you can still write searches that detect these IoCs using the standard CIM data models, which normalize field names across different data sources. Several data models may surface these IoCs; below are two good starting points:

Network Traffic DM - The Network Traffic data model monitors flows of data across network infrastructure components.

| tstats `summariesonly` latest(_time) as _time,
    values(All_Traffic.user) as user,
    sum("All_Traffic.bytes") as bytes,
    values("All_Traffic.src_port") as src_port,
    values("All_Traffic.transport") as transport,
    values("All_Traffic.dest_port") as dest_port
  from datamodel="Network_Traffic"."All_Traffic"
  where All_Traffic.src IN ("5[.]230[.]33[.]176","77[.]247[.]126[.]200","107[.]161[.]50[.]26")
     OR All_Traffic.src_ip IN ("5[.]230[.]33[.]176","77[.]247[.]126[.]200","107[.]161[.]50[.]26")
     OR All_Traffic.dest IN ("5[.]230[.]33[.]176","77[.]247[.]126[.]200","107[.]161[.]50[.]26")
     OR All_Traffic.dest_ip IN ("5[.]230[.]33[.]176","77[.]247[.]126[.]200","107[.]161[.]50[.]26")
  ```remember to remove brackets between octets```
  by All_Traffic.action All_Traffic.src_ip All_Traffic.dest_ip
| `drop_dm_object_name("All_Traffic")`

Endpoint DM - The Endpoint data model monitors endpoint clients, such as end user machines, laptops, and BYOD devices.

| tstats `summariesonly` latest(_time) as _time,
    latest(Filesystem.file_create_time) as file_create_time,
    latest(Filesystem.file_modify_time) as file_modify_time,
    latest(Filesystem.file_access_time) as file_access_time,
    values(Filesystem.action) as action,
    values(Filesystem.file_name) as file_name,
    values(Filesystem.file_hash) as file_hash,
    values(Filesystem.file_path) as file_path,
    values(Filesystem.file_size) as file_size
  from datamodel="Endpoint"."Filesystem"
  where Filesystem.file_name IN ("readme.txt","DBgLog.sys","Veeam-Get-Creds.ps1","psexesvc.exe","netscan.exe","lck.exe","locker_out.exe","fs.exe","mon.dll","advanced_port_scanner.exe","advanced_port_scanner_2.5.3869.exe","sharpshares(1).exe","*.flocked","*.fog")
     OR Filesystem.file_hash IN ("f7c8c60172f9ae4dab9f61c28ccae7084da90a06","507b26054319ff31f275ba44ddc9d2b5037bd295","e1fb7d15408988df39a80b8939972f7843f0e785","83f00af43df650fda2c5b4a04a7b31790a8ad4cf","44a76b9546427627a8d88a650c1bed3f1cc0278c","eeafa71946e81d8fe5ebf6be53e83a84dcca50ba","763499b37aacd317e7d2f512872f9ed719aacae1","3477a173e2c1005a81d042802ab0f22cc12a4d55","90be89524b72f330e49017a11e7b8a257f975e9a","e11e7db705a11f8ca250d8d6826371e550b3214757f5bb9b648c7b0fad09294b","8b9c7d2554fe315199fae656448dc193accbec162d4afff3f204ce2346507a8a","d0c1662ce239e4d288048c0e3324ec52962f6ddda77da0cb7af9c1d9c2f1e2eb","e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3","617d79c02ebac68b613d5b7cdbf001fd")
  by Filesystem.dest
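As an added example (not from the bulletin), the script below reproduces the matching logic of the Endpoint search above in Python so the indicator list can be exercised against constructed sample Filesystem events offline: case-insensitive wildcard matching on file_name (covering the *.fog and *.flocked extensions), an exact match on file_hash, and a per-dest summary with the latest _time. The sample events are constructed, not real telemetry.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# The file-name and hash indicators from the Endpoint search above.
FOG_FILE_NAMES = [
    "readme.txt", "DBgLog.sys", "Veeam-Get-Creds.ps1", "psexesvc.exe", "netscan.exe",
    "lck.exe", "locker_out.exe", "fs.exe", "mon.dll", "advanced_port_scanner.exe",
    "advanced_port_scanner_2.5.3869.exe", "sharpshares(1).exe", "*.flocked", "*.fog",
]
FOG_HASHES = {
    "617d79c02ebac68b613d5b7cdbf001fd",
    "f7c8c60172f9ae4dab9f61c28ccae7084da90a06",
    "e11e7db705a11f8ca250d8d6826371e550b3214757f5bb9b648c7b0fad09294b",
}

# Constructed sample of Endpoint.Filesystem events; not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1718000000, "dest": "host-a", "file_name": "budget.xlsx.fog", "file_hash": ""},
    {"_time": 1718000300, "dest": "host-a", "file_name": "readme.txt", "file_hash": ""},
    {"_time": 1718000120, "dest": "host-b", "file_name": "svchost.exe",
     "file_hash": "617D79C02EBAC68B613D5B7CDBF001FD"},
    {"_time": 1718000200, "dest": "host-c", "file_name": "report.docx", "file_hash": ""},
]

def file_name_matches(name: str) -> bool:
    """Case-insensitive wildcard match, like Filesystem.file_name IN ("*.fog", ...)."""
    n = name.lower()
    return any(fnmatchcase(n, pattern.lower()) for pattern in FOG_FILE_NAMES)

def detect_fog_file_events(events):
    """Keep events whose file_name or file_hash is a Fog indicator and summarise
    them per dest: latest _time plus the distinct names and hashes seen."""
    by_dest = defaultdict(lambda: {"_time": 0, "file_name": set(), "file_hash": set()})
    for ev in events:
        h = (ev.get("file_hash") or "").lower()
        if not (file_name_matches(ev["file_name"]) or h in FOG_HASHES):
            continue
        row = by_dest[ev["dest"]]
        row["_time"] = max(row["_time"], ev["_time"])
        row["file_name"].add(ev["file_name"])
        if h:
            row["file_hash"].add(h)
    return dict(by_dest)
```

Note that readme.txt on its own will match benign files on most hosts; before raising a notable, corroborate it with a .fog or .flocked file or a hash hit on the same dest.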

Recommendations

To enhance your organization’s security posture, begin by ensuring all threat indicators are effectively blocked through appropriate controls. Utilize your security tools to actively search for IoCs within your environment and maintain strong cyber hygiene practices by regularly updating anti-virus software and implementing a comprehensive patch management lifecycle.

Additionally, enhance access security by implementing two-factor authentication across all relevant systems. In the event of a ransomware attack, protect against data loss by maintaining offline, encrypted backups which are regularly tested for recovery effectiveness. Exercise caution with emails from unfamiliar sources, as they can often serve as entry points for malicious actors. By adopting these practices, you can significantly enhance your organization’s resilience against ransomware and other cyber threats.

Disclaimer

The approaches recommended herein have not been tested broadly across the TekStream customer base. They are preliminary in nature and come without any certification of efficacy.

Purpose of TekStream Security Bulletins

With the TekStream Security Bulletin, we are presenting some specific detection use cases using everyone’s favorite SIEM, Splunk. We’ve cherry-picked vulnerabilities that are not only intriguing but also directly impactful for our valued clients. These vulnerabilities were chosen based on a multitude of factors, ranging from the technology in the crosshairs to the specific sectors being targeted. This is not a blog post to fully explain or give recommendations on remediating the vulnerability or exploit – this has been discussed at length by various resources. The goal here is to aggregate the detections to maximize your chances of detecting an attempt to exploit these vulnerabilities. A part of that is gathering the list of IOCs scattered in multiple locations on the internet and looking at activity that could point to the vulnerability being exploited. Here at TekStream, we have an amazing team of cybersecurity engineers armed with a deep knowledge of logs and the secrets they hold, ready to fortify your cyber resiliency.