Researchers issue warning over new ransomware variant targeting the education sector

Ransomware concept image showing digital padlock in blue on dark background
(Image credit: Getty Images)

Security researchers have issued a warning over a new ransomware variant being used in threat campaigns targeting the education sector in the US.

Arctic Wolf Labs released a report on the new ransomware, dubbed ‘Fog’, which their researchers had been studying for the last month.

On 2 May 2024, Arctic Wolf Labs researchers began investigating a series of cases where threat actors had deployed the Fog ransomware against US organizations in the education and recreation sector.

The report noted that it appears the variant is deployed along similar lines to other ransomware operations that have gained traction in recent years, making a distinction between the entity behind the encryptor software, or ransomware payload, and affiliates linked to the designer who actually carried out the ‘hands-on-keyboard’ attack.

In each of the cases investigated in the report, researchers identified a common initial access method leveraging compromised VPN credentials to secure remote access to the target system.

In one case, the threat actors employed the pass the hash technique to access administration accounts and establish remote desktop protocol (RDP) connections to Windows servers running Hyper-V and Veeam software.

In another instance, researchers found evidence of credential stuffing that they speculated was used to enable lateral movement throughout the victim’s environment.

The payload itself bore many similarities to the encryptor software used in other ransomware variants, and the samples analyzed across these cases exhibited evidence they were compiled from the same source code.

New ransomware has unusual extortion methods 

The extortion tactics used in the attacks studied by Arctic Wolf Labs showed the groups deploying Fog are not following the standard operating procedures of previous ransomware operators.

Once the attacker successfully encrypted the victim’s data, they were observed to leave identical ransom notes, including an .onion address the victim can use to begin negotiations.

There was no evidence of the group attempting to exfiltrate the data to employ the increasingly popular double - or triple - extortion techniques to ratchet up the pressure on the victim.

Accordingly, the report notes the researchers had not observed any additional presence of the groups behind the attacks on the dark web, such as posting the victims on a data leak site or listing any stolen data on underground cyber crime forums.

Speaking to ITPro, David Sancho, senior antivirus researcher at Trend Micro said that the relatively basic feature-set being deployed by the group indicates they are still in the process of developing their operation.

“We’re aware of threat actor activity using the 'Fog' ransomware variant. It’s important to note that this ransomware uses fewer features than some of the larger competing ransomware groups. This suggests that the threat actors using 'Fog' are likely still in the process of developing a full-fledged ransomware tool,’ he noted.

“Limiting themselves to encrypting and failing to leverage more extortion techniques, for example, narrows the pool of potential targets to those without solid backup management systems. It’s possible that successful attacks could be followed with more features being added to the ransomware, including exfiltration and a data leak site, to put more pressure on targets to pay a ransom.” 

Education sector remains an easy target

The education sector was a top target for ransomware in 2023, with research from Sophos indicating that 79% and 80% of higher and lower education institutions were compromised by a ransomware attack over the course of the year.

This trend looks set to continue, with every victim studied by the researchers at Arctic Wolf Labs being based in the US, with 80% operating in the education sector and 20% in recreation.  

Tim Grieveson, SVP and global risk advisor at Bitsight, told ITPro that organizations in the education sector often struggle with their defense posture as a result of limited funding, limited understanding of their third party risks, and resource allocation that often neglects cyber resilience.

“Education doesn’t seem to do as well because they may not have got the right investments, they may not understand what their third-party supplier posture looks like, they may not understand what their own posture looks like,” he explained.

“They may not necessarily have the board buy-in because it might be a combination of multiple organizations rather than a single enterprise. In education, typically their investments are around the students and security is an afterthought.”

Sancho cautioned against the suggestion the group is specifically targeting the education sector, however, due to the limited sample size available to Arctic Wolf Labs when conducting their research.

“I’d warn against any suggestion that threat actors using “Fog” are major ransomware players targeting the education sector. The sample size of observed attacks by Arctic Wolf, might split these attacks 80% / 20% between education and recreational – but this is also due to a small sample size of 5 or less victims, echoing our own telemetry of the impact of this group,” Sancho said.

“To put that into context, in May we saw at least 213 companies who had their data compromised, leaked and posted on ransomware extortion sites and many more targeted.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.