Piercing through the fog.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Kerri Shafer-Page: On or around early May, around May 2nd, Arctic Wolf began monitoring deployment of the new ransomware variant referred to as "Fog." What we saw was that across victim organizations, most of them were in the US, with about 80% of the victims in the education sector, and about 20% in the recreation sector.
Dave Bittner: That's Kerri Shafer-Page, vice president of Digital Forensics and Incident Response at Arctic Wolf. The research we're discussing today is titled "Lost in the Fog: A New Ransomware Threat." [ Music ]
Kerri Shafer-Page: So the threat actors showed an interest in rapid encryption of VM storage data and then ransom payment for decryption of the said data, right? So this is pretty common. But what we didn't see is the actual exfiltration. And something I should point out too when it comes to the education sector, this is often an understaffed and underfunded sector, right? So they don't have a lot of IT support. So it's an easy target for them not to have all the security operation controls they should have in place. So oftentimes threat actors when they're able to kind of get a foothold, it's not surprising that once they get into the environment, they're able to move laterally quickly. And then the big thing is being able to elevate their privilege, which is actually how they get to the content of concern, right? Which was the cases that we saw.
Dave Bittner: Well, let's dig into some of the technical details here. I mean, can you walk us through what does a typical infection look like? How does someone find themselves falling victim to this?
Kerri Shafer-Page: Yeah, I mean, even if you have, you know, different controls in place -- I mean, these were VPN credentials that were compromised as the initial attack vector, right? So in one of the early cases we saw what's called "pass the hash" activity, where the administrator accounts were subsequently used and then remote desktop protocol (RDP) connections to Windows servers running Hyper-V and Veeam were used. We also saw credential stuffing. And if you're familiar with that, that's where, you know, often credentials are used across variable different applications and not changed, right? So a bot is often used to try to leverage repeatedly going after to try to get in. But in all of the cases, we actually saw where PsExec was deployed to several of the hosts, and then again RDP and SMB were used to access those targeted hosts.
Dave Bittner: And you say that they want to get in here sort of quickly and do the things they're going to do. I mean, does that mean that in that process they're also being particularly noisy?
Kerri Shafer-Page: In some cases. I mean, that's where it's awesome to have security operations in place, an MDR type solution, where, you know, any abnormal network traffic is actually detected. But in some cases, you know, they could be quite stealthy, right? We didn't see it in this particular instance, but you do kind of see where threat actors will come in -- and there's what's called, you know, a long dwell time, right? Where they're watching the patterns and the behaviors of the end-users in the environment and figuring out how best to leverage and get to where they want.
So even with the right credentials and controls in place, right, we often see that, if you've got on the front end good protection but they've gotten in and moved laterally, they're not using, you know, protecting the privilege escalation, which is the biggest thing, right? Whether it's domain admin or any type of credential like that that allows them to get to the data, we often see that's where organizations fall down from a structure standpoint in keeping those controls current.
Dave Bittner: And what are you seeing in terms of the ask, a dollar amount for a ransom; do you have data there?
Kerri Shafer-Page: Well, we can't disclose on our cases what the financial ask is. And the nice thing about Arctic Wolf as well, we have a threat actor communication team, right? So ideally, you always want a client not to have to pay. But as we all recognize, especially when you're dealing with data as sensitive as education, right, where you have a lot of PII. There may be a need for a client to have to pay. So in that case it's that negotiation piece that takes over. But ultimately, you're always going into it with communications with the client to say, look, ultimately, you'd like not to pay, and if they have to, then it's that negotiation piece that comes in, right? How do we reduce that ransom if they do have to? And then it's also making sure too -- there's this concern, it's called "double extortion," right? In some cases, unfortunately, you see a client pay because they needed a crypto key. And then they turn around and they've paid for that, they may be able to unlock their data, but a threat actor has exfiltrated a version, a copy, of it and they still release it to the dark web, right? So I'm talking in general, right, of what you see when you have those concerns about negotiation with a threat actor. We have not in these circumstances seen any evidence of double extortion here.
Dave Bittner: We'll be right back. I guess where I'm coming at this from is, you know, you mentioned at the outset that the education sector in particular is often underfunded. And so I'm curious, do we see a comparatively low ask relative to other ransomware situations that we've heard of? Perhaps taking into mind that the education sector is underfunded and would not be able to fund a big ransomware ask. You see where I'm going with that?
Kerri Shafer-Page: I totally see where you're going. And you're right, I mean, sometimes you do see threat actors have a heart, right?
Dave Bittner: It's a funny thing to say, isn't it [laughing]?
Kerri Shafer-Page: Exactly. I feel bad, oh no, I hit a children's hospital, maybe we'll do something different. But, yeah, we have not seen that applied to these circumstances. So yeah, they don't seem to have the sensitivity there.
Dave Bittner: Yeah. And you mentioned exfiltration. Are we actually seeing exfiltration, or is it just the ransom itself, the locking up of the data?
Kerri Shafer-Page: We have not seen any exfiltration, it's just been the encryption. And that's where I was using that kind of smash and grab, right? It looks like they're getting in. And unfortunately because of the vulnerable opportunity -- your network, I should say -- they're able to kind of laterally move quickly and get that encryption taken care of.
Dave Bittner: I see. Well, can we dig into some of the technical details here? I mean, that's something you and your colleagues have shared the information. But what are some of the highlights that you think folks should be aware of?
Kerri Shafer-Page: I mean, it's not unusual, we said that. So did it surprise us that we didn't see exfiltration? Probably not. But I think what's most surprising to me is again it's the controls that we hope that, you know, organizations and clients kind of have in place, right? That you go through, and even if you have an incident response plan, you know, people aren't turning around and updating those. It's just like you change the batteries in your smoke alarms, right? That needs to be a consistent thing that happens. So I think, you know, that's what really needs to kind of be taken into account is that, you know, especially when you're talking about VPN credentials. I mean, a lot of times that starts potentially, if it's not a product, you know, it starts with the end-user. So it's the education. It's the security awareness of them, on to, you know, how they're setting their passwords -- are you using a phrase? There's simple things of education that can happen with the end-user. And then I think it's also, even if you have a small IT department that I referenced even for the education sector, it's like where are you spending your money, right? Like if you only could have, you know, one or two people that support it, make sure you're doing the controls that matter. Make sure you're doing the identity and the access management. Again, locking down privilege on devices that people don't need to have access to, using LAPS. You know, there's a lot of different means in order to organize that. And then, you know, you asked the question earlier, with the abnormality of traffic, I think that's a really important one, right? If you could have any type of EDR solution or monitoring that's in place in order for you to help detect, you know, that type of abnormal traffic, like how do you react to it? So I think there's some basics depending on whatever budget you come from and whatever sector that's important to work through.
And even if you're, you know, having to get consult -- Arctic Wolf will do this as well, but a lot of IR firms do. You know, sitting down with a client and helping them go through these preventative steps, right -- what do I need to do from a prevention and awareness standpoint so that I'm not the next victim?
Dave Bittner: Yeah. When you look at this particular ransomware payload, how do you rate its sophistication?
Kerri Shafer-Page: You know, it's hard to tell here too if this is one actual threat actor. As you know, ransomware as a service is big business. You know, what we have seen from the casework that we analyzed is we do see a shared functional code block between the ransomware payloads. So definitely we consider that involvement from, you know, a common entity. I would say it's, you know, not overly sophisticated, but it definitely, you know, is coming from somebody that knows what they're doing and enough that the execution is achieving what they wanted to do, right, when it comes from an encryption standpoint. So, you know, evidence is definitely tying these cases to, you know, potentially one solo threat actor, but it's not yet conclusive. So it'll be interesting to see if this still -- you know, now that they know they've gotten the attention, right? I think there's a lot of media that's picked it up. It will be interesting if they take, you know, a greater stance and start attacking more. Like we saw in the past with some other players like Cactus and others. Or, you know, even if they start, you know, identifying themselves, right, as to who they potentially might be an affiliate of.
Dave Bittner: And how would you rate currently the scale of this threat, how widespread are you seeing this?
Kerri Shafer-Page: I mean, we've seen a fair amount, you know, ourselves, casework that we worked. But, you know, I can't actually, you know, comment on, you know, our peer industry teams and what they're seeing. I don't know if there's enough evidence yet that's kind of, you know, been correlated to substantiate that. [ Music ]
Dave Bittner: Our thanks to Kerri Shafer-Page from Arctic Wolf for joining us. The research is titled "Lost in the Fog: A New Ransomware Threat." We'll have a link in the Show Notes. And that's Research Saturday, brought to you by N2K's CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the Show Notes, or send an email to cyberwire@n2k.com. We're privileged that N2K's CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]