arcticwolf.com
Open in
urlscan Pro
13.224.189.24
Public Scan
URL:
https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/
Submission: On June 13 via api from DE — Scanned from DE
Submission: On June 13 via api from DE — Scanned from DE
Form analysis
4 forms found in the DOM<form>
<span id="search_label" style="display: none;">Search</span>
<input type="text" class="st-default-search-input" aria-labelledby="search_label" onfocus="search_active()" autocomplete="off" autocorrect="off" autocapitalize="off">
</form>
Name: mktoForm_4815 —
<form id="mktoForm_4815" onsubmit="try {_6si.send(event); } catch (error) { console.error(error);}" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutAbove"
style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); width: 1601px;" name="mktoForm_4815" digitalpi-utms-added="true">
<style type="text/css"></style>
<div class="mktoFormRow" data-wrapper-for="FirstName">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap"><label for="FirstName" id="LblFirstName" class="mktoLabel mktoHasWidth" style="width: 100px;">
<div class="mktoAsterix">*</div>First Name:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="FirstName" name="FirstName" maxlength="255" aria-labelledby="LblFirstName InstructFirstName" type="text" class="mktoField mktoTextField mktoHasWidth"
style="width: 150px;"><span id="InstructFirstName" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="LastName">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap"><label for="LastName" id="LblLastName" class="mktoLabel mktoHasWidth" style="width: 100px;">
<div class="mktoAsterix">*</div>Last Name:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="LastName" name="LastName" maxlength="255" aria-labelledby="LblLastName InstructLastName" type="text" class="mktoField mktoTextField mktoHasWidth"
style="width: 150px;"><span id="InstructLastName" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="Company">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap"><label for="Company" id="LblCompany" class="mktoLabel mktoHasWidth" style="width: 100px;">
<div class="mktoAsterix">*</div>Company Name:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Company" name="Company" maxlength="255" aria-labelledby="LblCompany InstructCompany" type="text" class="mktoField mktoTextField mktoHasWidth"
style="width: 150px;"><span id="InstructCompany" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="Email">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 248px;">
<div class="mktoAsterix">*</div>* Business Email:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email" class="mktoField mktoEmailField mktoHasWidth mktoRequired"
aria-required="true" style="width: 150px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="Country">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Country" id="LblCountry" class="mktoLabel mktoHasWidth" style="width: 178px;">
<div class="mktoAsterix">*</div>* Country:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><select id="Country" name="Country" aria-labelledby="LblCountry InstructCountry" class="mktoField mktoHasWidth mktoRequired" aria-required="true" style="width: 150px;">
<option value=""></option>
<option value="US">United States</option>
<option value="CA">Canada</option>
<option value="GB">United Kingdom</option>
<option value="AF">Afghanistan</option>
<option value="AX">Aland Islands</option>
<option value="AL">Albania</option>
<option value="DZ">Algeria</option>
<option value="AS">American Samoa</option>
<option value="AD">Andorra</option>
<option value="AO">Angola</option>
<option value="AI">Anguilla</option>
<option value="AQ">Antarctica</option>
<option value="AG">Antigua and Barbuda</option>
<option value="AR">Argentina</option>
<option value="AM">Armenia</option>
<option value="AW">Aruba</option>
<option value="AU">Australia</option>
<option value="AT">Austria</option>
<option value="AZ">Azerbaijan</option>
<option value="BS">Bahamas</option>
<option value="BH">Bahrain</option>
<option value="BD">Bangladesh</option>
<option value="BB">Barbados</option>
<option value="BY">Belarus</option>
<option value="BE">Belgium</option>
<option value="BZ">Belize</option>
<option value="BJ">Benin</option>
<option value="BM">Bermuda</option>
<option value="BT">Bhutan</option>
<option value="BO">Bolivia, Plurinational State of</option>
<option value="BQ">Bonaire, Sint Eustatius and Saba</option>
<option value="BA">Bosnia and Herzegovina</option>
<option value="BW">Botswana</option>
<option value="BV">Bouvet Island</option>
<option value="BR">Brazil</option>
<option value="IO">British Indian Ocean Territory</option>
<option value="BN">Brunei Darussalam</option>
<option value="BG">Bulgaria</option>
<option value="BF">Burkina Faso</option>
<option value="BI">Burundi</option>
<option value="KH">Cambodia</option>
<option value="CM">Cameroon</option>
<option value="CV">Cape Verde</option>
<option value="KY">Cayman Islands</option>
<option value="CF">Central African Republic</option>
<option value="TD">Chad</option>
<option value="CL">Chile</option>
<option value="CN">China</option>
<option value="CX">Christmas Island</option>
<option value="CC">Cocos (Keeling) Islands</option>
<option value="CO">Colombia</option>
<option value="KM">Comoros</option>
<option value="CG">Congo</option>
<option value="CD">Congo, the Democratic Republic of the</option>
<option value="CK">Cook Islands</option>
<option value="CR">Costa Rica</option>
<option value="CI">Cote d'Ivoire</option>
<option value="HR">Croatia</option>
<option value="CU">Cuba</option>
<option value="CW">Curaçao</option>
<option value="CY">Cyprus</option>
<option value="CZ">Czech Republic</option>
<option value="DK">Denmark</option>
<option value="DJ">Djibouti</option>
<option value="DM">Dominica</option>
<option value="DO">Dominican Republic</option>
<option value="EC">Ecuador</option>
<option value="EG">Egypt</option>
<option value="SV">El Salvador</option>
<option value="GQ">Equatorial Guinea</option>
<option value="ER">Eritrea</option>
<option value="EE">Estonia</option>
<option value="ET">Ethiopia</option>
<option value="FK">Falkland Islands (Malvinas)</option>
<option value="FO">Faroe Islands</option>
<option value="FJ">Fiji</option>
<option value="FI">Finland</option>
<option value="FR">France</option>
<option value="GF">French Guiana</option>
<option value="PF">French Polynesia</option>
<option value="TF">French Southern Territories</option>
<option value="GA">Gabon</option>
<option value="GM">Gambia</option>
<option value="GE">Georgia</option>
<option value="DE">Germany</option>
<option value="GH">Ghana</option>
<option value="GI">Gibraltar</option>
<option value="GR">Greece</option>
<option value="GL">Greenland</option>
<option value="GD">Grenada</option>
<option value="GP">Guadeloupe</option>
<option value="GU">Guam</option>
<option value="GT">Guatemala</option>
<option value="GG">Guernsey</option>
<option value="GN">Guinea</option>
<option value="GW">Guinea-Bissau</option>
<option value="GY">Guyana</option>
<option value="HT">Haiti</option>
<option value="HM">Heard Island and McDonald Islands</option>
<option value="VA">Holy See (Vatican City State)</option>
<option value="HN">Honduras</option>
<option value="HK">Hong Kong</option>
<option value="HU">Hungary</option>
<option value="IS">Iceland</option>
<option value="IN">India</option>
<option value="ID">Indonesia</option>
<option value="IR">Iran, Islamic Republic of</option>
<option value="IQ">Iraq</option>
<option value="IE">Ireland</option>
<option value="IM">Isle of Man</option>
<option value="IL">Israel</option>
<option value="IT">Italy</option>
<option value="IV">Ivory Coast</option>
<option value="JM">Jamaica</option>
<option value="JP">Japan</option>
<option value="JE">Jersey</option>
<option value="JO">Jordan</option>
<option value="KZ">Kazakhstan</option>
<option value="KE">Kenya</option>
<option value="KI">Kiribati</option>
<option value="KP">Korea, Democratic People's Republic of</option>
<option value="KR">Korea, Republic of</option>
<option value="XK">Kosovo</option>
<option value="KW">Kuwait</option>
<option value="KG">Kyrgyzstan</option>
<option value="LA">Lao People's Democratic Republic</option>
<option value="LV">Latvia</option>
<option value="LB">Lebanon</option>
<option value="LS">Lesotho</option>
<option value="LR">Liberia</option>
<option value="LY">Libya</option>
<option value="LI">Liechtenstein</option>
<option value="LT">Lithuania</option>
<option value="LU">Luxembourg</option>
<option value="MO">Macao</option>
<option value="MK">Macedonia, the former Yugoslav Republic of</option>
<option value="MG">Madagascar</option>
<option value="MW">Malawi</option>
<option value="MY">Malaysia</option>
<option value="MV">Maldives</option>
<option value="ML">Mali</option>
<option value="MT">Malta</option>
<option value="MH">Marshall Islands</option>
<option value="MQ">Martinique</option>
<option value="MR">Mauritania</option>
<option value="MU">Mauritius</option>
<option value="YT">Mayotte</option>
<option value="MX">Mexico</option>
<option value="FM">Micronesia</option>
<option value="MD">Moldova, Republic of</option>
<option value="MC">Monaco</option>
<option value="MN">Mongolia</option>
<option value="ME">Montenegro</option>
<option value="MS">Montserrat</option>
<option value="MA">Morocco</option>
<option value="MZ">Mozambique</option>
<option value="MM">Myanmar</option>
<option value="NA">Namibia</option>
<option value="NR">Nauru</option>
<option value="NP">Nepal</option>
<option value="NL">Netherlands</option>
<option value="NC">New Caledonia</option>
<option value="NZ">New Zealand</option>
<option value="NI">Nicaragua</option>
<option value="NE">Niger</option>
<option value="NG">Nigeria</option>
<option value="NU">Niue</option>
<option value="NF">Norfolk Island</option>
<option value="MP">Northern Mariana Islands</option>
<option value="NO">Norway</option>
<option value="OM">Oman</option>
<option value="PK">Pakistan</option>
<option value="PW">Palau</option>
<option value="PS">Palestine</option>
<option value="PA">Panama</option>
<option value="PG">Papua New Guinea</option>
<option value="PY">Paraguay</option>
<option value="PE">Peru</option>
<option value="PH">Philippines</option>
<option value="PN">Pitcairn</option>
<option value="PL">Poland</option>
<option value="PT">Portugal</option>
<option value="PR">Puerto Rico</option>
<option value="QA">Qatar</option>
<option value="RE">Reunion</option>
<option value="RO">Romania</option>
<option value="RU">Russian Federation</option>
<option value="RW">Rwanda</option>
<option value="BL">Saint Barthélemy</option>
<option value="SH">Saint Helena, Ascension and Tristan da Cunha</option>
<option value="KN">Saint Kitts and Nevis</option>
<option value="LC">Saint Lucia</option>
<option value="MF">Saint Martin (French part)</option>
<option value="PM">Saint Pierre and Miquelon</option>
<option value="VC">Saint Vincent and the Grenadines</option>
<option value="WS">Samoa</option>
<option value="SM">San Marino</option>
<option value="ST">Sao Tome and Principe</option>
<option value="SA">Saudi Arabia</option>
<option value="SN">Senegal</option>
<option value="RS">Serbia</option>
<option value="SC">Seychelles</option>
<option value="SL">Sierra Leone</option>
<option value="SG">Singapore</option>
<option value="SX">Sint Maarten (Dutch part)</option>
<option value="SK">Slovakia</option>
<option value="SI">Slovenia</option>
<option value="SB">Solomon Islands</option>
<option value="SO">Somalia</option>
<option value="ZA">South Africa</option>
<option value="GS">South Georgia and the South Sandwich Islands</option>
<option value="SS">South Sudan</option>
<option value="ES">Spain</option>
<option value="LK">Sri Lanka</option>
<option value="SD">Sudan</option>
<option value="SR">Suriname</option>
<option value="SJ">Svalbard and Jan Mayen</option>
<option value="SZ">Swaziland</option>
<option value="SE">Sweden</option>
<option value="CH">Switzerland</option>
<option value="SY">Syrian Arab Republic</option>
<option value="TW">Taiwan</option>
<option value="TJ">Tajikistan</option>
<option value="TZ">Tanzania, United Republic of</option>
<option value="TH">Thailand</option>
<option value="TL">Timor-Leste</option>
<option value="TG">Togo</option>
<option value="TK">Tokelau</option>
<option value="TO">Tonga</option>
<option value="TT">Trinidad and Tobago</option>
<option value="TN">Tunisia</option>
<option value="TR">Turkey</option>
<option value="TM">Turkmenistan</option>
<option value="TC">Turks and Caicos Islands</option>
<option value="TV">Tuvalu</option>
<option value="UG">Uganda</option>
<option value="UA">Ukraine</option>
<option value="AE">United Arab Emirates</option>
<option value="UY">Uruguay</option>
<option value="VI">US Virgin Islands</option>
<option value="UZ">Uzbekistan</option>
<option value="VU">Vanuatu</option>
<option value="VE">Venezuela, Bolivarian Republic of</option>
<option value="VN">Viet Nam</option>
<option value="VG">Virgin Islands, British</option>
<option value="WF">Wallis and Futuna</option>
<option value="EH">Western Sahara</option>
<option value="YE">Yemen</option>
<option value="ZM">Zambia</option>
<option value="ZW">Zimbabwe</option>
</select><span id="InstructCountry" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="">
<div class="mktoPlaceholder mktoPlaceholderState"></div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="">
<div class="mktoPlaceholder mktoPlaceholderPostalCode"></div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="mktoCheckbox_89025_0 Consent_Opt_In__c">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap"><label for="Consent_Opt_In__c" id="LblConsent_Opt_In__c" class="mktoLabel mktoHasWidth d-none" style="width: 10px;">
<div class="mktoAsterix">*</div>
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div>
<div class="mktoLogicalField mktoCheckboxList mktoHasWidth" style="width: 458px;"><input name="Consent_Opt_In__c" id="mktoCheckbox_89025_0" type="checkbox" value="yes"
aria-labelledby="LblConsent_Opt_In__c LblmktoCheckbox_89025_0 InstructConsent_Opt_In__c" class="mktoField"><label for="mktoCheckbox_89025_0" id="LblmktoCheckbox_89025_0">Yes, I would like to receive marketing emails from Arctic Wolf about
solutions that may be of interest to me.</label></div><span id="InstructConsent_Opt_In__c" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow" data-wrapper-for="">
<div class="mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset mktoHasWidth" style="width: 5px;"></div>
<div class="mktoFieldWrap">
<div class="mktoHtmlText mktoHasWidth" style="width: 360px;"><span>By submitting this form I agree to the
</span><strong><a href="https://arcticwolf.com/terms-of-use/" target="_blank" id="">Website Terms of Use</a></strong><span><span> </span>and
the<span> </span></span><strong><a href="https://arcticwolf.com/privacy-policy/" target="_blank" id="">Arctic Wolf Privacy Policy</a>.<br></strong></div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton" name="mktoButton_4815">Submit</button></span></div><input type="hidden" name="formid"
class="mktoField mktoFieldDescriptor" value="4815"><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="840-OSQ-661"><input type="hidden" name="utm_orig_medium__c" class="mktoField mktoFieldDescriptor"
value="none"><input type="hidden" name="utm_orig_source__c" class="mktoField mktoFieldDescriptor" value="none">
</form>
<form onsubmit="try {_6si.send(event); } catch (error) { console.error(error);}" novalidate="novalidate" class="mktoForm mktoHasWidth mktoLayoutAbove"
style="font-family: inherit; font-size: 13px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>
<form>
<input class="st-default-search-input st-search-set-focus" type="text" value="" placeholder="Search this site" aria-label="Search this site" id="st-overlay-search-input" autocomplete="off" autocorrect="off" autocapitalize="off">
</form>
Text Content
___ * Arctic Wolf 2024 Trends Report: Explore the State of Cybersecurity DOWNLOAD * Search EXPERIENCED A BREACH? CONTACT US * EN * EN-GB (United Kingdom) * FR (Français) * DE (Deutsch) * EN * EN-GB (United Kingdom) * FR (Français) * DE (Deutsch) * Solutions * * * * SOLUTIONS * * INDUSTRIES * * * Arctic Wolf Solutions The cybersecurity industry has an effectiveness problem. Despite new technologies emerging every year, high-profile breaches continue to occur. To prevent these attacks, the industry needs to adopt a new approach by focusing on security operations. That’s where Arctic Wolf can help. EXPLORE BUNDLES * * Managed Detection and Response * QUICKLY DETECT, RESPOND, AND RECOVER FROM ADVANCED THREATS. * Cloud Detection and Response * DETECT AND RESPOND TO ADVANCED THREATS TARGETING YOUR CLOUD INFRASTRUCTURE AND APPLICATIONS. * Managed Risk * DISCOVER, ASSESS, AND HARDEN YOUR ENVIRONMENT AGAINST DIGITAL RISKS. * Cloud Security Posture Management (CSPM) * EXPLORE, HARDEN, AND SIMPLIFY YOUR CLOUD ENVIRONMENT AGAINST MISCONFIGURATION VULNERABILITIES. * Managed Security Awareness® * ENGAGE AND PREPARE EMPLOYEES TO RECOGNIZE AND NEUTRALIZE SOCIAL ENGINEERING ATTACKS. * Incident Response * RECOVER QUICKLY FROM CYBER ATTACKS AND BREACHES, FROM THREAT CONTAINMENT TO BUSINESS RESTORATION. * * Industries * Overview * Compliance Solutions * Financial Services * Healthcare * State & Local Government * Manufacturing * Legal * View All * How It Works * * * * HOW IT WORKS * * * How it Works Built on an open XDR architecture, the Arctic Wolf Platform® combines with our Concierge Delivery Model to work as an extension of your team, proactively protect your environment, and strengthen your security posture. How It Works FAQ * * Security Operations Cloud * DELIVERING SECURITY OPERATIONS OUTCOMES. * Security Operations Platform * COLLECT, ENRICH, ANALYZE. * Platform Integrations * ECOSYSTEM INTEGRATIONS AND TECHNOLOGY PARTNERSHIPS. * * Concierge Delivery Model * TAILORED SECURITY EXPERTISE AND GUIDED RISK MITIGATION. * Arctic Wolf Security Teams * SECURITY EXPERTS PROACTIVELY PROTECTING YOU 24×7. * Go Inside Our SOC * MEET SOME OF THE SECURITY EXPERTS WORKING ALONGSIDE YOU AND YOUR TEAM. * * Security Expertise, Delivered Our Arctic Wolf® Security Teams ensure we have a complete understanding of your unique IT environment right from the start. SEE OUR TEAMS IN ACTION * Why Arctic Wolf * * * Why Arctic Wolf? Learn more about our unique approach to cybersecurity and why Arctic Wolf has emerged as a leader in the industry. * Why Arctic Wolf * * * * * Industry Analysis * * * Awards & Recognition * * * Customer Perspectives * * * * * Security Operations Warranty * * * Arctic Wolf Labs * Resources * * * Resources * Resource Center * Blog * Events * Case Studies * Webinars * Analyst Reports * Podcasts * Interactive Tools * Glossary * * TRENDING RESOURCES * Arctic Wolf 2024 Trends Report LEARN HOW ORGANIZATIONS ACROSS THE GLOBE ARE RESPONDING TO THREATS AND CHALLENGES, AND IMPLEMENTING PROACTIVE MEASURES TO MITIGATE CYBER RISK. DOWNLOAD Ransomware Explained UNDERSTANDING RANSOMWARE — FROM ITS ORIGINS TO ITS IMPACTS TO THE TTPS THAT ALLOW RANSOMWARE GANGS TO EXPLOIT VICTIM ORGANIZATIONS AND MAKE OFF WITH MILLIONS IN RANSOM PAYMENTS AND EXTORTION FEES. LEARN MORE Arctic Wolf Labs 2024 Threat Report THE ELITE SECURITY RESEARCHERS, DATA SCIENTISTS, AND SECURITY DEVELOPERS OF ARCTIC WOLF LABS SHARE FORWARD-THINKING INSIGHTS ALONG WITH PRACTICAL GUIDANCE YOU CAN APPLY TO PROTECT YOUR ORGANIZATION. DOWNLOAD * * SECURITY BULLETINS * June 4, 2024 CVE-2024-4358 & CVE-2024-1800: POC EXPLOIT PUBLISHED FOR PRE-AUTHENTICATED RCE CHAIN IN PROGRESS TELERIK REPORT SERVER June 3, 2024 STOLEN CREDENTIAL CAMPAIGN AFFECTING SNOWFLAKE ENVIRONMENTS May 30, 2024 OKTA CROSS-ORIGIN AUTHENTICATION FEATURE IN CUSTOMER IDENTITY CLOUD TARGETED IN CREDENTIAL STUFFING ATTACKS VIEW ALL * Partners * Overview * Solution Providers * Managed Service Providers * OEM Solutions * Cyber Insurance Providers * Company * * * * COMPANY * * * About Arctic Wolf We envision a future without cyber risk. Every organization should be so effective at security operations that both the likelihood and impact of a cyber attack is minimized to the point where risk is essentially zero. * * About Us * Leadership * Our Values * F1 Racing * * Newsroom * Blog * Press Releases * IndyCar Racing * * Careers * Contact Us * Customers * Pack Impact * EXPERIENCED A BREACH? * REQUEST A DEMO < BACK TO BLOG * June 4, 2024 * by Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown and Arctic Wolf Labs Team LOST IN THE FOG: A NEW RANSOMWARE THREAT Share : SUMMARY On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector. We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation. ABOUT FOG RANSOMWARE Starting in early May, the Arctic Wolf Incident Response team began investigating cases involving the deployment of the Fog ransomware variant against US organizations in the education and recreation sectors. We refer to Fog as a ransomware variant rather than a group to distinguish between the entities responsible for creating the encryptor software and those conducting the hands-on-keyboard attacks against victims. This is a critical distinction because ransomware groups sometimes project an image of being a singular group when they are in fact composed of independent affiliate groups. At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown. In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024. Early in one of the cases, pass-the-hash activity was observed against administrator accounts which were subsequently used to establish RDP connections to Windows Servers running Hyper-V and Veeam. In another case, evidence of credential stuffing was observed, which was thought to facilitate lateral movement throughout the environment. In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts. On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors. Threat actors were observed encrypting VMDK files in VM storage and deleting backups from object storage in Veeam. Threat actors left behind ransom notes on affected systems and deployed a functionally identical ransomware payload in all cases. Other than a unique chat code, the ransom notes were identical. Other than the .onion address used for communication between the victim and threat actor, we have not observed an additional dark web presence such as a data leak site. TECHNICAL ANALYSIS RANSOMWARE PAYLOAD The ransomware encryptor binary exhibits common techniques that are typically leveraged in other ransomware variants. The samples we analyzed from different cases contained many similarities, including identical functional code blocks and instructions, indicating that they were compiled from the same source code. When the sample first executes, it attempts to create a new file called DbgLog.sys in the special directory %AppData%. The DbgLog.sys file is populated with log lines indicating the status and error conditions of the ransomware as each technique is executed. During the initialization routine, the sample references NTDLL.DLL and the function NtQuerySystemInformation. Notably, the NT API is part of the Windows internal APIs and is typically recommended not to be called directly since it can change with each version of Windows. The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available. This information can be useful when determining how many threads the multi-threaded encryption routine should allocate. Once the initialization routine is complete, the command line arguments are checked for specific options: * NOMUTEX: Does not create a mutex, this will allow multiple versions of the ransomware to execute at the same time. * TARGET: Specific location to begin discovery. * CONSOLE: Create a new console window for the calling process and attach the standard output and error. Further customization is present in the sample via a JSON based configuration block. The following configurable options will control what activities takes place pre and post encryption: * RSAPubKey: Embedded public key used for encryption * LockedExt: Post encryption file extension * NotefileName: Name of the ransomware note * ShutdownProcesses: Ensures the processes are terminated prior to encrypting * ShutdownServices: Ensures the services are stopped prior to encrypting Volumes, network resources, and files are discovered using the standard Windows APIs such as: FindFirstVolume, WNetOpenEnum and FindFirstFile. The Unicode variants of these functions were used in each case. Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files. This thread pool uses the logical processor information with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs for CryptImportKey and the CryptEncrypt are called during the process. Once the encryption is complete, the file extension is added to each file using the Unicode version of the MoveFile Windows API and the LockedExt option, in the cases observed the extensions .FOG and .FLOCKED were configured. A ransom note is written to the disk using the configured Notefilename option located in the configuration block, in the cases observed the note file was named readme.txt. Before the sample terminates, the volume shadow copy is deleted by creating a new process via the CreateProcess function with the command line: vssadmin.exe delete shadows /all /quiet. By deleting the volume shadow copy using the /all switch, the sample will delete all the specified volume’s shadow copies, and the /quiet switch will ensure no messages are displayed during the deletion. TACTICS, TECHNIQUES, AND PROCEDURES (TTPS) Tactic Technique Sub-techniques or Tools Initial Access T1133: External Remote Services T1078: Valid Accounts • Compromised VPN Credentials Discovery T1046: Network Service Discovery • SoftPerfect Network Scanner • Advanced Port Scanner T1135: Network Share Discovery • SharpShares Lateral Movement T1021: Remote Services • T1021.001: Remote Desktop Protocol • T1021.002: SMB/Windows Admin Shares T1570: Lateral Tool Transfer • PsExec Credential Access T1003: OS Credential Dumping • T1003.003: NTDS T1555: Credentials from Password Stores • PowerShell script (Veeam-Get-Creds.ps1) to obtain passwords from the Veeam Backup and Replication Credentials Manager T1110: Brute Force • T1110.004: Credential Stuffing Persistence T1136: Create Account • T1136.001: Local Account (Administrator) Execution T1059: Command and Scripting Interpreter • T1059.003: Windows Command Shell T1569: System Services • T1569.002: Service Execution (PsExec) Defense Evasion T1562: Impair Defenses • T1562.001: Disable or Modify Tools (Windows Defender/AV) T1550: Use Alternate Authentication Material • T1550.002: Pass the Hash T1078: Valid Accounts T1140: Deobfuscate/Decode Files or Information T1070: Indicator Removal • T1070.004: File Deletion Impact T1486: Data Encrypted for Impact T1490: Inhibit System Recovery • vssadmin.exe used to delete volume shadow copies on the system T1489: Service Stop TOOLS Name Description PsExec A tool that allows threat actors to execute processes on other systems with full interactivity for console applications. The threat actor leveraged PsExec to move laterally and execute commands. Metasploit Penetration testing framework. Metasploit usage was detected against a Veaam server. SoftPerfect Network Scanner Network administration tool for Windows, macOS, and Linux. The threat actor used SoftPerfect to discover network services. Advanced Port Scanner Free network and port scanner. The threat actor used Advanced Port Scanner to discover network services. SharpShares An open-source tool used to enumerate accessible network shares. The threat actor used SharpShares v2.3 to discover network shares. Veeam-Get-Creds.ps1 An open-source PowerShell script used by the threat actor to obtain passwords from the Veeam Backup and Replication Credentials Manager HOW ARCTIC WOLF PROTECTS ITS CUSTOMERS Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers. Arctic Wolf Labs has leveraged threat intelligence around Fog ransomware to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor. CONCLUSION While few details are known about the threat actors involved, the shared functional code blocks between ransomware payloads suggest that the same source code was shared between the payloads. This may implicate the involvement of a common entity between the cases. On the other hand, despite similarities, evidence tying together the cases under a single threat actor is not conclusive. The threat actors in the cases described here show an interest in rapid encryption of VM storage data and ransom payment for decryption of that data. Diverging from common practice in most ransomware intrusions, the threat actors were not observed to exfiltrate data from hosts being encrypted. Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack involving data exfiltration and a high-profile leak site. This evidence, along with known victimology, suggests that the threat actors are financially motivated and primarily target the education sector. Although the tactics employed in these cases are fairly typical of ransomware activity, these threats serve as a reminder of the importance of secure, off-site backup infrastructure and defense-in-depth to render attacks impotent as early as possible. APPENDIX INDICATORS OF COMPROMISE (IOCS) Indicator Type Description f7c8c60172f9ae4dab9f61c28ccae7084da90a06 SHA1 Fog ransomware binary (lck.exe) 507b26054319ff31f275ba44ddc9d2b5037bd295 SHA1 Fog ransomware binary (locker_out.exe) e1fb7d15408988df39a80b8939972f7843f0e785 SHA1 Fog ransomware binary (fs.exe) 83f00af43df650fda2c5b4a04a7b31790a8ad4cf SHA1 Fog ransomware binary (locker_out.exe) 44a76b9546427627a8d88a650c1bed3f1cc0278c SHA1 Fog ransomware binary (mon.dll) eeafa71946e81d8fe5ebf6be53e83a84dcca50ba SHA1 PsExec (psexesvc.exe) 763499b37aacd317e7d2f512872f9ed719aacae1 SHA1 Advanced Port Scanner (advanced_port_scanner.exe) 3477a173e2c1005a81d042802ab0f22cc12a4d55 SHA1 Advanced Port Scanner (advanced_port_scanner_2.5.3869.exe) 90be89524b72f330e49017a11e7b8a257f975e9a SHA1 SharpShares (sharpshares(1).exe) DESKTOP-7G1IC87 Hostname Threat actor’s hostname Kali Hostname Threat actor’s hostname VPS65CCB8B75352 Hostname Threat actor’s hostname PACKERP-VUDV41R Hostname Threat actor’s hostname readme.txt Filename Ransom note DBgLog.sys Filename Log file created by ransomware binary Veeam-Get-Creds.ps1 Filename PowerShell script used to obtain passwords from Veeam Backup and Replication Credentials Manager PSEXESVC.exe Filename PsExec netscan.exe Filename SoftPerfect Network Scanner .flocked File Extension Appended file extension to encrypted files .fog File Extension Appended file extension to encrypted files 5.230.33[.]176 IP Address IP address used by the threat actor to login to VPN appliance 77.247.126[.]200 IP Address IP address used by the threat actor to login to VPN appliance 107.161.50[.]26 IP Address IP address used by the threat actor to login to VPN appliance DETECTION OPPORTUNITIES ENDPOINT The Veeam-Get-Creds.ps1 PowerShell script includes the following strings: [System.Security.Cryptography.ProtectedData]::Unprotect [System.Security.Cryptography.DataProtectionScope]::LocalMachine SqlDatabaseName Detecting occurrences of all 3 strings in PowerShell script block logging may be able to identify usage of this tool. As part of our Managed Detection and Response service, Arctic Wolf has detections in place for this technique, in addition to other techniques employed by this threat actor. ADDITIONAL RESOURCES Get forward-thinking insights along with practical guidance you can apply to your organization in the Arctic Wolf Labs 2024 Threat Report. Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report. ABOUT ARCTIC WOLF LABS Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large. AUTHORS STEFAN HOSTETLER Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively. STEVEN CAMPBELL Steven Campbell is a Lead Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft. CHRISTOPHER PREST Christopher is a Lead Security Researcher and a 17-year veteran in Software and Application security development, coupled with 2 years of cutting edge detection engineering and security research. A seasoned expert, Christopher focuses on Malware analysis and reverse engineering to shape the future of cybersecurity. CONNOR BELFIORE Connor Belfiore is a Senior Threat Intelligence Analyst at Arctic Wolf Incident Response. He has more than five years of experience in threat intelligence, financial crimes investigation, and blockchain analysis. MARKUS NEIS Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks. JOE WEDDERSPOON Joe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 6 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors. RICK MCQUOWN Rick McQuown is a senior forensic Analyst at Arctic Wolf Incident Response and a 22-year veteran of digital forensic investigations specializing in full disk image forensics. Over the years, Rick has trained hundreds of forensic practitioners in advanced forensics, including EnCase and Memory Forensics. STEFAN HOSTETLER, STEVEN CAMPBELL, CHRISTOPHER PREST, CONNOR BELFIORE, MARKUS NEIS, JOE WEDDERSPOON, RICK MCQUOWN AND ARCTIC WOLF LABS TEAM Share : PrevPreviousCVE-2024-4358 & CVE-2024-1800: PoC Exploit Published for Pre-Authenticated RCE Chain in Progress Telerik Report Server NextThe History of RansomwareNext Table of Contents * Summary * About Fog Ransomware * Technical Analysis * Tactics, Techniques, and Procedures (TTPs) * Tools * How Arctic Wolf Protects Its Customers * Conclusion * Appendix * Detection Opportunities * Additional Resources * About Arctic Wolf Labs * Authors * * Continue Reading Categories * Cloud Security * Cyber Attacks and Breaches * Cyber Insurance * Managed Detection and Response * Podcasts * Regulatory Compliance * Security Awareness * Security Bulletins * Vulnerability Management Subscribe to our Monthly Newsletter * First Name: * Last Name: * Company Name: * * Business Email: * * Country: United StatesCanadaUnited KingdomAfghanistanAland IslandsAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntarcticaAntigua and BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBolivia, Plurinational State ofBonaire, Sint Eustatius and SabaBosnia and HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean TerritoryBrunei DarussalamBulgariaBurkina FasoBurundiCambodiaCameroonCape VerdeCayman IslandsCentral African RepublicChadChileChinaChristmas IslandCocos (Keeling) IslandsColombiaComorosCongoCongo, the Democratic Republic of theCook IslandsCosta RicaCote d'IvoireCroatiaCubaCuraçaoCyprusCzech RepublicDenmarkDjiboutiDominicaDominican RepublicEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEthiopiaFalkland Islands (Malvinas)Faroe IslandsFijiFinlandFranceFrench GuianaFrench PolynesiaFrench Southern TerritoriesGabonGambiaGeorgiaGermanyGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuernseyGuineaGuinea-BissauGuyanaHaitiHeard Island and McDonald IslandsHoly See (Vatican City State)HondurasHong KongHungaryIcelandIndiaIndonesiaIran, Islamic Republic ofIraqIrelandIsle of ManIsraelItalyIvory CoastJamaicaJapanJerseyJordanKazakhstanKenyaKiribatiKorea, Democratic People's Republic ofKorea, Republic ofKosovoKuwaitKyrgyzstanLao People's Democratic RepublicLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacaoMacedonia, the former Yugoslav Republic ofMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesiaMoldova, Republic ofMonacoMongoliaMontenegroMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorthern Mariana IslandsNorwayOmanPakistanPalauPalestinePanamaPapua New GuineaParaguayPeruPhilippinesPitcairnPolandPortugalPuerto RicoQatarReunionRomaniaRussian FederationRwandaSaint BarthélemySaint Helena, Ascension and Tristan da CunhaSaint Kitts and NevisSaint LuciaSaint Martin (French part)Saint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSint Maarten (Dutch part)SlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSouth Georgia and the South Sandwich IslandsSouth SudanSpainSri LankaSudanSurinameSvalbard and Jan MayenSwazilandSwedenSwitzerlandSyrian Arab RepublicTaiwanTajikistanTanzania, United Republic ofThailandTimor-LesteTogoTokelauTongaTrinidad and TobagoTunisiaTurkeyTurkmenistanTurks and Caicos IslandsTuvaluUgandaUkraineUnited Arab EmiratesUruguayUS Virgin IslandsUzbekistanVanuatuVenezuela, Bolivarian Republic ofViet NamVirgin Islands, BritishWallis and FutunaWestern SaharaYemenZambiaZimbabwe * Yes, I would like to receive marketing emails from Arctic Wolf about solutions that may be of interest to me. By submitting this form I agree to the Website Terms of Use and the Arctic Wolf Privacy Policy. Submit CONTINUE READING Four Ways to Prevent Credential Theft and Credential-Based Attacks READ MORE ❯ June 7, 2024 The History of Ransomware READ MORE ❯ June 5, 2024 Lost in the Fog: A New Ransomware Threat READ MORE ❯ June 4, 2024 © 2024 Arctic Wolf * * * * GLOBAL HEADQUARTERS ARCTIC WOLF NETWORKS 8939 COLUMBINE RD, SUITE 150 EDEN PRAIRIE, MN 55347 1.888.272.8429 * 𝕏 * REQUEST A DEMO * * Solutions * Managed Detection and Response * Cloud Detection and Response * Managed Risk * Cloud Security Posture Management * Managed Security Awareness * Incident Response * * Company * Contact Us * Careers * Leadership * Newsroom * Partners * Why Partner with Arctic Wolf? * * Resources * Blog * Case Studies * Webinars * Events * Analyst Reports * Newsletter * * * * © 2024 ARCTIC WOLF NETWORKS INC. ALL RIGHTS RESERVED. PRIVACY NOTICE TERMS OF USE COOKIE POLICY ACCESSIBILITY STATEMENT INFORMATION SECURITY SUSTAINABILITY STATEMENT COOKIE-EINSTELLUNGEN Wenn Sie auf „Alle Cookies akzeptieren“ klicken, stimmen Sie der Speicherung von Cookies auf Ihrem Gerät zu, um die Websitenavigation zu verbessern, die Websitenutzung zu analysieren und unsere Marketingbemühungen zu unterstützen. Alle Cookies akzeptieren Alle ablehnen Cookie-Einstellungen DATENSCHUTZ-PRÄFERENZ-CENTER Wenn Sie eine Website besuchen, kann diese Informationen über Ihren Browser abrufen oder speichern. Dies geschieht meist in Form von Cookies. Hierbei kann es sich um Informationen über Sie, Ihre Einstellungen oder Ihr Gerät handeln. Meist werden die Informationen verwendet, um die erwartungsgemäße Funktion der Website zu gewährleisten. Durch diese Informationen werden Sie normalerweise nicht direkt identifiziert. Dadurch kann Ihnen aber ein personalisierteres Web-Erlebnis geboten werden. Da wir Ihr Recht auf Datenschutz respektieren, können Sie sich entscheiden, bestimmte Arten von Cookies nicht zulassen. Klicken Sie auf die verschiedenen Kategorieüberschriften, um mehr zu erfahren und unsere Standardeinstellungen zu ändern. Die Blockierung bestimmter Arten von Cookies kann jedoch zu einer beeinträchtigten Erfahrung mit der von uns zur Verfügung gestellten Website und Dienste führen. Weitere Informationen Alle zulassen EINWILLIGUNGSPRÄFERENZEN VERWALTEN SOCIAL-MEDIA-COOKIES Social-Media-Cookies Diese Cookies werden von einer Reihe von Social Media-Diensten gesetzt, die wir auf der Website verwenden, damit Sie unsere Inhalte mit Ihren Freunden und Netzwerken teilen können. Diese Cookies sind in der Lage, Ihren Browser über andere Websites hinweg zu verfolgen und ein Profil Ihrer Interessen zu erstellen. Dies kann sich auf Inhalte und Nachrichten auswirken, die Sie auf anderen Websites sehen. Wenn Sie diese Cookies nicht zulassen, können Sie diese Freigabetools möglicherweise nicht verwenden oder sehen. UNBEDINGT ERFORDERLICHE COOKIES Immer aktiv Diese Cookies sind zur Funktion der Website erforderlich und können in Ihren Systemen nicht deaktiviert werden. In der Regel werden diese Cookies nur als Reaktion auf von Ihnen getätigte Aktionen gesetzt, die einer Dienstanforderung entsprechen, wie etwa dem Festlegen Ihrer Datenschutzeinstellungen, dem Anmelden oder dem Ausfüllen von Formularen. Sie können Ihren Browser so einstellen, dass diese Cookies blockiert oder Sie über diese Cookies benachrichtigt werden. Einige Bereiche der Website funktionieren dann aber nicht. Diese Cookies speichern keine personenbezogenen Daten. LEISTUNGS-COOKIES Leistungs-Cookies Diese Cookies ermöglichen es uns, Besuche und Verkehrsquellen zu zählen, damit wir die Leistung unserer Website messen und verbessern können. Sie unterstützen uns bei der Beantwortung der Fragen, welche Seiten am beliebtesten sind, welche am wenigsten genutzt werden und wie sich Besucher auf der Website bewegen. Alle von diesen Cookies erfassten Informationen werden aggregiert und sind deshalb anonym. Wenn Sie diese Cookies nicht zulassen, können wir nicht wissen, wann Sie unsere Website besucht haben. COOKIES FÜR MARKETINGZWECKE Cookies für Marketingzwecke Diese Cookies können über unsere Website von unseren Werbepartnern gesetzt werden. Sie können von diesen Unternehmen verwendet werden, um ein Profil Ihrer Interessen zu erstellen und Ihnen relevante Anzeigen auf anderen Websites zu zeigen. Sie speichern nicht direkt personenbezogene Daten, basieren jedoch auf einer einzigartigen Identifizierung Ihres Browsers und Internet-Geräts. Wenn Sie diese Cookies nicht zulassen, werden Sie weniger gezielte Werbung erleben. FUNKTIONELLE COOKIES Funktionelle Cookies Mit diesen Cookies ist die Website in der Lage, erweiterte Funktionalität und Personalisierung bereitzustellen. Sie können von uns oder von Drittanbietern gesetzt werden, deren Dienste wir auf unseren Seiten verwenden. Wenn Sie diese Cookies nicht zulassen, funktionieren einige oder alle dieser Dienste möglicherweise nicht einwandfrei. Back Button COOKIE-LISTE Search Icon Filter Icon Clear checkbox label label Apply Cancel Consent Leg.Interest checkbox label label checkbox label label checkbox label label Alle ablehnen Meine Auswahl bestätigen Close suggested results