In the increasingly complex and dangerous landscape of cybersecurity, new actors and malware variants continually emerge, threatening the data integrity and security of organizations around the world. Recently, Artic Wolfs Labs discovered a new ransomware variant called FOG, which has started to predominantly target the education sector in the United States. This discovery comes alongside another alarm raised by Imperva researchers regarding the TellYouThePass ransomware, known since 2019, which now exploits a PHP vulnerability tracked as CVE-2024-4577.

FOG: the ransomware obscuring the education sector

FOG stands out as a highly sophisticated ransomware, designed to encrypt files and make critical data inaccessible. The authors of this threat operate in the shadows, most likely affiliated with ransomware-as-a-service (RaaS) operations. These criminal groups use compromised VPN credentials to infiltrate victims’ networks, a method that highlights the need for rigorous and secure management of login credentials.

Network administrators in the education sector are challenged to keep their guard up and take proactive measures to mitigate risks in real time. Recommended actions include constant monitoring of network activity, implementation of multi-factor authentication (MFA), and ongoing staff education on cybersecurity best practices.

TellYouThePass: Old threats with new tools

While FOG represents an emerging threat, the TellYouThePass ransomware group continues to evolve, exploiting new vulnerabilities to infect victims’ systems. PHP vulnerability CVE-2024-4577, although already patched with an update, is still being used by criminals to load malicious web shells on Windows PHP systems, paving the way for ransomware installation.

This modus operandi highlights the crucial importance of keeping systems updated with the latest security patches and implementing rigorous controls on uploading web files. Organizations must be aware of known vulnerabilities and act promptly to apply available fixes.

Cryptocurrency payments and double extortion

In both cases, the cybercriminals behind FOG and TellYouThePass demand cryptocurrency payments, typically in double-digit amounts, as a ransom for data decryption. However, security authorities strongly advise against giving in to these requests, as there is no guarantee that the data will actually be recovered or that the criminals will not otherwise spread the stolen information.

Victims of ransomware attacks must be prepared to respond without paying the ransom. Using secure and up-to-date backups can be an effective solution to recovering data without giving in to blackmail. Furthermore, it is essential to involve law enforcement agencies to appropriately address the situation and contribute to the investigation of the criminal groups responsible.

Conclusions

The discovery of new ransomware variants like FOG and the continued evolution of existing threats like TellYouThePass highlight how organizations, particularly those in the education sector, must be vigilant, informed and ready to implement security best practices to protect their data and infrastructure. Only through a combination of prevention, preparedness and effective response can the risks be mitigated and the impact of these devastating attacks reduced.