We carefully monitor changes in the techniques used by various cybercriminal groups. Recently, experts from Kaspersky's Global Research and Analysis Team (GReAT) noted that, after attacks with Fog ransomware, the attackers were publishing not only the victims' data, but also the IP addresses of the attacked computers. We haven't seen this tactic used by ransomware groups before. In this post, we explain why it matters and what the purpose of this tactic is.
Who is the Fog ransomware group, and what is it known for?
Since the ransomware business began to turn into a full-fledged industry, the cybercriminals involved have been splitting themselves into various specializations. Nowadays, the creators of the ransomware and the people directly behind the attacks are most often not connected in any way: the former develop the malware along with a platform for attacks and subsequent extortion, while the latter simply buy access to the code and infrastructure under the ransomware-as-a-service (RaaS) model.
Fog ransomware is one such platform, first observed in early 2024. The malware is used to attack computers running either Windows or Linux. As has become standard among ransomware operators in recent years, the affected data is not only encrypted, but also uploaded to the attackers' servers and then, if the victim refuses to pay, published on a Tor site.
Attacks using Fog have been carried out against companies in education, finance, and recreation. Typically, the criminals used previously leaked VPN credentials to penetrate the victim's infrastructure.
Why are they publishing IP addresses?
Our experts believe that the main goal of publishing IP addresses is to increase the psychological pressure on victims. First, it increases the traceability and visibility of an incident. Publishing the name of a victim company is less specific, whereas an IP address can quickly tell not only who the victim was, but also what exactly was attacked (whether it was a server or a workstation in the infrastructure). And the more visible the incident, the more likely the victim is to face lawsuits over the data leak and fines from regulators. Therefore, it's more likely that the victim will make a deal and pay the ransom.
In addition, publishing an IP address sends a signal to other criminal groups, which can use the leaked data. They become aware of the address of a machine that is known to be vulnerable and have access to the information downloaded from it, which can be studied and used for further attacks on the same company's infrastructure. This, in turn, makes the consequences of publication even more unpleasant, and thus becomes an additional deterrent to ignoring the extortionists' demands.
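Because a published IP address is actionable for other attackers, a defender wants to know quickly whether any address on a leak site falls inside their own ranges, and whether it is an internet-facing host or an internal one. The following is an added example (not code from Kaspersky or from this post) showing one way to do that triage offline: it pulls IPv4 addresses out of a constructed leak-site post, validates them, and matches them against an organisation's own network ranges and asset inventory. The leak text, the ranges (RFC 5737 documentation space and RFC 1918 private space) and the asset names are all made up for the example.

```python
import ipaddress
import re

# Constructed sample: the kind of text a leak-site post might contain.
# The "999.1.1.1" entry is deliberate noise to show that invalid
# addresses are filtered out rather than crashing the triage.
LEAK_POST = """
victim: example-corp
hosts: 203.0.113.7, 203.0.113.250, 10.20.30.40, 198.51.100.5, 999.1.1.1
"""

# Constructed: the ranges the organisation owns or routes (hypothetical).
ORG_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
]

# Constructed asset inventory keyed by address (hypothetical hostnames).
ASSETS = {
    "203.0.113.7": "vpn-gw-01 (external VPN concentrator)",
    "10.20.30.40": "fs-02 (internal file server)",
}

# RFC 1918 private ranges, used to label internal versus external hosts.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Loose dotted-quad pattern; real validation is done by ipaddress below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text):
    """Return unique, syntactically valid IPv4 addresses in order of appearance."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. an octet above 255
            continue
        if ip not in found:
            found.append(ip)
    return found


def classify(ips, org_ranges, assets):
    """Tag each address with ownership, network scope and known asset name."""
    findings = []
    for ip in ips:
        ours = any(ip in net for net in org_ranges)
        internal = any(ip in net for net in RFC1918)
        findings.append({
            "ip": str(ip),
            "ours": ours,
            "scope": "internal" if internal else "external",
            "asset": assets.get(str(ip)),
        })
    return findings


def triage(leak_text, org_ranges=ORG_RANGES, assets=ASSETS):
    """Return only the published addresses that belong to this organisation."""
    return [f for f in classify(extract_ips(leak_text), org_ranges, assets)
            if f["ours"]]


if __name__ == "__main__":
    for hit in triage(LEAK_POST):
        label = hit["asset"] or "NOT IN INVENTORY"
        print(f"{hit['ip']:<16} {hit['scope']:<9} {label}")
```

Addresses that are ours but absent from the inventory (here 203.0.113.250) deserve the most attention: they are exactly the hosts an attacker knows about and the defender does not. External hits are candidates for immediate isolation or credential rotation on the service they expose; internal hits indicate how far the intrusion reached.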
How to stay safe
Since most ransomware attacks still begin with employee error, we first recommend periodically raising staff awareness of modern cyberthreats (for example, using an online training platform).
To avoid losing access to important data, we recommend, as always, making backups and keeping them in storage isolated from the main network. Given that Fog operators typically entered through previously leaked VPN credentials, it is also worth rotating exposed remote-access credentials and requiring multi-factor authentication for VPN logins. To prevent ransomware from running on the company's computers, every corporate device with network access should be equipped with an effective security solution. We also recommend that large companies monitor activity in their infrastructure using an XDR-class solution and, if necessary, involve third-party specialists in detection and response activities.