Research conducted by Arctic Wolf Labs has identified a new ransomware variant named Fog. This variant has been detected in multiple incidents, displaying consistent characteristics across them. Most of Fog’s targets are based in the United States, with 80% of attacks aimed at the education sector and 20% targeting the recreation industry.

Fog is referred to as a ransomware variant rather than a ransomware group to distinguish between the creators of the encryptor software and the attackers who deploy it. Currently, the structure of the group or groups responsible for using Fog ransomware remains unknown. The research suggests that additional insights and details will be incorporated as more information about Fog becomes available.

The research has shown that threat actors in investigated cases gained access to target environments by exploiting compromised VPN credentials. Two separate VPN gateway vendors were leveraged for remote access.