Asian financial institution

The Fog ransomware operation compromised an Asian financial institution, using compromised VPN credentials for initial access. Once inside, the attackers used 'pass-the-hash' techniques to obtain administrative privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage. Additional tools, including Syteca, Stowaway, SMBExec, GC2, Adapt2x C2, Process Watchdog, PsExec, Impacket SMB, 7-Zip, MegaSync, and FreeFileSync, were used for lateral movement and data exfiltration. Because these tools are rarely seen together in ransomware intrusions, their use helped the attackers evade detection.

Source: https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-unusual-mix-of-legitimate-and-open-source-tools/

TPRM report: https://scoringcyber.rankiteo.com/company/asianfinancialsociety

{
"id": "asi307061225",
"linkid": "asianfinancialsociety",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Finance',
                        'location': 'Asia',
                        'name': 'Financial institution in Asia',
                        'type': 'Financial'}],
 'attack_vector': ['Compromised VPN credentials',
                   'Pass-the-hash attacks',
                   'Exploitation of n-day flaws in Veeam Backup & Replication '
                   '(VBR) servers',
                   'Exploitation of n-day flaws in SonicWall SSL VPN '
                   'endpoints'],
 'description': 'Fog ransomware hackers are using an uncommon toolset, which '
                'includes open-source pentesting utilities and a legitimate '
                'employee monitoring software called Syteca. The attack '
                "involved compromised VPN credentials, 'pass-the-hash' "
                'attacks, and the exploitation of n-day flaws impacting Veeam '
                'Backup & Replication (VBR) servers and SonicWall SSL VPN '
                'endpoints.',
 'motivation': 'Financial gain through ransom',
 'ransomware': {'data_encryption': 'All files, including virtual machine '
                                   'storage',
                'ransomware_strain': 'Fog'},
 'references': [{'source': 'Symantec'}],
 'response': {'third_party_assistance': ['Symantec',
                                         'Carbon Black Threat Hunter team']},
 'threat_actor': 'Fog Ransomware Group',
 'title': 'Fog Ransomware Attack',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Veeam Backup & Replication (VBR) servers',
                             'SonicWall SSL VPN endpoints']}