Passthrough – Wisconsin Fusion Center Report (TLP: WHITE) – Emerging Ransomware Actor Targeting VMware ESXi

The Wisconsin Fusion Center has shared an intelligence report regarding an increase in ransomware attacks within the state. They have identified a new threat actor known as “Fog” who is behind some of these attacks.

Notables from the report:

• The threat actor “Fog” has been targeting ESXi servers and encrypting VMware Virtual Machine Disks (VMDKs) and log files at the hypervisor or host level.
• Most of these attacks appear to be utilizing past practices of compromising credentials through lack of security protocols, use of exposed or unpatched firewalls and VPNs, and most commonly, different types of phishing attacks.
• Fog has shown the capability to gain access to root user credentials even if complex protected passwords were in use.

Members are encouraged to review the full report for recommendations on securing ESXi servers and best practices.

Access the full report below.