Malware · January 10, 2026 · 4 min read

Fog Ransomware Targets US Schools Through Stolen VPNs

A ransomware operation has compromised multiple US educational institutions using stolen VPN credentials. The education sector represents 80% of known victims.

James Rivera

A ransomware variant called Fog has been systematically targeting US educational organizations by exploiting stolen VPN credentials. Arctic Wolf Labs, which has been tracking the campaign, reports that 80% of affected organizations operate in the education sector. The remaining 20% are recreation organizations. All known victims are located in the United States.

The attacks highlight a persistent problem: underfunded IT departments managing remote access infrastructure without adequate security controls.

Attack Chain

Fog operators don't break down doors—they walk through unlocked ones. In every case Arctic Wolf investigated, attackers gained initial access through compromised VPN credentials. Two different VPN gateway vendors were observed, suggesting the attackers aren't exploiting vendor-specific vulnerabilities but rather abusing valid credentials obtained elsewhere.

Where those credentials come from varies. Password reuse exposes accounts when employees' personal data leaks from unrelated breaches. Infostealer malware harvests credentials from infected machines. Phishing campaigns target staff with access to remote systems. The infostealer ecosystem has made credential acquisition trivially easy for attackers willing to pay.

Once inside via VPN, the attackers follow a standard playbook:

  1. Pass-the-hash against administrator accounts, authenticating with stolen NTLM hashes rather than plaintext passwords
  2. RDP connections to Windows Servers running Hyper-V and Veeam
  3. Credential stuffing, replaying the harvested credentials against other hosts, for lateral movement across the environment
  4. Backup destruction before ransomware deployment
  5. Fog ransomware execution across accessible systems

Targeting Veeam backup servers early in the attack chain is deliberate. Destroying or encrypting backups eliminates the victim's primary recovery option, increasing ransom payment pressure.

Why Education

Schools make compelling targets for ransomware operators. Limited budgets mean small IT departments managing infrastructure that rivals mid-size businesses in complexity. Summer breaks and holidays create staffing gaps when attacks are less likely to be noticed immediately.

Kerri Shafer-Page, vice president of DFIR at Arctic Wolf, put it directly: "Education is often underfunded and understaffed when it comes to cyber. And when you think about summer vacations and the staffing model, they often have very small IT departments. It's a perfect opportunity for attackers."

The data schools hold adds to their attractiveness. Student records contain personal information useful for identity theft. Financial aid data includes Social Security numbers and banking details. Employee records provide additional personal data. This information has value beyond encryption leverage—attackers can sell it regardless of whether victims pay.

We've seen similar patterns with Aurora College in Canada, where a cyber attack forced class suspensions. Educational institutions face ransomware pressure globally.

Fog Ransomware Analysis

Fog operates as a ransomware variant rather than a distinct group with clear organizational structure. This distinction matters: the software's creators may be separate from the operators conducting attacks. Affiliate models are common in ransomware, where different teams handle development, initial access, and operations.

Early Fog campaigns focused purely on encryption without data exfiltration. More recent operations have adopted double extortion, stealing data before encryption and threatening to publish it if victims don't pay. The group now operates a data leak site for this purpose.

The evolution from encryption-only to double extortion follows a broader trend. Encryption alone has become less effective as organizations improve backup practices. Adding data theft creates leverage even when technical recovery is possible—the threat of public exposure or regulatory penalties motivates payment independent of operational disruption.

Defensive Recommendations

VPN security should be a priority:

  1. Implement multi-factor authentication on all VPN connections
  2. Monitor VPN logs for unusual access patterns (off-hours, unusual locations)
  3. Use certificate-based authentication where possible
  4. Regularly audit VPN user accounts and remove unnecessary access
  5. Consider implementing zero trust network access as a VPN alternative
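The log monitoring in item 2 is the control most directly aimed at the Fog intrusions, since the attackers authenticated successfully with valid credentials. The script below is an added example, not Arctic Wolf's tooling or any vendor's detection content. It parses constructed syslog-style VPN records and flags three patterns: off-hours logons, a source country the user has never connected from, and two countries inside a short window ("impossible travel"). The `GEO_TABLE` prefix lookup and the per-user `BASELINE` are assumptions standing in for a GeoIP database and a learned baseline; the thresholds are illustrative.

```python
"""Flag suspicious VPN logons in constructed syslog-style records.

Added example: GEO_TABLE, BASELINE and the sample records are assumptions,
not data from any real gateway.
"""
from __future__ import annotations
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records (not real logs): timestamp, gateway, user, source IP, outcome.
SAMPLE_LOG = """\
2025-07-14T09:02:11 vpn-gw1 user=jsmith src=203.0.113.40 result=success
2025-07-14T09:15:42 vpn-gw1 user=akhan src=203.0.113.41 result=success
2025-07-15T02:47:03 vpn-gw1 user=jsmith src=198.51.100.77 result=success
2025-07-15T03:10:19 vpn-gw1 user=jsmith src=203.0.113.40 result=success
2025-07-15T03:20:01 vpn-gw1 user=backup-admin src=198.51.100.77 result=success
"""

# Stand-in for a GeoIP lookup (assumed prefix-to-country table; documentation ranges).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RO",
}

# Assumed learned baseline: countries each user has historically connected from.
BASELINE = {"jsmith": {"US"}, "akhan": {"US"}, "backup-admin": {"US"}}

BUSINESS_HOURS = range(6, 20)       # 06:00-19:59 local time counts as normal
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is "impossible travel"


def country_for(ip: str) -> str:
    """Map a source address to a country using the stand-in table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"


def parse(line: str) -> dict:
    """Split one record into fields and enrich it with timestamp and country."""
    ts, _gateway, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["country"] = country_for(fields["src"])
    return fields


def find_anomalies(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for each suspicious successful logon."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous successful logon
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["result"] != "success":
            continue  # failures matter for spraying, but valid-credential abuse succeeds
        user, ts, cc = ev["user"], ev["ts"], ev["country"]
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts.isoformat(), user, "off-hours logon"))
        if cc not in BASELINE.get(user, set()):
            alerts.append((ts.isoformat(), user, f"new country {cc}"))
        prev = last_seen.get(user)
        if prev and prev[1] != cc and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append((ts.isoformat(), user, f"impossible travel {prev[1]}->{cc}"))
        last_seen[user] = (ts, cc)
    return alerts


if __name__ == "__main__":
    for when, who, why in find_anomalies(SAMPLE_LOG):
        print(f"{when}  {who:<14} {why}")
```

In the constructed data `akhan` never trips a rule, while `jsmith` and `backup-admin` each generate two alerts on the early-morning logons from the unfamiliar prefix, and `jsmith` additionally trips the travel check when a US logon follows the foreign one 23 minutes later. On a real gateway the same three checks run against the vendor's syslog or API export; the value is in correlating them, since any one alone is noisy.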

General ransomware preparedness:

  1. Maintain offline backups that attackers can't reach through network access
  2. Test backup restoration procedures regularly
  3. Segment networks to limit lateral movement
  4. Monitor for pass-the-hash and credential stuffing activity
  5. Deploy endpoint detection and response across all systems
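Item 4 asks for monitoring of pass-the-hash and credential stuffing, the two techniques in the attack chain above. The following is an added example (not from Arctic Wolf or any EDR vendor) that scores constructed Windows Security event records. The pass-the-hash heuristic, an NTLM network logon (4624, LogonType 3, NtLmSsp) with a zero session key length for a non-machine account, is modelled on widely published Sigma-style rules and is an assumption of this example; legitimate NTLM logons also match it, so it is a triage signal to baseline, not a verdict. Credential stuffing is scored as one source address failing logons (4625) against many distinct accounts.

```python
"""Score constructed Windows Security events for pass-the-hash and
credential-stuffing patterns.

Added example. The heuristics below are assumptions modelled on public
Sigma-style rules, not vendor detection content; the events are constructed.
"""
from __future__ import annotations
from collections import defaultdict

def _evt(event_id, logon_type, process, package, key_len, user, ip, computer):
    return dict(EventID=event_id, LogonType=logon_type, LogonProcessName=process,
                AuthenticationPackageName=package, KeyLength=key_len,
                TargetUserName=user, TargetDomainName="SCHOOL",
                IpAddress=ip, Computer=computer)

# Constructed telemetry (not real logs), field names as in Security event XML.
EVENTS = [
    # Normal Kerberos file-share access by a user.
    _evt(4624, 3, "Kerberos", "Kerberos", 128, "jsmith", "10.0.5.20", "FS01"),
    # Same service account lands via NTLM on the Hyper-V and Veeam hosts from one workstation.
    _evt(4624, 3, "NtLmSsp", "NTLM", 0, "svc-backup", "10.0.5.99", "HV01"),
    _evt(4624, 3, "NtLmSsp", "NTLM", 0, "svc-backup", "10.0.5.99", "VEEAM01"),
    # Machine account NTLM logon: excluded by the heuristic.
    _evt(4624, 3, "NtLmSsp", "NTLM", 0, "HV01$", "10.0.5.11", "DC01"),
    # Failures against six different accounts from the same workstation.
    *[_evt(4625, 3, "NtLmSsp", "NTLM", 0, u, "10.0.5.99", "DC01")
      for u in ("akhan", "bdiaz", "cwong", "dlee", "efox", "gray")],
]

STUFFING_THRESHOLD = 5  # distinct accounts failing from one source (assumed threshold)


def is_pth_candidate(ev: dict) -> bool:
    """NTLM network logon with KeyLength 0 for a non-machine account."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["LogonProcessName"] == "NtLmSsp"
            and ev["KeyLength"] == 0
            and not ev["TargetUserName"].endswith("$"))


def pth_sources(events: list[dict]) -> dict[str, set[str]]:
    """Map source IP -> hosts where a pass-the-hash-like logon landed."""
    hits = defaultdict(set)
    for ev in events:
        if is_pth_candidate(ev):
            hits[ev["IpAddress"]].add(ev["Computer"])
    return dict(hits)


def stuffing_sources(events: list[dict], threshold: int = STUFFING_THRESHOLD) -> dict[str, int]:
    """Source IPs whose failed logons span at least `threshold` distinct accounts."""
    failed = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625:
            failed[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(users) for ip, users in failed.items() if len(users) >= threshold}


def lateral_movers(events: list[dict], min_hosts: int = 2) -> dict[str, set[str]]:
    """Sources whose pass-the-hash-like logons reached more than one host."""
    return {ip: hosts for ip, hosts in pth_sources(events).items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("PtH-like logons by source:", pth_sources(EVENTS))
    print("Lateral movement candidates:", lateral_movers(EVENTS))
    print("Credential stuffing sources:", stuffing_sources(EVENTS))
```

In the constructed data one workstation, `10.0.5.99`, both reaches the Hyper-V and Veeam hosts with NTLM logons as `svc-backup` and fails logons against six other accounts; that combination, one source touching backup infrastructure and spraying accounts, is the shape of the playbook described above and is worth an immediate look at that host. Fed from a SIEM, these functions would run over a sliding window rather than a static list.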

Credential hygiene:

  1. Enforce unique passwords through policy and password managers
  2. Monitor for compromised credentials in breach databases
  3. Train staff to recognize phishing attempts
  4. Implement privileged access management for administrative accounts
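Item 2, checking credentials against breach data, can be done without sending passwords or full hashes to a third party. The script below is an added example, not code from the article or from Arctic Wolf, and uses the k-anonymity range model of Have I Been Pwned's Pwned Passwords API: only the first five hex characters of the SHA-1 hash are sent, and the server returns every suffix in that range with a count. The `OFFLINE_RANGES` table is a constructed stand-in for a live response so the check runs offline; the one real value in it is the tail of SHA-1("password").

```python
"""Check a password against a breach corpus with the Pwned Passwords
k-anonymity range model. Added example; OFFLINE_RANGES is a constructed
stand-in for a live range response.
"""
from __future__ import annotations
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; unused in the offline demo

# Constructed range response for prefix 5BAA6. Real responses carry hundreds of
# SUFFIX:COUNT lines; the first suffix below is the genuine tail of SHA-1("password").
OFFLINE_RANGES = {
    "5BAA6": """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365
0A3F0C2E8B1D9F7A6C5B4E3D2A1F0E9D8C7:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
""",
}


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup. Add-Padding makes every response the same rough size so the
    number of real suffixes is not observable on the wire."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed table."""
    return OFFLINE_RANGES.get(prefix, "")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 if absent).
    Padding lines carry a count of 0 and never match a real suffix."""
    prefix, suffix = split_sha1(password)
    for line in fetch(prefix).splitlines():
        tail, _, count = line.strip().partition(":")
        if tail == suffix:
            return int(count)
    return 0


def acceptable(password: str, fetch=fetch_range, max_hits: int = 0) -> bool:
    """Policy hook: reject any password seen in a breach more than max_hits times."""
    return breach_count(password, fetch) <= max_hits


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times")
```

Wired into a password-change or SSO enrolment flow with the live `fetch_range`, `acceptable()` turns the policy in item 1 into something enforceable rather than advisory; the prefix-only query means the service never learns the candidate password or enough of its hash to recover it.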

Educational institutions face real resource constraints. But basic controls—MFA on VPN, monitored backups, network segmentation—don't require enterprise budgets. The gap between current state and adequate protection is often smaller than IT teams fear, while the cost of ransomware recovery exceeds prevention investment by orders of magnitude.
