Last month, cybersecurity researchers at Sophos X-Ops reported that threat actors had exploited a vulnerability in Veeam backup servers. Continuing the story of this threat cluster, this update focuses on the recent deployment of a newly emerged ransomware strain.
Several incidents attributed to this cluster ended with the execution of Akira or Fog ransomware. Akira, first spotted in 2023, appears to have gone dormant since mid-October, and its data leak site is currently unavailable. Fog appeared earlier this year, first spotted in May. Recently, MDR analysts observed a new iteration of the STAC 5881 tactics with an additional finding: the deployment of a previously unknown ransomware called “Frag”.
In this case, the threat actor used a compromised VPN gateway for initial access, then leveraged the Veeam vulnerability to gain further footholds and create a new account named “level”.
In the same incident, an additional account named “point2” was also created.
Frag is run from the command line and requires a single parameter: the percentage of file encryption to apply. The attacker can also specify individual directories or files to encrypt.
Encrypted files are given a .frag extension. The attack was blocked by the CryptoGuard feature of Sophos endpoint protection, and a detection for the ransomware binary has since been added.
The tactics used by the actor behind Frag mirror those previously employed by the Akira and Fog threat actors. Sophos X-Ops is closely tracking this potential new ransomware player, whose behavior resembles that of Akira ransomware, and is continuing to investigate this threat behavior. This post will be updated as new technical details become available.