Final month, Sophos X-Ops reported a number of MDR instances the place risk actors exploited a vulnerability in Veeam backup servers. We proceed to trace the actions of this risk cluster, which just lately included deployment of a brand new ransomware. The vulnerability, CVE-2024-40711, was used as a part of a risk exercise cluster we named STAC 5881. Assaults leveraged compromised VPN home equipment for entry and used the VEEAM vulnerability to create a brand new native administrator account named “level”.
Some instances on this cluster led to the deployment of Akira or Fog ransomware. Akira was first seen in 2023; its leak web site was offline briefly in October, however is again on-line and we proceed to see Akira assaults. Fog emerged earlier this 12 months, first seen in Might. In a latest case MDR analysts as soon as once more noticed the ways related to STAC 5881 – however this time noticed the deployment of a previously-undocumented ransomware referred to as “Frag”.
Much like the earlier occasions, the risk actor used a compromised VPN equipment for entry, leveraged the VEEAM vulnerability, and created a brand new account named ‘level’.
Nonetheless on this incident a ‘point2’ account was additionally created.
Frag is executed on the command line with a lot of parameters, with one required: proportion of file encryption. The attacker can specify directories or particular person recordsdata to encrypt.
When encrypted, recordsdata are given a .frag extension. On this case, the ransomware was blocked by Sophos endpoint safety’s CryptoGuard function. A detection for the ransomware binary has since been added.
The similarity within the ways, methods and practices of the actor behind Frag to these utilized by Akira and Fog risk actors has additionally been noticed by Agger Labs. Sophos X-Ops is intently monitoring this doable emergence of a brand new ransomware participant with behaviors beforehand seen in Akira ransomware. We are going to proceed to trace this risk conduct. We are going to replace this put up with extra technical particulars as they grow to be out there.
