A new ransomware named “Frag” emerges with the exploit of VEEAM vulnerability

Recent reports from Sophos X-Ops highlighted multiple MDR incidents involving the exploitation of a vulnerability found in Veeam backup servers. Ongoing monitoring of this threat cluster uncovered the deployment of a fresh ransomware variant.

VEEAM exploit seen used again with a new ransomware: “Frag”

The vulnerability in question, CVE-2024-40711, was used in attacks attributed to a threat cluster tracked as STAC 5881. In these attacks, compromised VPN appliances provided initial access, and the Veeam vulnerability was then exploited to create a new local administrator account called “point”.

Earlier incidents in this cluster involved the Akira or Fog ransomware. Akira, first observed in 2023, has been inactive since mid-October, and its leak site is currently offline. Fog, by contrast, first appeared earlier this year. In a recent case, MDR analysts observed the deployment of a previously unreported ransomware named “Frag”.

Figure 1: Visualization of the Frag ransom note.

The threat actor’s approach mirrored the earlier incidents: compromised VPN appliances were used for access, the Veeam vulnerability was exploited, and a new account named ‘point’ was created. In this incident, however, an additional account named ‘point2’ was also created.

Frag is run from the command line with several parameters. The encryption percentage is mandatory; the attacker may optionally specify directories or individual files to encrypt.

Figure 2: The Frag ransomware offers a help parameter for attackers.

Each encrypted file receives a .frag extension. Sophos endpoint protection blocked this ransomware through its CryptoGuard feature, and a detection for the ransomware binary has since been added.

Figure 3: Encrypted files with the additional “.frag” extension.
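The two host-level indicators this report describes, creation of local accounts named ‘point’ or ‘point2’ on a Veeam server and a burst of files renamed with a .frag extension, can be hunted for in existing Windows event data. The following is an added example, not code from Sophos or from the report; the event records are constructed for illustration and use Security event IDs 4720 (user account created) and 4663 (object access) in a simplified form.

```python
"""Hunt for the Frag intrusion indicators described above.

Constructed sample events, not real telemetry. Each record is a simplified
Windows Security event: event ID, host name, and the account name (4720)
or file path (4663) the event concerns.
"""
from collections import Counter

# Account names reported in the Frag intrusions (from the report above).
SUSPICIOUS_ACCOUNTS = {"point", "point2"}
FRAG_EXTENSION = ".frag"

# Constructed sample events (hosts, accounts and paths are made up).
SAMPLE_EVENTS = [
    {"id": 4720, "host": "veeam-bkp01", "subject": "svc_backup"},
    {"id": 4720, "host": "veeam-bkp01", "subject": "point"},
    {"id": 4720, "host": "veeam-bkp01", "subject": "Point2"},
    {"id": 4663, "host": "fs01", "subject": r"D:\shares\finance\q3.xlsx"},
    {"id": 4663, "host": "fs01", "subject": r"D:\shares\finance\q3.xlsx.frag"},
    {"id": 4663, "host": "fs01", "subject": r"D:\shares\hr\payroll.docx.frag"},
    {"id": 4663, "host": "fs01", "subject": r"D:\shares\hr\contracts.pdf.frag"},
    {"id": 4663, "host": "ws07", "subject": r"C:\Users\a\notes.txt.frag"},
]


def find_suspicious_account_creations(events):
    """Return (host, account) pairs where event 4720 created a known-suspicious name.

    Matching is case-insensitive because Windows account names are.
    """
    return [
        (e["host"], e["subject"])
        for e in events
        if e["id"] == 4720 and e["subject"].lower() in SUSPICIOUS_ACCOUNTS
    ]


def hosts_with_frag_burst(events, threshold=3):
    """Return {host: count} for hosts that wrote at least `threshold` .frag files.

    A single .frag file is weak evidence; a burst on one host is the
    signal that mass encryption is under way.
    """
    counts = Counter(
        e["host"]
        for e in events
        if e["id"] == 4663 and e["subject"].lower().endswith(FRAG_EXTENSION)
    )
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("account creations:", find_suspicious_account_creations(SAMPLE_EVENTS))
    print("frag bursts:", hosts_with_frag_burst(SAMPLE_EVENTS))
```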

Agger Labs has also noted similarities between the tactics used by the Frag actor and those associated with the Akira and Fog ransomware. Sophos X-Ops continues to monitor what may be the emergence of a new ransomware actor exhibiting characteristics seen with Akira, and will publish further technical details as they become available.
