Ransomware Attack Disrupts City of Cold Lake Services
Ransomware Attack on City of Cold Lake by Fog Group
Overview of the City of Cold Lake
The City of Cold Lake, located in east-central Alberta, Canada, is a vibrant community known for its strong military presence and rich recreational opportunities. The city is home to the Canadian Forces Base Cold Lake, one of the largest air bases in Canada, which significantly contributes to the local economy. Cold Lake also benefits from oil and gas exploration, particularly in the nearby Athabasca Oil Sands.
Details of the Ransomware Attack
On July 23, 2024, the City of Cold Lake experienced a ransomware attack orchestrated by the threat actor group known as Fog. The attack resulted in the encryption of files and backups across multiple servers, leading the city to shut down its systems to protect data integrity and assess the extent of the damage. Approximately 10GB of data were reportedly exfiltrated. The city's IT Department swiftly isolated the affected systems to prevent further damage, ensuring that key infrastructure, including water treatment and waste management, remained secure and operational.
The cyberattack disrupted phone, email, and payment systems across several city facilities, forcing many operations to revert to manual processes. Despite these disruptions, essential services continued to function, and city facilities remained open with modified services. Off-site backup systems provided some protection, although certain Microsoft systems had to be rebuilt. By July 25, recovery efforts were underway, with some servers brought back online in isolated environments to ensure stability. Phone lines were re-established at key locations, albeit with limited capacity.
About the Fog Ransomware Group
Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It is known for encrypting files and appending the extensions ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," informing victims that their files have been encrypted and urging them to contact the attackers for file recovery.
Fog ransomware has been particularly disruptive, with a significant focus on the education sector and the recreation industry. Attackers typically gain access to systems by exploiting compromised VPN credentials from two different vendors, allowing for remote infiltration. Once inside, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult.
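As an added defender-side example (not code from the write-up, Halcyon, or the City of Cold Lake), the following Python triages a file listing for the indicators named above, the ".FOG"/".FLOCKED" extensions and the two ransom-note names, and ranks directories for incident-response review; the sample paths are constructed, and the ratio threshold is an assumption.

```python
import os
from collections import defaultdict
from pathlib import PurePath

# Indicators from the write-up above: extensions Fog appends to encrypted
# files and the ransom-note file names it drops.
FOG_EXTENSIONS = {".fog", ".flocked"}
FOG_NOTE_NAMES = {"readme.txt", "help_your_files.html"}
# "readme.txt" is a common benign name, so only the HTML note is strong alone.
STRONG_NOTES = {"help_your_files.html"}

def classify_paths(paths):
    """Per directory: count of files with a Fog extension, notes seen, total."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "notes": [], "total": 0})
    for raw in paths:
        p = PurePath(raw)
        entry = per_dir[str(p.parent)]
        entry["total"] += 1
        if p.suffix.lower() in FOG_EXTENSIONS:
            entry["encrypted"] += 1
        if p.name.lower() in FOG_NOTE_NAMES:
            entry["notes"].append(p.name)
    return dict(per_dir)

def suspicious_dirs(summary, min_ratio=0.5):
    """Directories to triage first: mostly encrypted, or a note beside encrypted files."""
    hits = []
    for d, e in summary.items():
        ratio = e["encrypted"] / e["total"] if e["total"] else 0.0
        strong = any(n.lower() in STRONG_NOTES for n in e["notes"])
        if ratio >= min_ratio or strong or (e["notes"] and e["encrypted"]):
            hits.append(d)
    return sorted(hits)

def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted share) and summarise it."""
    paths = (os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs)
    return classify_paths(paths)

# Constructed sample listing, not data from the Cold Lake incident.
SAMPLE_PATHS = [
    "/srv/share/finance/budget.xlsx.FOG",
    "/srv/share/finance/payroll.docx.FOG",
    "/srv/share/finance/readme.txt",
    "/srv/share/hr/handbook.pdf",
    "/srv/share/hr/readme.txt",
    "/srv/vm/fileserver.vmdk.FLOCKED",
    "/srv/vm/HELP_YOUR_FILES.HTML",
]
```

Run `suspicious_dirs(scan_tree("/mnt/share"))` against a read-only mount of an affected share to get the directories to examine first; a lone readme.txt with no encrypted neighbours is deliberately not flagged.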
Vulnerabilities and Impact
The City of Cold Lake, as a municipal corporation, operates various critical services, making it a prime target for ransomware attacks. The city's reliance on digital infrastructure for essential services such as water treatment, waste management, and public safety systems presents vulnerabilities that threat actors can exploit. The attack on Cold Lake underscores the importance of robust cybersecurity measures to protect municipal operations and sensitive data.