Ransomware Attack on West Allis-West Milwaukee School District by Fog Group Exposes Data

Incident Date: Jul 16, 2024

Attack Overview
VICTIM
West Allis-West Milwaukee School District
INDUSTRY
Education
LOCATION
USA
ATTACKER
Fog
FIRST REPORTED
July 16, 2024

Ransomware Attack on West Allis-West Milwaukee School District by Fog Group

Overview of the West Allis-West Milwaukee School District

The West Allis-West Milwaukee School District (WAWM) serves the cities of West Allis and West Milwaukee in Wisconsin. The district is dedicated to providing high-quality education to its students, emphasizing community and equity. WAWM offers a comprehensive curriculum that includes core subjects, electives, and extracurricular activities. The district also provides various support services, such as mental health resources and food assistance, to ensure the success of every student. Under the leadership of Superintendent Tarrynce G. Robinson, WAWM is committed to creating a safe and inclusive learning environment.

Details of the Ransomware Attack

On July 17, 2024, the West Allis-West Milwaukee School District fell victim to a ransomware attack orchestrated by the Fog ransomware group. The attack resulted in a data leak of approximately 9.5GB, potentially exposing sensitive information. The district's website, wawm.k12.wi.us, was compromised during the attack. This incident highlights the increasing threat of cyberattacks on educational institutions and underscores the need for robust cybersecurity measures.

About the Fog Ransomware Group

Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It is known for encrypting files and appending the extensions ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," urging victims to contact the attackers for file recovery. Fog ransomware has been particularly disruptive in the education sector, with 80% of its victims located in this industry. Attackers typically gain access to systems by exploiting compromised VPN credentials from two different vendors, allowing for remote infiltration.

Vulnerabilities and Penetration Methods

The Fog ransomware group distinguishes itself by its focus on the education sector and its method of exploiting compromised VPN credentials. Once inside a system, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. The lack of a known decryptor for Fog ransomware means that paying the ransom does not guarantee file restoration. The operational structure of the Fog ransomware group remains unclear, with ongoing research aimed at understanding its deployment and impact.

Sources

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.