Pennsylvania food bank claimed as latest ransomware victim


A major Pennsylvania food bank, working in tandem with over a thousand other state agencies and nonprofit programs, was claimed by the Fog ransomware group on Tuesday.

The Central Pennsylvania Food Bank was posted on the Fog group’s dark leak blog, along with claims that the gang has stolen more than 20 GB of files from the 501(c) humanitarian aid organization.

Turning towards a local food bank in hopes of a payout can be considered a new low when it comes to the non-profit sector.


Based in both Harrisburg and Williamsport, the food bank supports over 27 counties in the Keystone State, serving more than 250,000 in-need persons each month, including children, veterans, active duty military personnel, seniors, and more.

“No one should be hungry and no one should breach those helping the needy,” said cybersecurity researcher Dominic Alvieri, who posted about the claim on X Tuesday.

The organization partners with more than 1,130 agencies and aid programs including food pantries, soup kitchens, and emergency food providers, according to its website.

The food bank's website also shows a private login portal for employees and volunteers, a pool that, as of 2022, included close to 8,000 volunteers, which makes the personal information stored on its networks a treasure trove for the cyber crooks to hold to ransom.

The ransomware group, listing the PA food bank’s revenue at over $50,000,000, claims to have exfiltrated files in categories such as client agreements, accounting, and human resources.

Fog further claims it possesses “juicy files and information,” including social security numbers, passports, and driver’s licenses, although no samples were posted on its blog.

[Image: Fog leak site listing the PA food bank]

To note, the non-profit’s website appeared to be loading normally as of Tuesday afternoon local time. Cybernews has reached out to the food bank and is awaiting a response.

Who is Fog ransomware?

The Fog ransomware variant was first acknowledged in the wild barely six months ago. It mostly targets victims in the education sector, although some researchers say the variant has been around since late 2021.

“All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector,” according to a June research report by Arctic Wolf.

Arctic Wolf researchers said they were hesitant to attribute the ransomware to any specific group at the time: the variant was the only common factor across the attacks, and it was assumed to be used by various ransomware affiliate groups across the board.

[Image: Fog leak site]

But by September, along with an official dark leak page, it appears a fledgling group has been organized under one roof to take credit for ransomware attacks carried out with the Fog variant, which exists for both Windows and Linux platforms.

Fog is known to infiltrate its targets using compromised VPN credentials and other privileged credentials. It often takes advantage of institutions with less-than-robust cybersecurity measures, as is common in the non-profit sector.

In September, researchers at Darktrace witnessed the threat actors working at an “alarming speed,” in some cases taking just two hours from gaining initial access to a victim’s system to encrypting that victim’s files.


Once inside, the double extortionists were observed using remote access tools to establish command-and-control (C2) communications and move freely laterally through a victim’s network, probing for deeper access and scanning for sensitive files, the Darktrace report stated.

The group was also found to have successfully exfiltrated victim data to an external storage source.
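The chain described above (a login with existing credentials, a remote access tool appearing soon after, high-volume file writes, and a ransom note dropped within about two hours) is the kind of sequence a defender can correlate on a timeline. The following is an added example written for this article, not code from Cybernews, Darktrace or Arctic Wolf: a small Python heuristic that walks constructed, simplified log lines, anchors on each VPN login, and raises an alert when two or more of those indicators appear for the same account inside the two-hour window. The log format, the `remotetool.exe` watchlist entry, the write threshold and the sample accounts are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not real telemetry. One account's session shows the
# full chain from the article; a second account's ordinary activity must not fire.
SAMPLE_LOGS = [
    "2024-09-10T01:05:00Z vpn_login user=svc_backup src=198.51.100.7",
    "2024-09-10T01:20:00Z proc_start host=fs01 user=svc_backup image=remotetool.exe",
    "2024-09-10T01:40:00Z smb_write host=fs01 user=svc_backup count=1500",
    "2024-09-10T02:30:00Z file_create host=fs01 user=svc_backup name=readme.txt",
    "2024-09-10T09:00:00Z vpn_login user=alice src=203.0.113.4",
    "2024-09-10T09:45:00Z smb_write host=fs02 user=alice count=12",
]

# Hypothetical watchlist of remote-access binaries; populate from your own inventory.
REMOTE_ACCESS_TOOLS = {"remotetool.exe"}
WINDOW = timedelta(hours=2)     # the report cites roughly two hours from access to encryption
MASS_WRITE_THRESHOLD = 1000     # SMB writes per event; tune to your baseline (assumed value)


def parse(line):
    """Split 'timestamp event key=value ...' into (datetime, event, dict)."""
    ts_str, event, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = dict(f.split("=", 1) for f in fields)
    return ts, event, kv


def indicator_for(event, kv):
    """Map one event to the indicator it contributes, or None if it is benign."""
    if event == "proc_start" and kv.get("image", "").lower() in REMOTE_ACCESS_TOOLS:
        return "remote_access_tool"
    if event == "smb_write" and int(kv.get("count", 0)) >= MASS_WRITE_THRESHOLD:
        return "mass_file_write"
    if event == "file_create" and kv.get("name", "").lower() == "readme.txt":
        return "ransom_note"
    return None


def detect(lines, min_indicators=2):
    """Return one alert per VPN login that is followed, within WINDOW and for the
    same account, by at least min_indicators distinct post-access indicators."""
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    alerts = []
    for ts, event, kv in events:
        if event != "vpn_login":
            continue
        user = kv["user"]
        seen = set()
        for ts2, ev2, kv2 in events:
            if kv2.get("user") != user or not (ts < ts2 <= ts + WINDOW):
                continue
            ind = indicator_for(ev2, kv2)
            if ind:
                seen.add(ind)
        if len(seen) >= min_indicators:
            alerts.append({"user": user, "login_at": ts.isoformat(),
                           "indicators": sorted(seen)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Requiring two independent indicators rather than one keeps a single large backup job or a lone admin tool from paging anyone, while the short window reflects the speed the report describes; in production the watchlist and threshold would come from the environment's own inventory and baseline rather than the placeholders used here.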

[Image: Fog ransom note. Image by Cybernews | Darktrace]

Darktrace provides a copy of a packet capture (PCAP) of the ransom note file, titled “readme.txt,” which identifies the group and gives instructions, with a Tor browser link, for contacting the ransom operators and presumably paying its ransom demand.

“If you are reading this, then you have been the victim of a cyber attack. We call ourselves Fog, and we take responsibility for this incident. We are the ones who encrypted your data and also copied some of it to our internal resources. The sooner you contact us, the sooner we can resolve this incident and get you back to work… We are waiting for you,” the note reads.

Although the group has been steadily carrying out ransomware attacks since May, its dark leak blog only shows 10 victims, including the food bank, with the first victim listed on August 6th, leading Cybernews to believe the leak site was recently launched by the newly formed cartel.

Thought to be a strain derived from the STOP/DJVU ransomware family, the Fog group is of unknown origin, with some research citing possible ties to Eastern Europe.
