Ransomware Attack on Geelong Lutheran College by Fog Group Results in 4GB Data Leak

Incident Date:

July 16, 2024

Overview

Victim

Geelong Lutheran College

Attacker

Fog

Location

Armstrong Creek, Australia

First Reported

July 16, 2024

Ransomware Attack on Geelong Lutheran College by Fog Ransomware Group

Overview of Geelong Lutheran College

Geelong Lutheran College (GLC), located in Newtown, Victoria, is a prominent educational institution under the Lutheran Church of Australia. Established in 1962, the college provides primary and secondary education from Foundation to Year 12. GLC is recognized for its commitment to delivering high-quality education within a caring, supportive, and Christ-centered environment. The college employs approximately 143 staff members and generates an estimated revenue of $18.9 million annually. GLC stands out in the education sector for its holistic approach to student development, offering a wide range of academic subjects and co-curricular activities.

Details of the Ransomware Attack

On July 17, 2024, Geelong Lutheran College fell victim to a ransomware attack orchestrated by the Fog ransomware group. The attack targeted the college's domain, glc.vic.edu.au, resulting in a data leak of approximately 4GB. The compromised data potentially includes sensitive information related to the institution and its stakeholders. The attack was publicly claimed by Fog on their dark web leak site, highlighting the college's vulnerabilities in cybersecurity.

About Fog Ransomware Group

Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It is notorious for encrypting files and appending extensions such as ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," urging victims to contact the attackers for file recovery. Fog ransomware has been particularly disruptive in the education sector, with 80% of its victims located in this field. The group typically gains access to systems by exploiting compromised VPN credentials, allowing for remote infiltration.
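The file indicators named above can be used for a quick triage of a file listing. The following is an added example, not code from the original report or from any vendor: it assumes a list of Windows file paths as input (the sample listing is constructed) and reports only directories that contain files with the ".FOG" or ".FLOCKED" extensions, because a "readme.txt" on its own is too common to be evidence.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the write-up above (matched case-insensitively).
ENCRYPTED_EXTS = {".fog", ".flocked"}
NOTE_NAMES = {"readme.txt", "help_your_files.html"}


def triage(paths):
    """Group file paths by directory and score each directory.

    A ransom-note name alone is weak evidence ("readme.txt" is common),
    so a directory is reported only if it holds at least one file with an
    encrypted extension; a note found alongside raises the confidence.
    """
    dirs = defaultdict(lambda: {"encrypted": [], "notes": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        parent = str(p.parent).lower()
        if p.suffix.lower() in ENCRYPTED_EXTS:
            dirs[parent]["encrypted"].append(p.name)
        elif p.name.lower() in NOTE_NAMES:
            dirs[parent]["notes"].append(p.name)
    findings = {}
    for directory, hit in dirs.items():
        if not hit["encrypted"]:
            continue  # note-only directory: not reported
        findings[directory] = {
            "encrypted": len(hit["encrypted"]),
            "notes": sorted(hit["notes"]),
            "confidence": "high" if hit["notes"] else "medium",
        }
    return findings


# Constructed sample listing (hypothetical paths, not from a real host).
SAMPLE = [
    r"D:\Shares\Staff\timetable.xlsx.FOG",
    r"D:\Shares\Staff\budget.docx.flocked",
    r"D:\Shares\Staff\readme.txt",
    r"D:\Shares\Media\photo.jpg.FOG",
    r"C:\Tools\app\readme.txt",
    r"C:\Tools\app\app.exe",
]

if __name__ == "__main__":
    for directory, info in sorted(triage(SAMPLE).items()):
        print(directory, info)
```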

Penetration and Impact

The Fog ransomware group distinguishes itself by its focus on the education sector and its sophisticated methods of infiltration. Attackers often exploit compromised VPN credentials from different vendors to gain remote access to systems. Once inside, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. Currently, there is no known decryptor available for Fog ransomware, and paying the ransom does not guarantee file restoration.
