Ransomware Attack on West Allis-West Milwaukee School District by Fog Group Exposes Data

Incident Date: July 16, 2024

Overview

Title

Ransomware Attack on West Allis-West Milwaukee School District by Fog Group Exposes Data

Victim

West Allis-West Milwaukee School District

Attacker

Fog

Location

West Allis, USA

Wisconsin, USA

First Reported

July 16, 2024

Ransomware Attack on West Allis-West Milwaukee School District by Fog Group

Overview of the West Allis-West Milwaukee School District

The West Allis-West Milwaukee School District (WAWM) serves the cities of West Allis and West Milwaukee in Wisconsin. The district is dedicated to providing high-quality education to its students, emphasizing community and equity. WAWM offers a comprehensive curriculum that includes core subjects, electives, and extracurricular activities. The district also provides various support services, such as mental health resources and food assistance, to ensure the success of every student. Under the leadership of Superintendent Tarrynce G. Robinson, WAWM is committed to creating a safe and inclusive learning environment.

Details of the Ransomware Attack

On July 17, 2024, the West Allis-West Milwaukee School District fell victim to a ransomware attack orchestrated by the Fog ransomware group. The attack resulted in a data leak of approximately 9.5GB, potentially exposing sensitive information. The district's website, wawm.k12.wi.us, was compromised during the attack. This incident highlights the increasing threat of cyberattacks on educational institutions and underscores the need for robust cybersecurity measures.

About the Fog Ransomware Group

Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It encrypts files and appends the extension ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML", urging victims to contact the attackers for file recovery. Fog ransomware has been particularly disruptive in the education sector, with 80% of its victims located in this industry. Attackers typically gain initial access with compromised VPN credentials for appliances from two different vendors, which gives them remote entry into the network.

Vulnerabilities and Penetration Methods

The Fog ransomware group distinguishes itself by its focus on the education sector and its method of exploiting compromised VPN credentials. Once inside a system, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. The lack of a known decryptor for Fog ransomware means that paying the ransom does not guarantee file restoration. The operational structure of the Fog ransomware group remains unclear, with ongoing research aimed at understanding its deployment and impact.
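The two paragraphs above list the on-disk traces that Fog leaves behind: renamed files ending in ".FOG" or ".FLOCKED", ransom notes called "readme.txt" or "HELP_YOUR_FILES.HTML", and a preference for VMDK files. As an added, defender-side example that is not part of the tracker page or any vendor report it summarizes, the following Python script walks a file tree and turns those indicators into a triage report. It treats "readme.txt" as a weak indicator that only counts when encrypted files sit beside it, recovers the original extension from names such as "server01.vmdk.FLOCKED" to count hit virtual disks, and builds a small constructed sample tree of empty files so it runs offline. The sample layout, the severity labels and the report fields are this example's own assumptions.

```python
"""Scan a file tree for the on-disk indicators attributed to Fog ransomware.

Added example, not the tracker page's own code. Indicator names come from the
page text; the sample tree, thresholds and report layout are assumptions.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Extensions the page says Fog appends to encrypted files.
ENCRYPTED_EXTENSIONS = {".fog", ".flocked"}
# Distinctive ransom-note name: a hit on its own.
DISTINCTIVE_NOTES = {"help_your_files.html"}
# Very common file name: only treated as a note when encrypted files are beside it.
GENERIC_NOTES = {"readme.txt"}


def classify(path: Path) -> Optional[str]:
    """Label one path as 'encrypted', 'note', 'generic_note' or None."""
    name = path.name.lower()
    if name in DISTINCTIVE_NOTES:
        return "note"
    if name in GENERIC_NOTES:
        return "generic_note"
    if path.suffix.lower() in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def original_extension(path: Path) -> str:
    """For 'disk.vmdk.FOG' return '.vmdk', the extension before the ransomware suffix."""
    suffixes = path.suffixes
    return suffixes[-2].lower() if len(suffixes) >= 2 else ""


def scan_tree(root: Path) -> dict:
    """Walk root and build a triage report of Fog indicators found under it."""
    root = Path(root)
    encrypted, notes, generic_by_dir = [], [], {}
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        for fn in filenames:
            p = d / fn
            rel = str(p.relative_to(root))
            kind = classify(p)
            if kind == "encrypted":
                encrypted.append(rel)
            elif kind == "note":
                notes.append(rel)
            elif kind == "generic_note":
                generic_by_dir.setdefault(str(d), []).append(rel)
    # readme.txt is corroborating evidence only: count it where encryption happened.
    encrypted_dirs = {str((root / e).parent) for e in encrypted}
    for d, paths in generic_by_dir.items():
        if d in encrypted_dirs:
            notes.extend(paths)
    vmdk_hits = [e for e in encrypted if original_extension(root / e) == ".vmdk"]
    return {
        "encrypted_count": len(encrypted),
        "encrypted_vmdk_count": len(vmdk_hits),
        "ransom_notes": sorted(notes),
        "affected_directories": sorted(
            str(Path(d).relative_to(root)) for d in encrypted_dirs
        ),
        "severity": "high" if encrypted or notes else "none",
    }


def build_sample_tree(base: Path) -> None:
    """Create a constructed, harmless sample tree (tiny text files) for the demo."""
    layout = {
        "shares/finance/budget.xlsx.FOG": "",
        "shares/finance/readme.txt": "constructed ransom-note stand-in",
        "shares/hr/HELP_YOUR_FILES.HTML": "",
        "vmware/datastore1/server01.vmdk.FLOCKED": "",
        "projects/tooling/readme.txt": "ordinary project readme, not a note",
        "projects/tooling/notes.md": "",
    }
    for rel, content in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan_tree(base)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run against a real share the report feeds straight into scoping: the affected directory list tells the responder which shares and datastores were reached, and a non-zero VMDK count is the cue to check hypervisor datastores and the Veeam repository before assuming backups survived.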

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.