As cyber extortion tactics continue to evolve, a new player has emerged from the shadows: Fog ransomware, a stealthy and destructive threat that blends conventional file encryption with aggressive data-leak extortion. First identified in early 2024, Fog has been observed targeting both Windows and Linux systems, with a particular focus on organizations in the U.S. education sector.
What sets Fog apart is its multi-pronged extortion model: it not only encrypts valuable data but also exfiltrates files and threatens to publish them on a Tor-based leak site if victims refuse to pay. Its reliance on compromised VPN credentials as a primary point of entry underscores the need for robust access controls and proactive threat detection.
Targeted Industries: Education, Manufacturing, Travel, Automotive, Food & Beverage, Pharmaceutical, Transportation, Finance, Healthcare, Telecommunications, Energy, Real Estate, Retail, Utilities, Insurance, Construction, Government and Agriculture
Targeted Countries: United States, Oman, Netherlands, Australia, Belgium, Georgia, Italy, India, Ireland, Sweden and Singapore.

Technical Analysis
Initial Access
Fog Ransomware operators commonly gain a foothold in target networks through the use of compromised credentials, often acquired from Initial Access Brokers (IABs) who specialize in selling unauthorized entry points to threat actors. In many observed cases, attackers have leveraged valid VPN or user login credentials, enabling them to bypass perimeter defenses and blend in with legitimate traffic.
Beyond credential-based access, Fog actors may also exploit vulnerabilities in public-facing applications, abuse exposed or weakly configured Remote Desktop Protocol (RDP) services, or deliver phishing emails to unsuspecting users. Once inside, the attackers quickly move to establish persistence, laying the groundwork for deeper infiltration and eventual data encryption.
Persistence
To maintain long-term access within compromised environments, Fog ransomware operators employ a range of persistence techniques chosen for stealth and resilience. On Windows systems, attackers frequently establish RDP connections, either by leveraging valid credentials or by creating new user accounts dedicated to ongoing access.
Persistence is further reinforced through system configuration changes, such as modifying registry entries, setting up scheduled tasks, or executing PowerShell scripts, all designed to relaunch malicious processes automatically after a system reboot. In addition, Fog operators have been observed deploying tools like FileZilla for data transfer and using reverse SSH shells or remote access utilities such as MobaXterm to establish reliable backdoors.
Privilege Escalation
Once inside a compromised network, Fog ransomware operators focus on gaining elevated privileges to expand their control. They employ techniques such as pass-the-hash attacks against administrator accounts and brute-force attempts on user credentials to break through access restrictions. Custom PowerShell scripts and Mimikatz are commonly used to harvest credentials by dumping LSASS memory, and further secrets are extracted from sources such as web browser credential stores and the NTDS.dit file. By combining these methods and occasionally exploiting unpatched system vulnerabilities, the attackers escalate their access to administrative levels.
With this elevated access, Fog operators move laterally through the network, systematically hunting for critical assets such as file servers, backup repositories, and high-value endpoints to maximize the impact of their eventual encryption and extortion efforts.
Defense Evasion
To operate undetected within compromised systems, Fog ransomware employs a series of defense evasion strategies designed to neutralize security tools and reduce its visibility. On Windows servers, attackers begin by disabling Windows Defender and other key security-related processes and services, effectively dismantling built-in protection mechanisms. Utilizing Windows API calls, the malware collects detailed system information to identify active defenses and pinpoint specific services to terminate. This proactive approach allows Fog to bypass many common detection methods, clearing the path for successful payload deployment without interference from antivirus or endpoint protection solutions.
Data Exfiltration
Before initiating the file encryption stage, Fog ransomware operators exfiltrate data to strengthen their extortion leverage. Once embedded in a network, they systematically identify and collect sensitive information, including financial documents, customer records, personal data, and proprietary business files. To stage this data, the attackers use common compression tools like 7-Zip and WinRAR, bundling the files for efficient transfer. They then upload the archives to attacker-controlled servers or route them through third-party cloud services to avoid detection. The exfiltrated data becomes a key pressure point: victims not only risk data loss from encryption but also public exposure or resale of the stolen information if they refuse to meet the ransom demands.
Ransomware Execution
Fog ransomware begins by enumerating the accessible drives on the infected system. It then uses the Windows APIs FindFirstFileW and FindNextFileW to walk directories recursively and select files for encryption.
Each targeted file is encrypted with a randomly generated AES key. That key is in turn encrypted with an RSA public key embedded in the binary, and the RSA-encrypted AES key is appended to the end of the encrypted file. This is the standard hybrid scheme: only the holder of the matching RSA private key can unwrap the per-file key, which is what allows the operators to supply a decryptor if the ransom is paid.
The ransomware renames encrypted files by appending one of several distinct extensions, including:
- .FOG
- .FLOCKED
- .FFOG
During execution, Fog creates a file named DbgLog.sys in the working directory to log its activity. If launched with the -log argument, it additionally creates a lock_log.txt file in the C:\ProgramData directory, though this log is itself encrypted by the ransomware, suggesting either a coding misstep or that the malware is still under development.
Upon successful encryption, the ransomware plants ransom instructions in files titled readme.txt, commonly placed alongside affected data to guide victims on how to make payments.
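The hybrid scheme described above, as an added example that is not Fog's code and is not derived from any sample: every file gets a fresh random key, the key is wrapped with an embedded RSA public key, and the wrapped key is appended to the ciphertext. So that it runs offline with only the standard library, AES is replaced by a SHA-256 counter-mode keystream, RSA uses a small fixed Mersenne-prime key pair with no padding, and the footer layout (magic, nonce, wrapped key) is an assumption; Fog's real on-disk format is not given on this page.

```python
"""Toy model of per-file hybrid encryption with the wrapped key appended as a footer.
Constructed example: not Fog's code. Stand-ins: SHA-256 CTR keystream for AES,
textbook RSA on two Mersenne primes for the embedded public key, assumed footer layout.
"""
import hashlib
import os
import struct

FOOTER_MAGIC = b"TOYFOG"   # assumed marker; real footer layout unknown
NONCE_LEN = 16
KEY_LEN = 16               # 128-bit per-file key

# Toy RSA key pair from two Mersenne primes so the "embedded public key" is reproducible.
# Far too small for real use and unpadded; it only illustrates the wrapping step.
RSA_P = (1 << 107) - 1
RSA_Q = (1 << 127) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537                                         # embedded in the "binary"
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))     # stays with the operators
WRAPPED_LEN = (RSA_N.bit_length() + 7) // 8           # 30 bytes
FOOTER_LEN = len(FOOTER_MAGIC) + NONCE_LEN + WRAPPED_LEN


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream standing in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def wrap_key(key: bytes, n: int = RSA_N, e: int = RSA_E) -> bytes:
    """Encrypt the per-file key with the embedded public key (key < n, so no padding needed here)."""
    return pow(int.from_bytes(key, "big"), e, n).to_bytes(WRAPPED_LEN, "big")


def unwrap_key(wrapped: bytes, n: int = RSA_N, d: int = RSA_D) -> bytes:
    """Recover the per-file key; only possible with the private exponent d."""
    return pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(KEY_LEN, "big")


def encrypt_blob(plaintext: bytes) -> bytes:
    """Encrypt one file: random key, ciphertext body, then footer [magic | nonce | wrapped key]."""
    key = os.urandom(KEY_LEN)
    nonce = os.urandom(NONCE_LEN)
    body = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    return body + FOOTER_MAGIC + nonce + wrap_key(key)


def carve_footer(blob: bytes) -> dict:
    """What a responder can recover without the private key: the layout, not the key."""
    magic_end = -FOOTER_LEN + len(FOOTER_MAGIC)
    if len(blob) < FOOTER_LEN or blob[-FOOTER_LEN:magic_end] != FOOTER_MAGIC:
        raise ValueError("no recognised footer")
    footer = blob[-FOOTER_LEN:]
    off = len(FOOTER_MAGIC)
    return {
        "body": blob[:-FOOTER_LEN],
        "nonce": footer[off:off + NONCE_LEN],
        "wrapped_key": footer[off + NONCE_LEN:],
    }


def decrypt_blob(blob: bytes, d: int = RSA_D) -> bytes:
    """The operators' decryptor: unwrap the footer key with d, then strip the keystream."""
    parts = carve_footer(blob)
    key = unwrap_key(parts["wrapped_key"], RSA_N, d)
    return xor_bytes(parts["body"], keystream(key, parts["nonce"], len(parts["body"])))


if __name__ == "__main__":
    sample = b"Q3 payroll export - constructed sample content\n" * 4
    enc1, enc2 = encrypt_blob(sample), encrypt_blob(sample)
    print("fresh key per file:", enc1 != enc2)
    print("wrapped key seen by responder:", carve_footer(enc1)["wrapped_key"].hex())
    print("round trip with private key:", decrypt_blob(enc1) == sample)
```

carve_footer is the responder's view: the footer reveals the layout and the fact that a public key wrapped the file key, but without RSA_D the wrapped key is just 30 opaque bytes. That is why an "appended key" gives victims nothing unless the operators release the private key, and why two encryptions of the same file never match.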
Ransom Note
This double-extortion tactic ramps up the pressure on victims by threatening:
- Regulatory violations
- Reputational damage
- Legal consequences
The note outlines the attackers' demands and serves as the primary communication channel between the threat actors and the victim. It generally includes:
- Clear directions on how victims can get in touch with the attackers, often via encrypted email or secure messaging platforms.
- The ransom amount, usually specified in cryptocurrency (such as Bitcoin or Monero), along with a payment deadline after which further consequences follow.
- A warning that stolen data will be publicly leaked if payment is not made within the stated timeframe. Victims are pointed to a Tor-based Data Leak Site (DLS), where the attackers may publish samples of stolen data and threaten to escalate leaks over time.
In some observed cases, the threat actors behind Fog ransomware have engaged in direct communication with victims, adjusting ransom amounts based on the organization's size, sector, or perceived ability to pay, demonstrating a calculated and targeted extortion model.

Fog Ransomware techniques mapped to MITRE ATT&CK
Known Vulnerabilities Exploited by Fog Ransomware
- CVE-2024-40766
An improper access control vulnerability in SonicWall SonicOS that can lead to unauthorized resource access and, under certain conditions, cause the firewall to crash.
- CVE-2024-40711
A deserialization vulnerability in Veeam Backup & Replication that allows an unauthenticated attacker to achieve remote code execution.
Tools used by Fog Ransomware
Threat actors often rely on diverse toolkits to carry out different stages of an attack - from initial access and lateral movement to data exfiltration and persistence. Below is a breakdown of some observed tools and their usage by Fog Ransomware operators:

Recommendations to defend against Fog Ransomware attacks
As Fog Ransomware operators continue to exploit known vulnerabilities and deploy advanced encryption techniques, organizations must strengthen their defenses with a multi-layered approach. The following best practices are crucial in reducing exposure and enhancing resilience:
- Enforce multi-factor authentication (MFA)
Require MFA for all remote and VPN access points. This adds an essential layer of defense against the credential-based attacks that Fog operators favor.
- Keep VPN software fully patched
Regularly update all VPN solutions and related infrastructure to close known security gaps. Fog has been seen exploiting unpatched VPN vulnerabilities, such as CVE-2024-40766 in SonicWall SonicOS, to gain initial access.
- Continuously monitor VPN access logs
Deploy threat monitoring that flags anomalous login behavior, including access from unexpected geographies or at odd hours; both are potential indicators of compromise.
- Isolate compromised endpoints immediately
Use automated response tools to isolate infected machines as soon as ransomware behavior is detected, preventing further lateral spread within the network.
- Deploy a unified security platform
Invest in a comprehensive threat detection and response solution that provides real-time analytics and rapid remediation across endpoints.
- Restrict use of administrative tools
Restrict PowerShell, WMIC and similar utilities where they are not explicitly required, for example through application control policies and PowerShell Constrained Language Mode, and keep script block logging enabled so that the remaining use is auditable. These utilities are frequently abused during ransomware deployment stages.
- Implement regular offline backups
Maintain secure, immutable backups stored offline and test restores periodically. Fog threatens both data loss and extortion; reliable backups enable recovery without paying the ransom.
- Apply least-privilege access principles
Limit administrative rights and access to sensitive systems to only those who need them. Reducing privileges reduces the damage an attacker can do with a compromised account.
- Conduct periodic security audits
Regularly review configurations, patch levels, and system activity to uncover weaknesses before attackers do.
- Establish and test incident response plans
Prepare for ransomware scenarios by building detailed response playbooks. Simulate attacks to ensure your teams can detect, contain, and recover swiftly.
- Use network traffic analytics for threat detection
Monitor internal traffic patterns for signs of reconnaissance or lateral movement, tactics Fog operators commonly use to spread across networks.
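One way to implement the VPN log monitoring recommended above, as an added example that is not taken from any of the cited reports: a small detector that parses constructed VPN gateway log lines and flags the patterns this page associates with Fog intrusions, namely a successful login from a country the user has never used, a login outside working hours, a success without MFA, and a success preceded by a burst of failures. The log line format, the working-hours window, the failure threshold, the baseline and every user, address and timestamp in the sample are assumptions made for the example.

```python
"""VPN access log anomaly detector. Constructed example, not vendor code."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log line format (constructed for this example, not a real vendor format):
#   2024-05-02T03:12:44Z user=jdoe src=203.0.113.5 country=NL mfa=no result=success
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

WORK_HOURS = range(6, 20)   # assumed: 06:00-19:59 UTC counts as normal working hours
FAIL_THRESHOLD = 5          # assumed: this many failures before a success looks like guessing


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so junk never crashes the detector."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(lines, baseline):
    """Scan log lines in order. baseline maps user -> set of countries seen historically."""
    seen = {user: set(countries) for user, countries in baseline.items()}
    failures = defaultdict(int)   # consecutive failures per user since the last success
    alerts = []

    def alert(rec, rule, detail):
        alerts.append({"ts": rec["ts"].isoformat(), "user": rec["user"],
                       "src": rec["src"], "rule": rule, "detail": detail})

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec["user"]
        if rec["result"] == "failure":
            failures[user] += 1
            continue
        # Everything below concerns a successful login, which is what a credential-theft actor needs.
        if failures[user] >= FAIL_THRESHOLD:
            alert(rec, "brute_force", f"success after {failures[user]} consecutive failures")
        failures[user] = 0
        if rec["country"] not in seen.setdefault(user, set()):
            alert(rec, "new_country", f"first login from {rec['country']}")
            seen[user].add(rec["country"])
        if rec["ts"].hour not in WORK_HOURS:
            alert(rec, "off_hours", f"login at {rec['ts'].strftime('%H:%M')} UTC")
        if rec["mfa"] == "no":
            alert(rec, "no_mfa", "successful login without MFA")
    return alerts


# Constructed sample: one normal login, one suspicious login, one guessing burst, one junk line.
SAMPLE_LOG = """\
2024-05-01T14:02:10Z user=jdoe src=198.51.100.7 country=US mfa=yes result=success
2024-05-02T03:12:44Z user=jdoe src=203.0.113.5 country=NL mfa=no result=success
2024-05-02T10:00:01Z user=asmith src=192.0.2.9 country=US mfa=yes result=failure
2024-05-02T10:00:03Z user=asmith src=192.0.2.9 country=US mfa=yes result=failure
2024-05-02T10:00:05Z user=asmith src=192.0.2.9 country=US mfa=yes result=failure
2024-05-02T10:00:07Z user=asmith src=192.0.2.9 country=US mfa=yes result=failure
2024-05-02T10:00:09Z user=asmith src=192.0.2.9 country=US mfa=yes result=failure
2024-05-02T10:00:11Z user=asmith src=192.0.2.9 country=US mfa=yes result=success
this line is malformed and must be skipped
"""
BASELINE = {"jdoe": {"US"}, "asmith": {"US"}}   # assumed historical countries per user


def run_sample():
    return detect(SAMPLE_LOG.splitlines(), BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['ts']} {a['user']:<8} {a['rule']:<12} {a['detail']}")
```

The detector keys on successes rather than failures because a valid-credential login is exactly the event that blends in with legitimate traffic; the failure counter only adds context to the success that follows it. A user absent from the baseline is treated as having no known countries, so their first login is flagged rather than silently accepted.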
Sources Cited:
- https://www.darktrace.com/blog/lifting-the-fog-darktraces-investigation-into-fog-ransomware
- https://www.sentinelone.com/anthology/fog/
- https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html
- https://www.kaspersky.co.in/blog/fog-reveals-victims-ip/28685/
- https://www.kroll.com/en/insights/publications/cyber/fog-ransomware-targets-higher-education
- https://redpiranha.net/news/fog-ransomware-everything-you-need-know
- https://socradar.io/dark-web-profile-fog-ransomware/
- https://areteir.com/static/0dbe6c7ad139da595365e608aa53f2a3/FOG_Ransomware.pdf
- https://www.darkreading.com/cyberattacks-data-breaches/fog-hackers-doge-ransom-notes
- https://adlumin.com/post/fog-ransomware-now-targeting-the-financial-sector/
- https://arcticwolf.com/resources/blog/arctic-wolf-labs-observes-increased-fog-and-akira-ransomware-activity-linked-to-sonicwall-ssl-vpn/
- https://adarma.com/understanding-fog-ransomware/
- https://areteir.com/article/malware-spotlight-fog-ransomware-technical-analysis/
- https://www.mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/june-7-2-the-fog-ransomeware.pdf
About Loginsoft
For over 20 years, leading companies in Telecom, Cybersecurity, Healthcare, Banking, New Media, and more have relied on Loginsoft as a trusted resource for technology talent. Startups, product companies and enterprises alike rely on our services. Whether onsite, offsite, or offshore, we deliver. With a track record of successful partnerships with leading technology companies globally, and specifically in the past 6 years with cybersecurity product companies, Loginsoft offers a comprehensive range of security offerings, including Software Supply Chain, Vulnerability Management, Threat Intelligence, Cloud Security, Cybersecurity Platform Integrations, creating content packs for Cloud SIEM, log onboarding and more. Our commitment to innovation and expertise has positioned us as a trusted player in the cybersecurity space. Loginsoft continues to provide traditional IT services, including software development and support, QA automation, Data Science & AI, and more.
Expertise in Integrations with Threat Intelligence and Security Products: Built more than 250+ integrations with leading TIP, SIEM, SOAR, and Ticketing Platforms such as Cortex XSOAR, Anomali, ThreatQ, Splunk, IBM QRadar & Resilient, Microsoft Azure Sentinel, ServiceNow, Swimlane, Siemplify, MISP, Maltego, Cryptocurrency Digital Exchange Platforms, CISCO, Datadog, Symantec, Carbonblack, F5, Fortinet, and so on. Loginsoft is a partner with industry leading technology vendors Palo Alto, Splunk, Elastic, IBM Security, etc.
In addition, Loginsoft offers Research as a service: We're more than just experts in cybersecurity; we're your accredited in-house research team focused on unraveling the complexities of cybersecurity and future technologies. From Application Security to Threat Research, our seasoned professionals have cultivated expertise in every facet of the field. We've earned the trust of over 20 security platform companies, who count on our research and analysis to strengthen their cybersecurity solutions.