active threat profile
type: Ransomware
threat_level: High
status: Active
origin: Unknown — assessed Russian (closed RaaS)
last_updated: 2026-03-27

Fog Ransomware

leak site: The Fog Blog
file ext: .fog .ffog .flocked

Emerged April 2024 as an education-sector specialist built on compromised VPN credentials — 80 percent of early victims were US schools and universities. Fog distinguished itself by operational speed: the shortest observed time from initial access to full encryption was under two hours. Researchers note it as a variant rather than a group, separating encryptor developers from affiliate operators whose identities remain unknown. By mid-2024 Fog had expanded into finance, critical infrastructure, and healthcare. By 2025, affiliate attacks displayed APT-like tradecraft — two-week pre-encryption dwell time, employee surveillance software, Google Sheets as a C2 channel, and post-deployment persistence — raising documented concerns that ransomware may be serving as cover for espionage activity.

attributed origin: Unknown — Russian language assessed
operation model: Closed RaaS — affiliate structure, developer-separated
first observed: April 2024 (first IR cases: May 2, 2024)
primary motivation: Financial extortion — double extortion + possible espionage
primary targets: Education, Finance, Healthcare, Manufacturing, Government
notable speed: Under 2 hours — initial access to full encryption
initial access: Compromised VPN credentials, CVE-2024-40766, CVE-2024-40711
target regions: US (primary), Europe, Asia (2025)
threat level: HIGH — active and evolving

Overview

Fog ransomware was first identified by Arctic Wolf Labs in early May 2024, though the encryptor itself appears to have been operational from April 2024. It operates as a closed ransomware-as-a-service — meaning the encryptor's developers supply the payload to affiliate operators who conduct intrusions independently, but the affiliate network is not openly recruited or publicly advertised in the way open RaaS programs are. This developer-affiliate separation means that the observed attack behaviors may vary across affiliates while the encryptor and file extensions remain consistent.

What separated Fog from the crowded ransomware landscape at launch was operational speed. In cases investigated by Arctic Wolf, the entire attack chain — from VPN credential use to complete network encryption — was completed in as little as two hours. This speed was enabled by the VPN credential access method, which provided immediate, authenticated network access without any phishing, exploitation, or lateral movement required to reach a perimeter. Pass-the-hash attacks against administrator accounts rapidly escalated privileges, and the payload was then deployed across Hyper-V servers and Veeam backup infrastructure before defenders could detect or respond.

The group's initial targeting was geographically and sectorally focused: all early victims were located in the United States, with 80 percent operating in education and 20 percent in recreation. Researchers attributed this sector focus to the weaker security postures, under-resourced security teams, and high density of VPN-exposed remote access common in academic environments. The education sector also holds valuable personal data — student records, financial aid information, research data — that amplifies extortion pressure.

The trajectory from mid-2024 onward showed deliberate expansion. Affiliates pivoted into financial services by late 2024, exploiting the same playbook against higher-value targets. Exploitation of CVE-2024-40766 in SonicWall SSL VPNs was documented between August and November 2024, providing a vulnerability-based alternative to credential-stuffing when fresh credentials were not available. In October 2024, affiliates added CVE-2024-40711 — a CVSS 9.8 deserialization vulnerability in Veeam Backup & Replication servers — demonstrating a deliberate targeting of data protection infrastructure to undermine recovery.

In April 2025, affiliates shifted to email-based infection chains with PowerShell loader stages, and began inserting politically provocative content into ransom notes — mocking Elon Musk's DOGE initiative and, in one documented case, offering free decryption to victims who would spread the ransomware to another organization. This behavior deviated sharply from standard ransomware operational norms and attracted significant researcher attention. The most technically significant development came in May 2025, when Symantec documented a Fog-affiliated attack on an Asian financial institution that employed a two-week pre-encryption dwell period, employee monitoring software (Syteca) for on-screen surveillance, Google Sheets-based C2 via GC2, and post-ransomware persistence establishment — an unusual combination that led Symantec to assess the attack may have had espionage objectives with the ransomware serving as a decoy or secondary income stream.

Target Profile

Fog's targeting has expanded substantially since launch, from a narrow US education focus to a genuinely broad multi-sector, multi-geography operation. The consistent thread is exploitable remote access and high-value data.

  • Education (primary, 2024): Higher education institutions across the US were Fog's defining early target. Universities and colleges were selected for their dense VPN usage, large numbers of remote users with varied credential hygiene, under-resourced IT security teams, and the high sensitivity of student, staff, and research data. Approximately 80 percent of initial victims in Arctic Wolf's investigation were educational organizations. The University of Oklahoma was named as one notable documented victim.
  • Financial Services (2024–present): By late 2024, Fog affiliates had pivoted into banking and financial organizations with similar tactical playbooks — VPN credential compromise, rapid encryption, and double extortion leveraging financial records. A May 2025 attack on an unnamed Asian financial institution represented the most technically sophisticated Fog-affiliated intrusion documented to date.
  • Healthcare: Healthcare organizations appeared in Fog victim lists following the sector expansion in late 2024. HHS's Health Sector Cybersecurity Coordination Center (HC3) flagged Fog as a relevant threat to healthcare providers, noting the sensitivity of patient data as extortion leverage and the operational disruption risk from encryption of clinical systems.
  • Manufacturing and Technology: Fog's leak site victims span manufacturing, technology, automotive, food and beverage, pharmaceutical, and transportation sectors — consistent with the opportunistic post-education expansion pattern.
  • Government and Critical Infrastructure: Government entities, energy organizations, and telecommunications operators appeared among documented victims as the group broadened its targeting scope through 2024 and into 2025.
  • Geographic Distribution: The United States dominated early victim geography. By mid-2024, European organizations appeared regularly. The May 2025 Asian financial institution attack confirmed Fog affiliates were operating globally, with no geographic constraint apparent in recent campaigns.

Tactics, Techniques & Procedures

Fog's TTP set has evolved through three documented phases: credential-based rapid encryption (2024), vulnerability exploitation + CVE-based backup targeting (late 2024), and an APT-like dwell-and-surveil approach with unusual tooling (2025). The encryptor core remains consistent; operator sophistication varies by affiliate.

mitre id | technique | description
T1078.001 | Valid Accounts — VPN Credentials | The defining initial access method for Fog's early campaigns. Compromised VPN credentials — sourced from credential markets, prior breaches, or brute force — were used against two separate VPN gateway vendors to gain authenticated network access without triggering exploit detection. This method provided immediate, privileged network presence and enabled sub-two-hour encryption timelines.
T1190 | Exploit Public-Facing Application | CVE-2024-40766 (SonicWall SSL VPN, exploited August–November 2024) and CVE-2024-40711 (Veeam Backup & Replication, CVSS 9.8, exploited October 2024 onward) were added to the initial access toolkit. The Veeam vulnerability is particularly notable for targeting backup infrastructure specifically — compromising the systems organizations rely on for recovery before encryption begins.
T1075 | Pass-the-Hash | Once inside the network via VPN, operators performed pass-the-hash attacks against administrator accounts to rapidly escalate privileges. This provided immediate domain-level access without needing to crack passwords, and enabled lateral movement to Hyper-V servers and Veeam backup systems as priority targets before encryption.
T1021.001 | Remote Services — RDP | RDP connections to Windows Servers running Hyper-V and Veeam were established after pass-the-hash credential escalation. PsExec and SMBExec were used alongside RDP for lateral spread across the victim network, deploying the ransomware binary and associated cleanup scripts to additional hosts.
T1562.001 | Disable Security Tools | Windows Defender was disabled on compromised Windows servers before ransomware deployment. Multiple processes and services were terminated via Windows API calls. In the May 2025 attack, Syteca artifacts were actively deleted after the surveillance phase, indicating deliberate operational hygiene beyond standard ransomware cleanup.
T1486 | Data Encrypted for Impact | Fog encrypts files with symmetric encryption and a runtime-generated key that is asymmetrically protected. VMDK files in VM storage are specifically targeted for encryption, maximizing impact on virtualized environments. Files receive .fog, .ffog, or .flocked extensions. A file named DbgLog.sys is created in the execution directory containing debug output from the encryption process. Ransom notes (readme.txt) are dropped in all affected directories.
T1490 | Inhibit System Recovery | Shadow copies are deleted via "vssadmin.exe delete shadows /all /quiet" before encryption completes. Veeam object storage backups are specifically targeted and deleted — a deliberate attack on the backup systems that would otherwise enable recovery without paying the ransom.
T1567 | Exfiltration — Double Extortion | Data is archived using 7-Zip and/or WinRAR before encryption and transferred to external cloud storage. The group's data leak site — "The Fog Blog" — published victim data with countdown timers for non-paying organizations. In the May 2025 attack, MegaSync and FreeFileSync were used for exfiltration, providing additional transfer utility alongside 7-Zip staging.
T1071.001 | Web Protocols — Cloud C2 (GC2) | In the May 2025 attack, the Google Command and Control (GC2) open-source framework was used to communicate with compromised systems via Google Sheets and Microsoft SharePoint List as C2 channels, exfiltrating data via Google Drive and SharePoint documents. This technique routes malicious C2 traffic through trusted enterprise cloud services, blending with normal corporate traffic and evading domain-based network detection.
T1543.003 | Windows Service — Post-Encryption Persistence | In the May 2025 Asian financial institution attack, attackers created a Windows service to establish persistence several days after deploying the ransomware — highly unusual behavior for a ransomware operation. A Process Watchdog component ensured that backdoors like GC2 were automatically relaunched if terminated. This post-deployment persistence suggests operational objectives that extended beyond the immediate ransom collection.

under two hours — encryption speed warning

Fog's shortest documented time from initial VPN access to complete network encryption is under two hours. This window is insufficient for most organizations to detect, contain, and interrupt the attack using standard monitoring cadences. Defenders should assume that a Fog-affiliated intrusion via compromised VPN credentials will result in encryption before any human-reviewed alert reaches the response team unless automated detection and blocking is in place at the network layer.
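The file artifacts listed in the T1486 row (the .fog / .ffog / .flocked extensions, readme.txt ransom notes, DbgLog.sys) are what an incident responder sees first on an affected share. The following triage scanner is an added example written for this profile, not code from the profile itself or from any vendor report: it inventories those artifacts under a directory tree without reading file contents and bounds the encryption window from the modification times of encrypted files, which is the quickest way to check a "sub-two-hour" timeline against the evidence. The sample tree it builds is constructed for the demonstration; the artifact names are the ones the profile documents.

```python
"""Triage scan for the Fog file artifacts described in the TTP table.

Added example, not code from the profile or from any vendor report. It walks a
directory tree, inventories the file-level indicators (.fog / .ffog / .flocked
extensions, readme.txt ransom notes, DbgLog.sys) without reading file contents,
and bounds the encryption window from the modification times of encrypted
files. The sample tree it builds is constructed for the demonstration.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

FOG_EXTENSIONS = {".fog", ".ffog", ".flocked"}
RANSOM_NOTE = "readme.txt"
DEBUG_LOG = "dbglog.sys"  # compared case-insensitively


@dataclass
class TriageResult:
    encrypted: List[str] = field(default_factory=list)   # paths carrying a Fog extension
    notes: List[str] = field(default_factory=list)       # readme.txt locations
    debug_logs: List[str] = field(default_factory=list)  # DbgLog.sys locations
    first_mtime: Optional[float] = None                  # earliest encrypted-file mtime
    last_mtime: Optional[float] = None                   # latest encrypted-file mtime

    def encryption_window_seconds(self) -> float:
        """Span between the first and last encrypted file: a lower bound on how
        long the encryptor ran, useful when checking the sub-two-hour claim."""
        if self.first_mtime is None or self.last_mtime is None:
            return 0.0
        return self.last_mtime - self.first_mtime


def scan_tree(root: str) -> TriageResult:
    """Inventory Fog file artifacts under root."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if ext in FOG_EXTENSIONS:
                result.encrypted.append(path)
                mtime = os.stat(path).st_mtime
                if result.first_mtime is None or mtime < result.first_mtime:
                    result.first_mtime = mtime
                if result.last_mtime is None or mtime > result.last_mtime:
                    result.last_mtime = mtime
            elif lower == RANSOM_NOTE:
                result.notes.append(path)
            elif lower == DEBUG_LOG:
                result.debug_logs.append(path)
    return result


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a Fog-encrypted share."""
    root = tempfile.mkdtemp(prefix="fog-triage-")
    vm_dir = os.path.join(root, "vmstore")
    docs_dir = os.path.join(root, "docs")
    os.makedirs(vm_dir)
    os.makedirs(docs_dir)
    files = {
        os.path.join(vm_dir, "fileserver.vmdk.fog"): b"",
        os.path.join(vm_dir, "readme.txt"): b"constructed ransom note\n",
        os.path.join(docs_dir, "budget.xlsx.flocked"): b"",
        os.path.join(docs_dir, "notes.docx.FFOG"): b"",   # mixed case on purpose
        os.path.join(docs_dir, "readme.txt"): b"constructed ransom note\n",
        os.path.join(docs_dir, "clean.txt"): b"untouched\n",
        os.path.join(root, "DbgLog.sys"): b"constructed debug output\n",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)
    # Spread encrypted-file mtimes over 90 minutes (constructed timeline).
    base = 1_700_000_000
    os.utime(os.path.join(vm_dir, "fileserver.vmdk.fog"), (base, base))
    os.utime(os.path.join(docs_dir, "budget.xlsx.flocked"), (base + 2700, base + 2700))
    os.utime(os.path.join(docs_dir, "notes.docx.FFOG"), (base + 5400, base + 5400))
    return root


if __name__ == "__main__":
    res = scan_tree(build_sample_tree())
    print(f"encrypted files: {len(res.encrypted)}, ransom notes: {len(res.notes)}, "
          f"debug logs: {len(res.debug_logs)}, "
          f"encryption window: {res.encryption_window_seconds() / 60:.0f} min")
```

Run it against a mounted forensic image of the affected share rather than the live host, and treat the mtime window as a lower bound: the encryptor may have run on hosts whose files were not all preserved, and mtimes survive only if nothing has touched the files since.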

Known Campaigns & Milestones

Key operational developments and notable attack incidents across Fog's documented operational history.

Initial Education Sector Wave — US (April – May 2024)

Arctic Wolf Labs identified Fog ransomware through multiple incident response cases beginning May 2, 2024. All victims were located in the United States, with 80 percent in education and 20 percent in recreation. All intrusions used compromised VPN credentials through two separate VPN gateway vendors. Pass-the-hash attacks against admin accounts provided rapid privilege escalation to Hyper-V and Veeam servers. Encryption times in multiple cases were under two hours from initial access. No exfiltration mechanisms were integrated in early binary samples — the initial model relied on encryption alone for extortion pressure. The last documented attack in the initial investigation was May 23, 2024.

Double Extortion and Leak Site Launch (July 2024)

Fog's data leak site — "The Fog Blog" — went live in July 2024, adding data publication threats to the encryption-only model used in initial campaigns. Kroll documented this shift in a Q2 2024 analysis, noting that exfiltration had been added to the attack chain and that victims could now face both encryption and public data exposure. Third-party cloud services and archiving tools (7-Zip, WinRAR) were used for staging and exfiltration.

SonicWall VPN Exploitation — CVE-2024-40766 (August – November 2024)

DFIR Report researchers documented open directory infrastructure linked to a Fog-affiliated operator containing sonic_scan.zip — a SonicWall credential scanning and exploitation toolkit. Attacks targeting CVE-2024-40766 in SonicWall SSL VPN appliances were observed between August and November 2024, providing a vulnerability-based alternative to pure credential stuffing for initial access when fresh credentials were unavailable. The affiliate toolkit also included DonPAPI, Certipy, Zer0dump, and Pachine/noPac for Active Directory exploitation.

Veeam Backup Server Exploitation — CVE-2024-40711 (October 2024)

Fog affiliates began exploiting CVE-2024-40711 — a CVSS 9.8 deserialization vulnerability in Veeam Backup & Replication Server Manager allowing unauthenticated remote code execution — patched by Veeam in September 2024. The deliberate targeting of backup infrastructure reflects a sophisticated understanding of organizational recovery dependencies: by compromising the backup system itself before deploying the ransomware, attackers eliminate the primary recovery path without requiring separate backup deletion commands.

DOGE-Themed Ransom Notes and Email Campaign (April 2025)

Incident responders documented a shift to email-based infection chains with multi-stage PowerShell loaders. Ransom notes in this campaign wave included politically provocative content mocking Elon Musk's Department of Government Efficiency (DOGE), with embedded political commentary and YouTube video launches during infection. One documented ransom note offered free decryption to victims who would spread the ransomware to another organization's network — an unusual social engineering technique that has no known precedent in documented ransomware operations. Custom PowerShell scripts (lootsubmit.ps1, trackerjacker.ps1) automated intelligence collection including Wi-Fi location data via the Wigle API.

Asian Financial Institution — Suspected Espionage (May 2025)

Symantec's Threat Hunter Team documented a Fog-affiliated attack on an unnamed Asian financial institution that represented the most technically sophisticated and behaviorally anomalous Fog intrusion on record. Attackers were present in the network for approximately two weeks before deploying the ransomware, infecting two Exchange servers. The toolset included Syteca (formerly Ekran, a legitimate employee monitoring software supporting screen recording and keystroke logging), the GC2 post-exploitation framework communicating via Google Sheets and SharePoint, the Adaptix C2 agent (an open-source Cobalt Strike alternative), the Stowaway proxy (used to deliver Syteca), and Process Watchdog to maintain GC2 persistence. PsExec and SMBExec handled lateral movement. MegaSync and FreeFileSync handled data exfiltration alongside 7-Zip. Several days after ransomware deployment, attackers created a Windows service to establish persistent access — highly unusual post-encryption behavior. Symantec assessed the unusual toolset, two-week dwell time, surveillance software, and post-deployment persistence as potentially indicating espionage objectives, with ransomware serving as a decoy or secondary revenue stream.

Tools & Malware

Fog's toolset has expanded substantially across its operational life, from a minimal credential-access and encryption model to a sophisticated multi-layer intrusion toolkit that increasingly resembles APT tradecraft.

  • Fog Encryptor (fog.exe / 1.exe): The core ransomware payload. Encrypts files using symmetric encryption with a runtime-generated key, protected via asymmetric encryption. Specifically targets VMDK files in VM storage. Appends .fog, .ffog, or .flocked extensions. Creates DbgLog.sys in the execution directory as a debug log. Drops readme.txt ransom notes in all affected directories. Executed with configurable flags. No exfiltration or persistence mechanisms are integrated in the binary itself — those functions are handled by affiliate-chosen tooling.
  • SonicWall Scanner (sonic_scan.zip): A Python-based credential scanning and exploitation tool found in a Fog-affiliated open directory. Reads IP addresses, usernames, passwords, and domain names from a structured data file, authenticates against SonicWall VPN appliances, and performs port scanning against successful authentications. Used for both credential validation and initial access in CVE-2024-40766 exploitation campaigns.
  • GC2 (Google Command and Control): An open-source post-exploitation framework that uses Google Sheets or Microsoft SharePoint List as its C2 channel and Google Drive or SharePoint documents for data exfiltration. Previously documented only in APT41 operations. First observed in a ransomware attack in the May 2025 Fog incident. Routes C2 traffic through trusted enterprise cloud services, evading domain-reputation-based network detection.
  • Syteca (formerly Ekran): A legitimate commercial employee monitoring application supporting screen recording, keystroke logging, and application monitoring. Deployed in the May 2025 attack via Stowaway proxy. Its presence in an attack chain has never before been documented in ransomware incidents. Assessed by Symantec as likely used for credential theft and intelligence gathering from active user sessions. Cleanup commands run post-use to erase deployment artifacts.
  • Adaptix C2: An open-source adversarial emulation framework with a C2 beacon agent. Described as functionally similar to Cobalt Strike. Deployed in the May 2025 attack alongside GC2 to provide robust remote control capability via a second C2 channel.
  • Stowaway: An open-source multi-hop proxy tool used to establish encrypted tunnels for C2 traffic concealment and to deliver the Syteca client executable to target systems.
  • Sliver C2: An open-source command-and-control framework documented in a December 2024 Fog-affiliated open directory (server at 194.48.154.79:80, port 31337), used for managing implants on compromised systems.
  • DonPAPI / Certipy / Zer0dump / Pachine / noPac: Credential and certificate theft tools found in the December 2024 open directory. DonPAPI extracts DPAPI-protected credentials from Windows; Certipy abuses Active Directory Certificate Services for privilege escalation; Zer0dump and Pachine/noPac exploit CVE-2020-1472 (Zerologon) for domain controller attacks.
  • AnyDesk / PsExec / SMBExec / NetExec: Remote management and lateral movement tools used across Fog campaigns. AnyDesk was deployed via PowerShell automation script in the December 2024 affiliate infrastructure. PsExec and SMBExec are consistent across all documented Fog affiliate intrusions for lateral movement and ransomware deployment.
  • MegaSync / FreeFileSync / 7-Zip / WinRAR: Data staging and exfiltration utilities. 7-Zip and WinRAR archive sensitive directories before transfer; MegaSync and FreeFileSync handle upload to external storage. Cloud service exfiltration via these tools blends data transfer with normal enterprise network activity.

Indicators of Compromise

Fog is an active threat. IOCs from the May 2025 Symantec report include confirmed hashes and infrastructure. Cross-reference with current threat intelligence feeds for the most recent affiliate infrastructure.

active and evolving

Fog is an active ransomware operation with confirmed 2025 campaigns. Infrastructure rotates between affiliate campaigns. Behavioral detection — particularly for VPN credential-based authentication from unfamiliar geolocations, pass-the-hash against admin accounts, and Veeam/Hyper-V server access patterns — is more reliable than static IOC blocking for this threat actor.

file indicators — fog ransomware
file ext: .fog / .ffog / .flocked — encrypted file extensions
ransom note: readme.txt — dropped in all affected directories
debug log: DbgLog.sys — created in execution directory during encryption
scripts: lootsubmit.ps1 / trackerjacker.ps1 — intelligence gathering PowerShell scripts
script: any.ps1 — AnyDesk automated deployment script (Dec 2024 affiliate)
exploit: CVE-2024-40766 — SonicWall SSL VPN (Aug–Nov 2024 campaigns)
exploit: CVE-2024-40711 — Veeam Backup & Replication RCE, CVSS 9.8 (Oct 2024+)
exploit: CVE-2020-1472 — Zerologon (Pachine/noPac, Dec 2024 affiliate)

infrastructure — may 2025 attack (symantec)
ip: 66.112.216[.]232
ip: 97.64.81[.]119
domain: amanda[.]protoflint[.]com
syteca files: sytecaclient.exe / udpate.exe (note: misspelling intentional in filename)

behavioral indicators
behavior: VPN authentication from unfamiliar geolocations or IPs at unusual hours
behavior: Pass-the-hash activity targeting administrator accounts immediately post-VPN auth
behavior: RDP connections to Hyper-V and Veeam servers from newly authenticated accounts
behavior: Veeam object storage backup deletion preceding encryption
behavior: GC2 traffic to Google Sheets / SharePoint from internal hosts (legitimate-domain C2)
behavior: Syteca / Ekran client installed on non-IT systems
behavior: MegaSync or FreeFileSync executing with large outbound data volumes
behavior: New Windows service created days after ransomware deployment (post-encryption persistence)
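The behavioral indicators above are individually noisy; what makes them a Fog signal is their order and compression into a window shorter than two hours. The correlation below is an added example written for this profile, not code from the profile or from any vendor product. It reads constructed log lines in a simplified key=value form (the field names event, user, src_ip, target_host, logon_type, auth, cmdline and service are assumptions chosen for the demonstration, not a real SIEM schema), tracks each VPN session, and raises one alert when an NTLM logon to an administrator account, an RDP connection to a Hyper-V or Veeam host, and shadow-copy deletion all follow the same session inside the window. It also raises the post-encryption persistence alert from the last indicator when a service is installed a day or more after the impact phase. Pass-the-hash is approximated here as an NTLM network logon to an admin account from a freshly assigned VPN address; a real PtH detection such as Defender for Identity draws on richer telemetry.

```python
"""Correlate the Fog behavioral indicators into a single high-severity alert.

Added example, not code from the profile or from any vendor product. Log lines
are constructed in a simplified key=value form; the field names are
assumptions for the demonstration, not a real SIEM schema. Pass-the-hash is
approximated as an NTLM network logon to an administrator account from the
address a VPN session was just assigned.
"""
import shlex
from datetime import datetime, timedelta

EXPECTED_COUNTRIES = {"US"}               # where this org's users normally connect from
ADMIN_ACCOUNTS = {"administrator"}        # accounts whose NTLM logons are scrutinised
BACKUP_HOSTS = {"hyperv01", "veeam01"}    # Hyper-V and Veeam servers (constructed names)
CHAIN_WINDOW = timedelta(hours=2)         # Fog's documented fastest end-to-end time
PERSISTENCE_GAP = timedelta(days=1)       # service install this long after encryption
REQUIRED_STAGES = {"ntlm_admin_logon", "rdp_to_backup_host", "shadow_copy_deletion"}

# Constructed telemetry: one compressed Fog-style chain, an unrelated normal
# VPN login, then a new service on the Veeam host four days after encryption.
SAMPLE_LOGS = """\
2025-05-04T02:11:05Z event=vpn_login user=jsmith src_country=NL assigned_ip=10.20.0.55
2025-05-04T02:13:40Z event=logon logon_type=3 auth=NTLM target_user=administrator src_ip=10.20.0.55 target_host=dc01
2025-05-04T02:25:02Z event=logon logon_type=10 target_user=administrator src_ip=10.20.0.55 target_host=veeam01
2025-05-04T02:26:10Z event=logon logon_type=10 target_user=administrator src_ip=10.20.0.55 target_host=hyperv01
2025-05-04T03:40:19Z event=process host=hyperv01 cmdline="vssadmin.exe delete shadows /all /quiet"
2025-05-04T09:00:00Z event=vpn_login user=kchen src_country=US assigned_ip=10.20.0.61
2025-05-08T22:15:33Z event=service_installed host=veeam01 service=WinUpdateSvc
"""


def parse_line(line):
    """Turn 'TIMESTAMP k=v k="v with spaces"' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def correlate(log_text):
    """Return alerts for Fog-like chains and for post-encryption persistence."""
    sessions = {}        # VPN-assigned ip -> chain state for that session
    alerts = []
    encryption_at = None
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        kind = ev["event"]
        if kind == "vpn_login":
            state = {"user": ev["user"], "start": ev["ts"], "stages": set(),
                     "hosts": set(), "alerted": False}
            if ev["src_country"] not in EXPECTED_COUNTRIES:
                state["stages"].add("vpn_unfamiliar_geo")   # raises confidence only
            sessions[ev["assigned_ip"]] = state
        elif kind == "logon":
            state = sessions.get(ev["src_ip"])
            if state is None or ev["ts"] - state["start"] > CHAIN_WINDOW:
                continue
            if (ev["logon_type"] == "3" and ev.get("auth") == "NTLM"
                    and ev["target_user"].lower() in ADMIN_ACCOUNTS):
                state["stages"].add("ntlm_admin_logon")      # pass-the-hash proxy
            elif ev["logon_type"] == "10" and ev["target_host"] in BACKUP_HOSTS:
                state["stages"].add("rdp_to_backup_host")
                state["hosts"].add(ev["target_host"])
        elif kind == "process" and "delete shadows" in ev["cmdline"].lower():
            encryption_at = ev["ts"]                          # impact phase begins
            for src_ip, state in sessions.items():
                if (ev["host"] in state["hosts"] and not state["alerted"]
                        and ev["ts"] - state["start"] <= CHAIN_WINDOW):
                    state["stages"].add("shadow_copy_deletion")
                    if REQUIRED_STAGES <= state["stages"]:
                        state["alerted"] = True
                        minutes = int((ev["ts"] - state["start"]).total_seconds() // 60)
                        alerts.append({"type": "fog_chain", "user": state["user"],
                                       "src_ip": src_ip, "minutes": minutes,
                                       "stages": sorted(state["stages"])})
        elif kind == "service_installed" and encryption_at is not None:
            gap = ev["ts"] - encryption_at
            if gap >= PERSISTENCE_GAP:
                alerts.append({"type": "post_encryption_persistence", "host": ev["host"],
                               "service": ev["service"], "days_after": gap.days})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Because the whole chain can close in under two hours, the fog_chain alert is worth wiring to an automated response (terminate the VPN session, isolate the RDP targets) rather than an analyst queue; the per-session state lets the same logic fire on the NTLM-plus-RDP stages alone if an organization prefers to act before shadow-copy deletion.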

Mitigation & Defense

Fog's defining characteristic — sub-two-hour encryption enabled by VPN credential compromise — requires defenses that operate at machine speed, not analyst speed. The 2025 APT-like campaign evolution adds surveillance and persistence concerns on top of the encryption threat.

  • Enforce MFA on all VPN and remote access entry points: Fog's entire early attack model depended on compromised credentials alone being sufficient to authenticate to the network. MFA eliminates this class of initial access completely. All VPN gateways, RDP portals, and remote access endpoints should require a second factor regardless of network location of the authenticating device.
  • Patch CVE-2024-40766 (SonicWall) and CVE-2024-40711 (Veeam) immediately: Both vulnerabilities were exploited by Fog affiliates within weeks of becoming known. Any SonicWall SSL VPN appliance and any Veeam Backup & Replication Server running an unpatched version is directly exposed to Fog affiliate exploitation. Verify patch status now.
  • Isolate backup infrastructure on a separate network segment: Fog affiliates specifically targeted Veeam servers for both exploitation and backup deletion. Backup systems should not be reachable from general corporate network segments, even by authenticated administrator accounts. Out-of-band backup management access requiring separate authentication is the appropriate control model.
  • Deploy automated alerting on pass-the-hash against administrator accounts: Given Fog's sub-two-hour timeline, human-reviewed alerts are unlikely to produce response before encryption completes. Automated blocking triggered by pass-the-hash against admin accounts from unexpected source systems provides the detection window required. Tools like Microsoft Defender for Identity (formerly ATA) detect this behavior natively.
  • Monitor for unauthorized Syteca/Ekran installation and GC2 traffic patterns: The May 2025 attack introduced Syteca as a surveillance tool. Any installation of employee monitoring software outside normal IT provisioning processes should generate an alert. GC2 traffic via Google Sheets is harder to detect at the URL level but can be identified through behavioral analysis of unusual Google API traffic volumes and access patterns from internal hosts that do not normally access Google Workspace.
  • Alert on new Windows services created post-encryption: Fog's post-deployment persistence behavior is documented but unusual. EDR solutions monitoring service creation after a ransomware incident should flag any new service registrations that occur in the period following encryption — this is a signal that the threat actor intends to maintain access to the environment.
  • Review VPN access logs for geographic anomalies: Fog affiliates authenticate from VPN addresses and hosting providers inconsistent with an organization's user geography. Automated alerts on VPN logins from unusual countries or IP ranges — particularly outside business hours — provide early warning of credential-based intrusion before lateral movement begins.

analyst note — espionage boundary blurring

The May 2025 Asian financial institution attack represents a documented instance of what researchers have called the "blurring of lines between cybercrime and cyber espionage." The use of GC2 — previously linked exclusively to the Chinese state-sponsored group APT41 — alongside employee monitoring software and post-ransomware persistence led Symantec to assess that espionage may have been the primary objective. Whether Fog affiliates are independently adopting APT tradecraft, or whether the group has begun attracting operators with nation-state backgrounds, is unresolved. Organizations targeted by Fog should treat post-incident forensics as potentially revealing deeper, longer-term compromise than the visible encryption event suggests.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile