Fog Ransomware Attack Chain Leverages Legitimate and Open-Source Tools

Industry | Written by Anthony M. Freed | Published on Jun 12, 2025

Researchers recently observed an atypical toolset used in a Fog ransomware attack against a financial institution in Asia. Although the initial infection vector remains unknown, the attackers deployed a variety of rarely seen tools, blending legitimate software and open-source utilities to evade detection and maintain persistence, Bleeping Computer reports.

One of the most unusual components was Syteca, a legitimate employee monitoring tool that records screen activity and keystrokes. Attackers used it to silently capture credentials and other sensitive information entered by employees. Syteca was delivered via Stowaway, an open-source proxy tool, and executed using SMBExec, a lateral movement tool from the Impacket framework.

The attackers also leveraged GC2, an open-source post-exploitation backdoor that uses Google Sheets or Microsoft SharePoint for command-and-control and data exfiltration—an uncommon choice in ransomware operations. Additional tools included Adapt2x C2, a post-exploitation alternative to Cobalt Strike; Process Watchdog, a utility to restart processes; PsExec for remote execution; and Impacket’s SMB library, likely used to deploy the ransomware payload.

To stage and transfer stolen data, the attackers employed 7-Zip, MegaSync, and FreeFileSync. The combination of tools—particularly Syteca and GC2—represents a significant deviation from typical ransomware attacks. Researchers noted that using such an unusual blend of utilities can help attackers bypass traditional detection mechanisms. Their findings also included indicators of compromise to assist defenders in recognizing and responding to similar threats.

Takeaway: According to the Power Rankings: Ransomware Malicious Quartile report, Fog ransomware, first identified in May 2024, is a highly disruptive Windows-based threat and a variant of the STOP/DJVU ransomware family. It has gained notoriety for its strategic sophistication, aggressive lateral movement, and effective privilege escalation techniques, including the use of pass-the-hash attacks and tools like PsExec.

Initial access is often obtained via compromised VPN credentials, and in some cases, through exploited vulnerabilities in VPN gateways, such as those affecting SonicWall appliances. Once inside a network, Fog disables Windows Defender, deletes Volume Shadow Copies (VSS), and removes Veeam backups—crippling most traditional recovery options.  

The ransomware then uses tools like Cobalt Strike and Mimikatz to escalate privileges, extract browser credentials, and dump NTDS.dit from Active Directory. For lateral movement, operators rely on PsExec and Remote Desktop Protocol (RDP), enabling rapid spread across victim environments.

Fog encrypts files with AES-256 and protects each AES key by encrypting it with RSA-2048. Encrypted files typically receive extensions such as ".FOG" or ".FLOCKED", and victims find ransom notes named "readme.txt" or "HELP_YOUR_FILES.HTML" containing contact instructions. While the group initially avoided data theft, by July 2024 it had adopted double-extortion tactics, threatening to leak stolen data if ransoms were not paid.
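The recovery-sabotage, lateral-movement and post-encryption behaviours described in the three paragraphs above can be turned into simple triage logic. The script below is an added example written for this post, not code from Halcyon or from the cited research: it scans constructed process-creation events for shadow-copy deletion, Defender tampering and PsExec-style service execution, and walks a constructed file listing for the ".FOG"/".FLOCKED" extensions and ransom-note names the post lists. The specific command lines it matches (vssadmin, wmic, wbadmin, Set-MpPreference) are generic, widely documented techniques and are an assumption; the post names only the behaviours, not the commands.

```python
"""
Added triage example (not part of the original post or of any vendor tool).
Sample events and the file listing are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed process-creation events: (host, parent process, command line)
SAMPLE_EVENTS = [
    ("fs01", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("fs01", "powershell.exe", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("fs01", "cmd.exe", "wmic shadowcopy delete"),
    ("ws22", "services.exe", "PSEXESVC.exe"),
    ("ws22", "explorer.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("db03", "cmd.exe", "wbadmin delete catalog -quiet"),
]

# Rule name, MITRE ATT&CK technique id (for the analyst's reference), command-line regex.
# The command lines are generic, well-known techniques, not taken from the post.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin\s+delete\s+catalog", re.I)),
    ("defender_tampering", "T1562.001",
     re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)),
    ("psexec_remote_exec", "T1569.002",
     re.compile(r"\bPSEXESVC(\.exe)?\b|\bpsexec(64)?(\.exe)?\b", re.I)),
]

@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    technique: str
    command: str

def scan_events(events):
    """Return one Alert per (event, rule) match, preserving event order."""
    alerts = []
    for host, _parent, cmd in events:
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(host, name, technique, cmd))
    return alerts

def hosts_with_recovery_sabotage(alerts):
    """Hosts where shadow copies/backups or Defender were tampered with,
    the combination the post describes as crippling recovery options."""
    return sorted({a.host for a in alerts
                   if a.rule in ("shadow_copy_deletion", "defender_tampering")})

# --- post-encryption artefacts named in the post ---
FOG_EXTENSIONS = (".fog", ".flocked")
FOG_NOTE_NAMES = ("readme.txt", "help_your_files.html")

def classify_name(name):
    """'encrypted', 'note' or None for a single file name (case-insensitive)."""
    name = name.lower()
    if name.endswith(FOG_EXTENSIONS):
        return "encrypted"
    if name in FOG_NOTE_NAMES:
        return "note"
    return None

# Constructed file listing; C:\Tools\readme.txt is an ordinary README with no
# encrypted neighbours and must not be counted as a ransom note.
SAMPLE_LISTING = [
    "C:\\Shares\\Finance\\Q1.xlsx.FOG",
    "C:\\Shares\\Finance\\readme.txt",
    "C:\\Shares\\Finance\\budget.xlsx",
    "C:\\Shares\\HR\\payroll.docx.FLOCKED",
    "C:\\Shares\\HR\\HELP_YOUR_FILES.HTML",
    "C:\\Tools\\readme.txt",
]

def triage_listing(paths):
    """Count encrypted files and ransom notes per directory.
    A generic name like readme.txt only counts as a ransom note when the same
    directory also holds an encrypted file; HELP_YOUR_FILES.HTML is distinctive
    enough to count on its own."""
    by_dir = {}
    for p in paths:
        directory, _, name = p.replace("\\", "/").rpartition("/")
        by_dir.setdefault(directory, []).append(name)
    counts = {"encrypted": 0, "ransom_note": 0}
    for names in by_dir.values():
        kinds = [(n.lower(), classify_name(n)) for n in names]
        encrypted_here = sum(1 for _, k in kinds if k == "encrypted")
        counts["encrypted"] += encrypted_here
        for n, k in kinds:
            if k == "note" and (n == "help_your_files.html" or encrypted_here):
                counts["ransom_note"] += 1
    return counts

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.host}: {a.rule} ({a.technique}): {a.command}")
    print("recovery sabotage on:", hosts_with_recovery_sabotage(scan_events(SAMPLE_EVENTS)))
    print("file triage:", triage_listing(SAMPLE_LISTING))
```

The per-directory rule for "readme.txt" is a deliberate design choice: on its own that name is far too common to be an indicator, so it is only treated as a ransom note when it sits beside files carrying one of the Fog extensions, which keeps the triage output useful on a real file share.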

Though tools like Metasploit may be used, Fog activity is more closely tied to custom scripts and living-off-the-land techniques. It has also reportedly targeted virtualized environments by encrypting VMDK files, although this has not been consistently observed.

Fog does not appear to operate as a Ransomware-as-a-Service (RaaS) and instead follows a closed, centralized model with a core team managing all aspects of the attack. Its primary targets include organizations in education, business services, technology, manufacturing, finance, and government.  

Initially focused on U.S. higher education, the group has since expanded globally, with ransom demands ranging from $50,000 to several million dollars depending on the size and profile of the victim. By early 2025, Fog had become a significant contributor to the global ransomware landscape.

The discovery of Fog ransomware leveraging an atypical combination of legitimate and open-source tools reinforces its position as one of the more advanced and adaptive threats in the current ransomware landscape. While its core tactics—like credential theft, lateral movement via PsExec and RDP, and recovery sabotage—remain consistent, the integration of tools like Syteca, GC2, and Stowaway marks a clear evolution in its tradecraft.  

These additions suggest Fog’s operators are actively refining their methods to increase stealth, expand persistence, and complicate detection and response. As the group continues to blend custom scripts with publicly available utilities, defenders must prepare for increasingly complex attack chains that blur the line between traditional ransomware and advanced persistent threats.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
