THREAT ACTOR

Fog

THREAT LEVEL: 6.7
EMERGENCE DATE: May 2024
CATEGORY: Independent Ransomware Operation

AFFILIATIONS

Operates independently without a confirmed RaaS structure. Demonstrates tactical overlap with APT41 through tool sharing. Maintains relationships with Initial Access Brokers.

DESCRIPTION

Emerging as a new ransomware variant in May 2024, Fog established itself as a significant threat actor in the ransomware ecosystem, particularly targeting educational institutions and business services. Operating with an independent affiliate model, the group implements double extortion tactics while conducting financially motivated operations. After emerging as a STOP/DJVU variant, Fog developed its technical capabilities and became the first ransomware group to deploy legitimate employee monitoring software and to publish victim IP addresses.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Independent Ransomware Operation

The group operates as an Independent Ransomware Operation with no confirmed organizational connections to established ransomware families, though technical analysis reveals overlap with APT41 through shared tool usage. Fog maintains relationships with Initial Access Brokers for credential procurement, operating through a closed, centralized model without affiliate infrastructure or revenue sharing. Evidence suggests informal collaboration among independent operators sharing infrastructure and tools, but no formal RaaS structure exists. This independent approach, combined with technical capabilities including AES-256/RSA-2048 hybrid encryption and cross-platform variants, distinguishes Fog from traditional ransomware operations.

Current Status: Active as of May 2025, with rapid growth in attack volume over the past year and continued operations despite international investigation following attacks on government infrastructure. However, there are conflicting reports about the group's current operational status as of September 2025.


Origins and Methodology

Fog distinguishes itself in the ransomware landscape by having evolved from STOP/DJVU family origins rather than emerging as an entirely new operation. Although it was initially identified as a variant of the STOP/DJVU family, unique characteristics now set it apart and signal the work of a more capable and strategically driven group.

The threat actors occupy a distinctive position in the ecosystem, demonstrating advanced technical capabilities while conducting financially motivated operations. The operation supports rapid attack cycles from initial access to full encryption and implements extended persistence mechanisms.

What is the Evolution of Fog Ransomware?
0.1 Formation

Fog emerged from the STOP/DJVU ransomware family in May 2024, distinguishing itself through rapid tactical evolution. Although originally classified as a variant of a family with several years of heritage, it transitioned to double extortion in July 2024.

0.2 Evolution

The most significant evolution came through tactical innovations in 2025, when Fog became the first ransomware group to deploy employee monitoring software for surveillance. Primarily targeting Windows environments, the ransomware is known for fast-moving attacks and its ability to spread across enterprise networks.

0.3 Lineage/Connections

Technical analysis reveals connections to STOP/DJVU family code, with evidence of loose coordination among independent operators. The discovery of shared infrastructure containing affiliate tools suggests informal collaboration without a centralized RaaS structure.

Which Unique Techniques Does Fog Use?

TECHNIQUE / DETAILS

Infection Vectors: Initial access relies on exploitation of CVE-2024-40711 (Veeam) and CVE-2024-40766 (SonicWall), both added to the CISA KEV catalog, and on compromised VPN credentials or exploitation of vulnerabilities in VPN gateways such as SonicWall appliances.

Target Selection: Expanding beyond an initial focus on U.S. higher education institutions to include organizations of various sizes across wide-ranging sectors, including business services, technology, manufacturing, finance, and government.

Operational Complexity: Sophisticated operational methods leverage Microsoft Visual C/C++ development with professional compilation practices. Living-off-the-land techniques, custom scripts, and extensive use of tools like Cobalt Strike and Mimikatz for privilege escalation characterize operations.

Key Features & Technical Details

Fog's technical architecture demonstrates advanced capabilities building upon STOP/DJVU foundations while incorporating modern operational techniques.

FEATURE / DETAILS

Encryption Methods: AES-256 for files with RSA-2048 key protection. Encrypted files are marked with extensions such as .FOG, .FFOG, or .FLOCKED.

Double Extortion: Fully adopted double extortion tactics, exfiltrating sensitive data before encryption and threatening to leak it if ransom demands are not met, a shift that began in July 2024.

Cross-Platform: Windows environments are the primary target, with ESXi functionality for virtualized infrastructure.

Monetization: Ransom demands range from $50,000 to over $3 million, tailored to the victim organization's size, industry, and the sensitivity of exfiltrated data.

Communication: Ransom notes commonly titled readme.txt or HELP_YOUR_FILES.HTML provide instructions for contacting the attackers.

Behavioral Patterns: Fast-moving attacks that disable Windows Defender, delete Volume Shadow Copies (VSS), and remove Veeam backup data to eliminate recovery options.

Activities

Maintaining a consistent operational tempo with rapid growth following its emergence in early 2024, Fog quickly broadened its scope from an initially narrow victim set. It now accounts for a significant share of global ransomware incidents heading into mid-2025.

Which Industries Are Most Vulnerable to Fog?

Educational institutions faced the highest initial risk, with higher education targeted during early operations. Business services organizations are targeted because their client data repositories and interconnected systems create cascading impacts. Manufacturing companies attract attention for their operational disruption potential and just-in-time production vulnerabilities. Technology and finance sectors face increased targeting due to high-value data and regulatory compliance pressures.

Modus Operandi

Fog operations include a multi-stage attack architecture, leveraging both legitimate tools and custom malware to blend malicious activities with normal system operations. The methodical approach encompasses initial compromise through vulnerability exploitation, followed by systematic reconnaissance, privilege escalation, and strategic data exfiltration before encryption deployment.

Details

- T1190 - Exploit Public-Facing Application via CVE-2024-40711 (Veeam) and CVE-2024-40766 (SonicWall). T1078 - Valid Accounts through compromised VPN credentials purchased from Initial Access Brokers or obtained through credential harvesting operations.

- Systematic network reconnaissance using built-in Windows utilities, mapping of Active Directory structures, and identification of backup systems and data repositories for targeted destruction.

- Deployment of Cobalt Strike beacons for command and control, leveraging legitimate remote administration tools to maintain persistence while evading detection.

- Disables Windows Defender through registry modifications, uses living-off-the-land techniques, and employs custom scripts for stealth and adaptability. Implements anti-analysis mechanisms to hinder incident response.

- Tools like Cobalt Strike and Mimikatz enable privilege escalation, employing techniques such as pass-the-hash attacks and credential extraction from browsers and NTDS.dit.

- T1041 - Exfiltration Over C2 Channel in preparation for double extortion before encryption. Infrastructure is maintained through Tor hidden services and compromised legitimate sites.

- T1021 - Remote Services using PsExec and Remote Desktop Protocol (RDP) to propagate rapidly across networks. Leverages SMB shares for tool distribution and payload deployment.

- Strategic data theft focuses on sensitive documents, financial records, and intellectual property. Exfiltration is staged to avoid detection by security monitoring systems.

- Establishes persistence through registry modifications, scheduled tasks, and service creation. Deploys legitimate monitoring software for long-term surveillance capabilities.

- Causes operational disruption through encryption, data breach exposure through exfiltration, recovery complexity through backup destruction, and regulatory compliance violations through data theft.

- T1486 - Data Encrypted for Impact using AES-256 for files with RSA-2048 key protection. Selective encryption is implemented to maximize speed while ensuring critical data remains inaccessible.

- Deploys ransom notes across all affected systems, implements countdown timers for payment deadlines, and threatens incremental data release to pressure victims into payment.

- T1490 - Inhibit System Recovery: deletes Volume Shadow Copies (VSS) and removes Veeam backup data. Anti-forensics techniques are implemented to complicate incident response and attribution.
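The recovery-inhibition and defense-evasion steps above leave a clear process-creation trail. As an added example (not Fog's tooling or the profile's own content), the following Python scans constructed Sysmon-style process records for shadow-copy deletion, backup-catalog deletion, Veeam service stops, Defender tampering via the registry and PsExec remote execution, then flags hosts where several recovery-destruction commands fire together. The host names, users and log format are constructed, and the T1562.001 sub-technique used for the Defender rule is assumed from ATT&CK rather than taken from this profile.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOG = r"""
2025-05-01T10:02:11Z host=SRV01 user=CORP\svc_backup cmdline=vssadmin.exe delete shadows /all /quiet
2025-05-01T10:02:12Z host=SRV01 user=CORP\svc_backup cmdline=wbadmin delete catalog -quiet
2025-05-01T10:02:20Z host=SRV01 user=CORP\svc_backup cmdline=net stop VeeamBackupSvc
2025-05-01T10:03:05Z host=WS17 user=CORP\jdoe cmdline=reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2025-05-01T10:04:40Z host=WS17 user=CORP\jdoe cmdline=PsExec.exe \\FS01 -s cmd.exe /c whoami
2025-05-01T10:05:00Z host=WS02 user=CORP\admin cmdline=vssadmin.exe list shadows
2025-05-01T10:05:30Z host=WS02 user=CORP\admin cmdline=notepad.exe C:\readme.txt
""".strip().splitlines()

# (rule name, ATT&CK technique, regex over the process command line); T1562.001 is assumed from ATT&CK
RULES = [
    ("shadow copy deletion", "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup catalog deletion", "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("Veeam service stopped or removed", "T1490", re.compile(r"(sc(\.exe)?\s+(stop|delete)|net(\.exe)?\s+stop)\s+\W?veeam", re.I)),
    ("Defender disabled via registry", "T1562.001", re.compile(r"reg(\.exe)?\s+add\s+.*Windows Defender.*DisableAntiSpyware.*/d\s+1\b", re.I)),
    ("PsExec remote execution", "T1021", re.compile(r"psexec(64)?(\.exe)?\s+\\\\", re.I)),
]
LINE_RE = re.compile(r"^\S+\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmdline=(?P<cmd>.*)$")

def scan(lines):
    """Return one finding per (record, rule) match; malformed records are skipped, not fatal."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, technique, pattern in RULES:
            if pattern.search(m["cmd"]):
                findings.append({"host": m["host"], "user": m["user"], "rule": name,
                                 "technique": technique, "cmdline": m["cmd"]})
    return findings

def recovery_inhibition_hosts(findings, threshold=2):
    """Hosts with at least `threshold` distinct T1490 rules firing. One shadow-copy deletion
    can be legitimate admin work; several recovery-destruction commands in one sweep is the
    pre-encryption pattern described in the profile."""
    per_host = {}
    for f in findings:
        if f["technique"] == "T1490":
            per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["host"], f["technique"], f["rule"], "|", f["cmdline"])
```

Run against real Sysmon Event ID 1 exports, the only change needed is the LINE_RE field mapping; the rules operate on the command line alone.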

Indicators of Compromise (IOCs)

INDICATOR / DETAILS

File Extensions: .fog, .ffog, .flocked

Ransom Notes: readme.txt, HELP_YOUR_FILES.HTML, bidon_readme.txt

File Hashes:
f5b41c20a73171681d050f24bf0714dec318eb42904dfa7a827fd6a59c8089b1 (SHA256)
100cbf5578cfd03950c8606c6131a85635a8278696d3d64ecb629fa09af449e9 (SHA256)
4215b5ce20e033aeed7c56ae2e0eec60 (MD5)

Infrastructure: 194.48.154.79 - Open directory containing affiliate tools

File Paths:
C:\readme.txt (Primary ransom note location)
DbgLog.sys (Debug log file)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run (Persistence)
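As an added triage aid (not part of this profile), the Python below sweeps a directory tree for the file-system indicators in the table: the encrypted-file extensions, the ransom note names and the published SHA256/MD5 hashes. The directory layout built in demo() is constructed; readme.txt is treated as a weak indicator that needs an encrypted file in the same directory to corroborate it, since the name is common on clean systems.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators taken from the IOC table above.
ENCRYPTED_EXTENSIONS = {".fog", ".ffog", ".flocked"}
RANSOM_NOTE_NAMES = {"readme.txt", "help_your_files.html", "bidon_readme.txt"}
KNOWN_SHA256 = {"f5b41c20a73171681d050f24bf0714dec318eb42904dfa7a827fd6a59c8089b1",
                "100cbf5578cfd03950c8606c6131a85635a8278696d3d64ecb629fa09af449e9"}
KNOWN_MD5 = {"4215b5ce20e033aeed7c56ae2e0eec60"}
MAX_HASH_BYTES = 50 * 1024 * 1024  # skip hashing huge files; the payload is a small executable

def digests(path):
    """SHA-256 and MD5 of a file in one pass (MD5 only for IOC matching, not security)."""
    sha, md5 = hashlib.sha256(), hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            sha.update(block); md5.update(block)
    return sha.hexdigest(), md5.hexdigest()

def sweep(root):
    """Walk `root` and return encrypted files, ransom notes and known-hash hits (paths relative
    to root). readme.txt only counts as a note when an encrypted-extension file sits in the same
    directory; the other two note names are specific enough to report on their own."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    encrypted = [p for p in files if p.suffix.lower() in ENCRYPTED_EXTENSIONS]
    hit_dirs = {p.parent for p in encrypted}
    notes = [p for p in files if p.name.lower() in RANSOM_NOTE_NAMES
             and (p.name.lower() != "readme.txt" or p.parent in hit_dirs)]
    hash_hits = []
    for p in files:
        if p.stat().st_size <= MAX_HASH_BYTES:
            sha, md5 = digests(p)
            if sha in KNOWN_SHA256 or md5 in KNOWN_MD5:
                hash_hits.append(p)
    rel = lambda paths: sorted(str(p.relative_to(root)) for p in paths)
    return {"encrypted": rel(encrypted), "notes": rel(notes), "hash_hits": rel(hash_hits)}

def demo():
    """Build a constructed tree in a temp directory, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q1.xlsx.fog").write_bytes(b"\x00" * 64)   # encrypted file
        (root / "finance" / "readme.txt").write_text("note")            # note beside encrypted data
        (root / "docs").mkdir()
        (root / "docs" / "readme.txt").write_text("project notes")      # legitimate, uncorroborated
        (root / "HELP_YOUR_FILES.HTML").write_text("<html></html>")    # specific note name
        return sweep(root)
```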

Exploits and Vulnerabilities

Fog actively exploits critical vulnerabilities in backup infrastructure and VPN appliances; both vulnerabilities have been added to the CISA Known Exploited Vulnerabilities catalog due to active exploitation.

EXPLOITS AND VULNERABILITIES

Veeam Backup & Replication Server
CVE: CVE-2024-40711
CVSS: 9.8
Description: Allows unauthenticated remote code execution in backup infrastructure

SonicWall SonicOS
CVE: CVE-2024-40766
CVSS: 9.3
Description: Improper access control vulnerability in VPN appliances