Fog Ransomware Returns with Expanded Toolset and Enterprise Focus

Threat Group: Unknown (Closed group suspected)
Threat Type: Ransomware with espionage-like capabilities
Exploited Vulnerabilities: SonicWall VPN (CVE-2024-40766), Veeam RCE (CVE-2024-40711), possible Exchange vulnerabilities
Malware Used: Fog Ransomware, Syteca (Ekran) client, Adaptix Beacon, GC2, Stowaway, 7-Zip, MegaSync
Threat Score: 🔴 High (8.0/10) – Due to advanced persistence techniques, espionage-style data theft, and the use of trusted tools to evade detection
Last Threat Observation: June 14, 2025
Overview
A newly identified variant of the Fog ransomware has surfaced with a broadened target range across enterprise sectors, including finance, government, and technology. Initially reported in 2024 as a ransomware strain targeting educational institutions, Fog has since evolved into a hybrid threat that merges ransomware deployment with espionage-style persistence and data theft.
The latest campaign employs an unorthodox blend of legitimate software, open-source tools, and custom components to achieve lateral movement, privilege escalation, and stealthy data exfiltration prior to encryption. This variant exhibits a heightened operational sophistication that challenges traditional detection methods and demands a reassessment of enterprise security baselines.
Key Details
Delivery Method: Phishing emails with malicious .lnk files; compromised VPN credentials; exploitation of unpatched VPN, backup, and email systems
Target: Finance, education, tech, manufacturing, and government sectors globally
Functions:
- Disables endpoint defenses (e.g., AV/EDR, Windows Defender)
- Deletes Veeam and Volume Shadow backups
- Harvests credentials via Mimikatz, keylogging (Syteca), and screen recording
- Executes lateral movement through PsExec, RDP, SMBExec, and Impacket
- Encrypts files with a hybrid AES-256 + RSA-2048 scheme, appending extensions such as .fog and .flocked
Obfuscation: Sandbox evasion, abuse of legitimate binaries (LOLBins), and installation as Windows services; avoids traditional malware signatures by leveraging tools like GC2, Stowaway, and Adaptix Beacon
Attack Vectors
- Compromised Credentials: Leveraging weak or leaked VPN/RDP credentials for initial access
- Exploited Vulnerabilities: Actively exploiting SonicWall VPN and Veeam flaws; potential abuse of Exchange vulnerabilities
- Phishing: Delivery of ZIP archives containing .lnk files disguised as PDFs that launch PowerShell payloads
- Tool Abuse: Use of Syteca (employee monitoring software) for surveillance and credential theft; 7-Zip and MegaSync for exfiltration
- Post-Compromise: 14+ days of dwell time, establishing persistence, creating new admin accounts and services, disabling AV, lateral movement
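As an added example (not code from the original advisory or from the vendors it cites), the following Python inspects a ZIP attachment the way the Email Filtering mitigation in this advisory calls for: it flags any .lnk member and notes when the shortcut carries a decoy document extension, as in the disguised-as-PDF lure described above. The sample archive, extension sets and function names are constructed assumptions.

```python
import io
import zipfile

# Extension the advisory says to block inside compressed attachments, and the
# decoy document extensions a disguised shortcut borrows (e.g. 'Invoice.pdf.lnk').
BLOCKED_EXTENSIONS = {".lnk"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx"}

def inspect_zip_attachment(data: bytes) -> list[dict]:
    """One finding per suspicious member of a ZIP attachment.

    A payload that is not a readable ZIP at all is reported as a finding too,
    since an unscannable archive should not pass the filter silently."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [{"member": None, "reason": "not a valid zip, unscannable"}]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) < 2 or "." + parts[-1] not in BLOCKED_EXTENSIONS:
                continue
            decoy = len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS
            findings.append({"member": info.filename,
                             "reason": "blocked extension" + (" masquerading as document" if decoy else "")})
    return findings

def should_block(data: bytes) -> bool:
    return bool(inspect_zip_attachment(data))

def build_sample_zip(with_lnk: bool = True) -> bytes:
    """Constructed sample attachment (not a real Fog sample): a benign PDF and,
    optionally, a shortcut file named to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        if with_lnk:
            zf.writestr("Invoice_2025.pdf.lnk", b"placeholder shortcut bytes")
    return buf.getvalue()

if __name__ == "__main__":
    for payload in (build_sample_zip(), build_sample_zip(with_lnk=False), b"garbage"):
        print(should_block(payload), inspect_zip_attachment(payload))
```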
Known Indicators of Compromise (IoCs)
SHA256 Hashes: the file hashes attributed to Fog ransomware, its process watchdog, the Syteca executable, Stowaway, and the Adaptix C2 beacon agent are enumerated in the YARA rule below.
Network IOCs
- IP: 66[.]112[.]216[.]232
- IP: 97[.]64[.]81[.]119
- Domain: amanda[.]protoflint[.]com
YARA Rule to Detect the Above SHA256 Hashes
import "hash"

rule Fog_Ransomware_and_Toolset_IOCs
{
    meta:
        description = "Detects SHA256 hashes related to Fog ransomware and associated tooling"
        author = "Cybersec Sentinel"
        date = "2025-06-14"
        version = "1.2"

    condition:
        // Whole-file hash match: exact copies only, any recompiled or padded sample will not match
        hash.sha256(0, filesize) == "181cf6f9b656a946e7d4ca7c7d8a5002d3d407b4e89973ecad60cee028ae5afa" or
        hash.sha256(0, filesize) == "90a027f44f7275313b726028eaaed46f6918210d3b96b84e7b1b40d5f51d7e85" or
        hash.sha256(0, filesize) == "f6cfd936a706ba56c3dcae562ff5f75a630ff5e25fcb6149fe77345afd262aab" or
        hash.sha256(0, filesize) == "fcf1da46d66cc6a0a34d68fe79a33bc3e8439affdee942ed82f6623586b01dd1" or
        hash.sha256(0, filesize) == "4d80c6fcd685961e60ba82fa10d34607d09dacf23d81105df558434f82d67a5e" or
        hash.sha256(0, filesize) == "8ed42a1223bfaec9676780137c1080d248af9ac71766c0a80bed6eb4a1b9b4f1" or
        hash.sha256(0, filesize) == "e1f571f4bc564f000f18a10ebb7ee7f936463e17ebff75a11178cc9fb855fca4" or
        hash.sha256(0, filesize) == "f1c22cbd2d13c58ff9bafae2af33c33d5b05049de83f94b775cdd523e393ec40" or
        hash.sha256(0, filesize) == "279f32c2bb367cc50e053fbd4b443f315823735a3d78ec4ee245860043f72406" or
        hash.sha256(0, filesize) == "b448321baae50220782e345ea629d4874cbd13356f54f2bbee857a90b5ce81f6" or
        hash.sha256(0, filesize) == "f37c62c5b92eecf177e3b7f98ac959e8a67de5f8721da275b6541437410ffae1" or
        hash.sha256(0, filesize) == "3d1d4259fc6e02599a912493dfb7e39bd56917d1073fdba3d66a96ff516a0982" or
        hash.sha256(0, filesize) == "982d840de531e72a098713fb9bd6aa8a4bf3ccaff365c0f647e8a50100db806d" or
        hash.sha256(0, filesize) == "fd9f6d828dea66ccc870f56ef66381230139e6d4d68e2e5bcd2a60cc835c0cc6" or
        hash.sha256(0, filesize) == "bb4f3cd0bc9954b2a59d6cf3d652e5994757b87328d51aa7b1c94086b9f89be0" or
        hash.sha256(0, filesize) == "13d70c27dfa36ba3ae1b10af6def9bf34de81f6e521601123a5fa5b20477f277" or
        hash.sha256(0, filesize) == "ba96c0399319848da3f9b965627a583882d352eb650b5f60149b46671753d7dd" or
        hash.sha256(0, filesize) == "44bb7d9856ba97271d8f37896071b72dfbed2d9fb6c70ac1e70247cddbd54490"
}
Mitigation and Prevention
User Awareness: Train employees to identify phishing attempts, especially ZIP attachments containing .lnk files
Email Filtering: Block uncommon file types like .lnk and scan compressed attachments
Antivirus Protection: Enable tamper protection and behavior-based detection on EDR/AV tools
Two-Factor Authentication (2FA): Mandatory for all VPN and RDP access
Monitor Logs: Review for use of unusual binaries (Syteca, 7-Zip uploads, PowerShell scripts like lootsubmit.ps1)
Regular Updates: Patch high-value systems (VPN, Exchange, Veeam) and monitor for exploit CVEs like CVE-2024-40766 and CVE-2024-40711
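The following Python is an added example, not tooling from the advisory or its sources: it applies the Monitor Logs mitigation to constructed JSON telemetry, matching the post-compromise behaviors listed under Functions and Attack Vectors (shadow copy deletion, the Syteca client, PsExec, lootsubmit.ps1, 7-Zip/MegaSync staging, and the .fog/.flocked extensions). The event schema, regexes and host names are assumptions, not observed data.

```python
import json
import re
# Rules for the post-compromise behaviors the advisory lists: (label, event_id,
# field, regex). Regexes are assumptions about how these tools usually appear in
# process-creation (event 1) / file-creation (event 11) telemetry; only the tool
# names, lootsubmit.ps1 and the .fog/.flocked extensions come from the advisory.
RULES = [(lbl, eid, fld, re.compile(rx, re.I)) for lbl, eid, fld, rx in [
    ("shadow_copy_deletion", 1, "cmdline", r"vssadmin.*delete.*shadows|wmic.*shadowcopy.*delete"),
    ("psexec_lateral_movement", 1, "image", r"\\psexe(c|svc)\.exe$"),
    ("loot_submission_script", 1, "cmdline", r"lootsubmit\.ps1"),
    ("syteca_monitoring_client", 1, "image", r"\\(syteca|ekran)[^\\]*\.exe$"),
    ("archive_or_cloud_exfil", 1, "image", r"\\(7z(a|g)?|megasync)\.exe$"),
    ("ransomware_extension", 11, "target", r"\.(fog|flocked)$"),
]]

def match_event(event: dict) -> list[str]:
    """Labels of every rule that a single telemetry event satisfies."""
    return [lbl for lbl, eid, fld, rx in RULES
            if event.get("event_id") == eid and rx.search(event.get(fld, ""))]

def scan_log(lines) -> dict[str, list[str]]:
    """Map host -> sorted labels seen. A malformed line is skipped, not fatal."""
    findings: dict[str, set[str]] = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        for lbl in match_event(event):
            findings.setdefault(event.get("host", "unknown"), set()).add(lbl)
    return {host: sorted(lbls) for host, lbls in findings.items()}

def hosts_at_encryption_stage(findings: dict[str, list[str]]) -> list[str]:
    """Hosts showing both backup destruction and Fog's encrypted-file extensions."""
    return sorted(h for h, lbls in findings.items()
                  if {"shadow_copy_deletion", "ransomware_extension"} <= set(lbls))

# Constructed sample telemetry (not from a real incident), one JSON event per line.
SAMPLE_LOG = r"""
{"host": "fs01", "event_id": 1, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"host": "fs01", "event_id": 11, "target": "C:\\Shares\\Finance\\Q2-forecast.xlsx.flocked"}
{"host": "ws17", "event_id": 1, "image": "C:\\ProgramData\\Syteca\\SytecaClient.exe", "cmdline": "SytecaClient.exe"}
{"host": "ws17", "event_id": 1, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\Users\\Public\\lootsubmit.ps1"}
{"host": "dc01", "event_id": 1, "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"}
this line is not JSON and must not abort the scan
{"host": "ws17", "event_id": 1, "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe a staging.7z D:\\Finance"}
"""
def scan_sample() -> dict[str, list[str]]:
    return scan_log(SAMPLE_LOG.strip().splitlines())
```

Hosts returned by hosts_at_encryption_stage are already past the point where the patching and access-control mitigations above can help; they are the ones to isolate first.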
Risk Assessment
Fog ransomware now represents a highly capable, advanced persistent threat to enterprise environments. With a broadening attack surface and tools mimicking those of state actors, this campaign marks a dangerous escalation from traditional ransomware. Its long dwell time, sophisticated obfuscation, and double-extortion strategy amplify its impact.
Threat Score: 🔴 High (8.0/10)
Conclusion
The latest Fog ransomware variant redefines the modern ransomware threat by integrating espionage-grade tactics and tools into its attack chain. Enterprises must elevate their threat models, focusing on visibility, behavior analytics, and strict access controls. Detection of such a hybrid campaign requires a proactive, threat-informed defense posture across the entire attack surface.
Sources:
Trend Micro – Fog Ransomware Concealed Within Trolling DOGE Binary Loader
Symantec Threat Hunter Team – Fog Ransomware: Unusual Toolset Used in Recent Attack
SC Media – Fog Ransomware Uses Legit Monitoring Software, Open-Source Tools