Credential Theft
- DonPAPI
- Veeam-Get-Creds
Fog ransomware is a ransomware family first observed in May 2024 and active through at least 2025.
Profile source: Mallory opens in a new tabFog
Fog ransomware is a ransomware family first observed in May 2024 and active through at least 2025. Reporting consistently describes it as a new ransomware strain, with some sources characterizing it as a variant of STOP/DJVU. It has been associated with double extortion in multiple reports, though early Arctic Wolf cases in May 2024 noted no observed data exfiltration. Fog has been linked operationally with Akira in several investigations, including shared tradecraft, overlapping infrastructure, and common exploitation of edge and backup technologies; one report also states Fog was distributed by Storm-0844, which has also propagated Akira.
Observed targeting includes U.S. education and recreation organizations, with Arctic Wolf reporting early May 2024 cases concentrated in those sectors, and Kroll reporting heavy targeting of higher education in the United States. Other reporting places Fog in broader opportunistic intrusions across multiple industries, including a financial institution in Asia where attackers deployed Fog alongside AdaptixC2. CERT Intrinsec also observed Fog among ransomware families affecting French organizations in 2025.
Initial access has repeatedly involved compromised or stolen VPN credentials and SSL VPN access. Multiple reports tie Fog intrusions to SonicWall SSL VPN accounts, with Arctic Wolf observing at least 30 Akira/Fog intrusions from early August through mid-October 2024 where SonicWall SSL VPN was early in the kill chain. Fog has also been linked to exploitation or abuse of SonicWall SonicOS CVE-2024-40766, including credential harvesting from SonicWall SSL VPN firewalls. Additional reporting links Fog attacks to exploitation of Veeam Backup & Replication servers via CVE-2024-40711, including Sophos tracking of cluster STAC 5881, where compromised VPN appliances were used for access and the Veeam flaw was used to create a local administrator account named "point" before deployment of Fog or Akira. Separate reporting states Akira and Fog used the Veeam flaw starting in October 2024.
Post-compromise behavior described across the sources includes pass-the-hash, brute forcing or credential stuffing of additional accounts, extraction of credentials from browsers and NTDS.dit, use of RDP for persistence, creation of new accounts, and use of tools such as PsExec, Metasploit, SoftPerfect Network Scanner, Advanced Port Scanner, SharpShares, Rclone, WinSCP, FileZilla, reverse SSH shells, and Veeam-Get-Creds.ps1. In some incidents, attackers disabled Windows Defender, deleted firewall logs, and used vssadmin.exe to delete shadow copies. Fog operators were reported to focus on virtual machine infrastructure and backups, including Hyper-V, VMware ESXi, and Veeam systems.
The ransomware itself has been described as encrypting a broad range of files, including VMDKs, deleting Veeam backups and Windows Volume Shadow Copies, appending .FOG or .FLOCKED extensions, and dropping a ransom note typically named "readme.txt" with a Tor-based negotiation site and chat interface. Arctic Wolf additionally reported a JSON configuration controlling encryption behavior, ransom note names, service shutdowns, and configured extensions. One report noted the payload creates DbgLog.sys in %AppData% and references NTDLL.DLL and NtQuerySystemInformation. Command-line options observed include NOMUTEX, TARGET, and CONSOLE. Encryption was described as using symmetric encryption with the symmetric key protected by asymmetric encryption.
Operationally, Fog has been characterized as fast-moving. Arctic Wolf reported encryption sometimes began within 1.5 to 2 hours of initial SSL VPN access, and other reporting states some Fog intrusions achieved full network encryption in under four hours. Known indicators and artifacts directly mentioned in the content include the local administrator account name "point" created in some Veeam-related intrusions, file extensions .FOG and .FLOCKED, ransom note name "readme.txt," creation of DbgLog.sys in %AppData%, and use of SonicWall log event IDs 238, 1080, and 1079 in observed SSL VPN intrusions.
Ransomware.live
Ransomware.live
da15ca8a6a316ee543ecc0cf4799700ecff6c948bfede2c14590bd5daacd96efd16ec8c2dc42401f3acea469c128d98121c244771422cf24ef49cdaf2b437c12f6359f375ae370e15bfef366f238ee15a8c09a3ad7a8faab7be4d46bbec4e01a8b157ad42fa665d263904052f56a009b470a328ad3705d0c6866a48912a3f718bcd51ee1df396f07af0b0a345a6dbaf4935d7db2557d62a55a23b6020d42351cExploited software
MITRE ATT&CK
Reporting
"... also used in Akira and Fog ransomware attacks starting in October 2024."
Fog ransomware accounts for another significant share, with some documented intrusions achieving full network encryption in under four hours.
The ransomware families observed included Akira, LockBit, Fog, Incransom, and Lynx.
A new ransomware variant called Fog has emerged as a significant threat to educational and recreation organizations across the United States. Starting in early May 2024, Arctic Wolf Labs began monitoring its deployment across multiple incident response cases, with 80 percent of affected organizations operating in the education sector while 20 percent were in recreation.
Related Posts: Fog & Akira Ransomware Exploit Critical Veeam RCE Flaw CVE-2024-40711 After PoC Release
Some cases in this cluster led to the deployment of Akira or Fog ransomware. Fog emerged earlier this year, first seen in May.
Some cases in this cluster led to the deployment of Akira or Fog ransomware. Fog emerged earlier this year, first seen in May.
This tactic seems to be getting employed by the Akira - as well as Fog - ransomware groups in their targeting of SonicWall SSL VPN firewalls.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.