Skip to content
Ransomware group

Fog

Fog ransomware is a ransomware family first observed in May 2024 and active through at least 2025.

Profile source: Mallory opens in a new tab

Fog

Family profile

Fog ransomware is a ransomware family first observed in May 2024 and active through at least 2025. Reporting consistently describes it as a new ransomware strain, with some sources characterizing it as a variant of STOP/DJVU. It has been associated with double extortion in multiple reports, though early Arctic Wolf cases in May 2024 noted no observed data exfiltration. Fog has been linked operationally with Akira in several investigations, including shared tradecraft, overlapping infrastructure, and common exploitation of edge and backup technologies; one report also states Fog was distributed by Storm-0844, which has also propagated Akira.

Observed targeting includes U.S. education and recreation organizations, with Arctic Wolf reporting early May 2024 cases concentrated in those sectors, and Kroll reporting heavy targeting of higher education in the United States. Other reporting places Fog in broader opportunistic intrusions across multiple industries, including a financial institution in Asia where attackers deployed Fog alongside AdaptixC2. CERT Intrinsec also observed Fog among ransomware families affecting French organizations in 2025.

Initial access has repeatedly involved compromised or stolen VPN credentials and SSL VPN access. Multiple reports tie Fog intrusions to SonicWall SSL VPN accounts, with Arctic Wolf observing at least 30 Akira/Fog intrusions from early August through mid-October 2024 where SonicWall SSL VPN was early in the kill chain. Fog has also been linked to exploitation or abuse of SonicWall SonicOS CVE-2024-40766, including credential harvesting from SonicWall SSL VPN firewalls. Additional reporting links Fog attacks to exploitation of Veeam Backup & Replication servers via CVE-2024-40711, including Sophos tracking of cluster STAC 5881, where compromised VPN appliances were used for access and the Veeam flaw was used to create a local administrator account named "point" before deployment of Fog or Akira. Separate reporting states Akira and Fog used the Veeam flaw starting in October 2024.

Post-compromise behavior described across the sources includes pass-the-hash, brute forcing or credential stuffing of additional accounts, extraction of credentials from browsers and NTDS.dit, use of RDP for persistence, creation of new accounts, and use of tools such as PsExec, Metasploit, SoftPerfect Network Scanner, Advanced Port Scanner, SharpShares, Rclone, WinSCP, FileZilla, reverse SSH shells, and Veeam-Get-Creds.ps1. In some incidents, attackers disabled Windows Defender, deleted firewall logs, and used vssadmin.exe to delete shadow copies. Fog operators were reported to focus on virtual machine infrastructure and backups, including Hyper-V, VMware ESXi, and Veeam systems.

The ransomware itself has been described as encrypting a broad range of files, including VMDKs, deleting Veeam backups and Windows Volume Shadow Copies, appending .FOG or .FLOCKED extensions, and dropping a ransom note typically named "readme.txt" with a Tor-based negotiation site and chat interface. Arctic Wolf additionally reported a JSON configuration controlling encryption behavior, ransom note names, service shutdowns, and configured extensions. One report noted the payload creates DbgLog.sys in %AppData% and references NTDLL.DLL and NtQuerySystemInformation. Command-line options observed include NOMUTEX, TARGET, and CONSOLE. Encryption was described as using symmetric encryption with the symmetric key protected by asymmetric encryption.

Operationally, Fog has been characterized as fast-moving. Arctic Wolf reported encryption sometimes began within 1.5 to 2 hours of initial SSL VPN access, and other reporting states some Fog intrusions achieved full network encryption in under four hours. Known indicators and artifacts directly mentioned in the content include the local administrator account name "point" created in some Veeam-related intrusions, file extensions .FOG and .FLOCKED, ransom note name "readme.txt," creation of DbgLog.sys in %AppData%, and use of SonicWall log event IDs 238, 1080, and 1079 in observed SSL VPN intrusions.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • DonPAPI
  • Veeam-Get-Creds

Discovery Enum

  • Advanced Port Scanner
  • SharpShares
  • SoftPerfect NetScan

LOLBAS

  • PsExec

Networking

  • Powercat
  • Proxychains

Offsec

  • Certipy
  • Impacket
  • Metasploit
  • NetExec
  • Orpheus
  • Sliver
  • Zer0dump

RMM Tools

  • AnyDesk

Ransomware.live

Published indicators

Full source record ↗

Md5

53 total
  • da15ca8a6a316ee543ecc0cf4799700e
  • cff6c948bfede2c14590bd5daacd96ef
  • d16ec8c2dc42401f3acea469c128d981
  • 21c244771422cf24ef49cdaf2b437c12
  • f6359f375ae370e15bfef366f238ee15
  • a8c09a3ad7a8faab7be4d46bbec4e01a
  • 8b157ad42fa665d263904052f56a009b
  • 470a328ad3705d0c6866a48912a3f718
  • bcd51ee1df396f07af0b0a345a6dbaf4
  • 935d7db2557d62a55a23b6020d42351c

Exploited software

Vulnerabilities linked to Fog

10 CVEs

MITRE ATT&CK

Fog in ATT&CK

8 distinct techniques

Reporting

Research mentioning Fog

Mar 12
Bleeping Computer

Veeam warns of critical flaws exposing backup servers to RCE attacks

"... also used in Akira and Fog ransomware attacks starting in October 2024."

Mar 2
Cyber Security News

Hackers Attacking SonicWall Firewalls from 4,000+ unique IP Addresses to Exploit Vulnerabilities

Fog ransomware accounts for another significant share, with some documented intrusions achieving full network encryption in under four hours.

Feb 24
Intrinsec

Rapport sur les incidents cyber et recommandations

The ransomware families observed included Akira, LockBit, Fog, Incransom, and Lynx.

Jan 9
Cyber Security News

Fog Ransomware Attacking US Organizations Leveraging Compromised VPN Credentials

A new ransomware variant called Fog has emerged as a significant threat to educational and recreation organizations across the United States. Starting in early May 2024, Arctic Wolf Labs began monitoring its deployment across multiple incident response cases, with 80 percent of affected organizations operating in the education sector while 20 percent were in recreation.

Jan 7
Security Online Info

Veeam Patches Critical RCE Flaws in Latest Backup & Replication Release

Related Posts: Fog & Akira Ransomware Exploit Critical Veeam RCE Flaw CVE-2024-40711 After PoC Release

Jan 1
Sophos Threat Research

VEEAM exploit seen used again with a new ransomware: “Frag” | SOPHOS

Some cases in this cluster led to the deployment of Akira or Fog ransomware. Fog emerged earlier this year, first seen in May.

Jan 1
Sophos Threat Research

VEEAM exploit seen used again with a new ransomware: “Frag” | SOPHOS

Some cases in this cluster led to the deployment of Akira or Fog ransomware. Fog emerged earlier this year, first seen in May.

Nov 28
Bank Info Security

Ransomware Moves: Supply Chain Hits, Credential Harvesting

This tactic seems to be getting employed by the Akira - as well as Fog - ransomware groups in their targeting of SonicWall SSL VPN firewalls.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.