frag-blog@proton.mefrag-blog@tutamail.com
Frag
Frag is a previously undocumented ransomware family observed by Sophos X-Ops in late 2024 and associated with threat activity cluster STAC 5881.
Profile source: Mallory opens in a new tabFrag
Family profile
Frag is a previously undocumented ransomware family observed by Sophos X-Ops in late 2024 and associated with threat activity cluster STAC 5881. In the reported incidents, the operators gained initial access via compromised VPN appliances and then exploited Veeam Backup & Replication remote code execution vulnerability CVE-2024-40711 on backup servers. The same cluster had previously deployed Akira and Fog ransomware, and Sophos and Agger Labs noted that Frag-related tradecraft overlaps with tactics seen in Akira- and Fog-associated activity, suggesting either a new ransomware actor using similar methods or operational overlap. In the Frag case, the attackers used the Veeam flaw to create local administrator accounts named "point" and "point2". Frag is a command-line ransomware that requires a parameter specifying the percentage of file encryption, supports targeting specific directories or individual files, and appends the .frag extension to encrypted files. Sophos reported that its CryptoGuard feature blocked Frag in the observed incident and that detection for the Frag binary was subsequently added. Reporting also characterizes Frag as a cheaply produced "junk gun" ransomware, possibly self-developed by criminals or acquired from an underground marketplace for roughly $375. High-confidence indicators and artifacts mentioned in the content include exploitation of CVE-2024-40711, creation of local accounts "point" and "point2," and encrypted files bearing the .frag extension. Targeting in the cited reporting centers on organizations running Veeam backup infrastructure, which ransomware actors commonly attack to enable lateral movement, data theft, and disruption of recovery by deleting or compromising backups.
Ransomware.live
Operational record
Ransomware.live
Published indicators
Exploited software
Vulnerabilities linked to Frag
1 CVEsMITRE ATT&CK
Frag in ATT&CK
5 distinct techniquesReporting
Research mentioning Frag
Veeam warns of critical flaws exposing backup servers to RCE attacks
"Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier ..."
VEEAM exploit seen used again with a new ransomware: “Frag” | SOPHOS
In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called “Frag”.
VEEAM exploit seen used again with a new ransomware: “Frag” | SOPHOS
In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called “Frag”.
OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos
“...Frag… Each documented 2 incidents…”
Veeam patches third critical RCE bug in Backup & Replication in space of a year
A month later noted that attacks using a new variant called Frag were also being launched using the same flaw.
New Veeam RCE flaw lets domain users hack backup servers
"...CVE-2024-40711 disclosed in September is now being exploited to deploy Frag ransomware."
The Sophos Annual Threat Report: Cybercrime on Main Street 2025
Frag appears to be a “junk gun” ransomware—crudely coded, cheap ransomware produced as an alternative to ransomware-as-a-service, and either developed by the cybercriminals themselves or obtained from an underground marketplace at an average price of $375.