Skip to content
Ransomware group

Frag

Frag is a previously undocumented ransomware family observed by Sophos X-Ops in late 2024 and associated with threat activity cluster STAC 5881.

Profile source: Mallory opens in a new tab

Frag

Family profile

Frag is a previously undocumented ransomware family observed by Sophos X-Ops in late 2024 and associated with threat activity cluster STAC 5881. In the reported incidents, the operators gained initial access via compromised VPN appliances and then exploited Veeam Backup & Replication remote code execution vulnerability CVE-2024-40711 on backup servers. The same cluster had previously deployed Akira and Fog ransomware, and Sophos and Agger Labs noted that Frag-related tradecraft overlaps with tactics seen in Akira- and Fog-associated activity, suggesting either a new ransomware actor using similar methods or operational overlap. In the Frag case, the attackers used the Veeam flaw to create local administrator accounts named "point" and "point2". Frag is a command-line ransomware that requires a parameter specifying the percentage of file encryption, supports targeting specific directories or individual files, and appends the .frag extension to encrypted files. Sophos reported that its CryptoGuard feature blocked Frag in the observed incident and that detection for the Frag binary was subsequently added. Reporting also characterizes Frag as a cheaply produced "junk gun" ransomware, possibly self-developed by criminals or acquired from an underground marketplace for roughly $375. High-confidence indicators and artifacts mentioned in the content include exploitation of CVE-2024-40711, creation of local accounts "point" and "point2," and encrypted files bearing the .frag extension. Targeting in the cited reporting centers on organizations running Veeam backup infrastructure, which ransomware actors commonly attack to enable lateral movement, data theft, and disruption of recovery by deleting or compromising backups.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Email

2 total
  • frag-blog@proton.me
  • frag-blog@tutamail.com

Exploited software

Vulnerabilities linked to Frag

1 CVEs

MITRE ATT&CK

Frag in ATT&CK

5 distinct techniques

Reporting

Research mentioning Frag

Mar 12
Bleeping Computer

Veeam warns of critical flaws exposing backup servers to RCE attacks

"Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier ..."

Jan 1
Sophos Threat Research

VEEAM exploit seen used again with a new ransomware: “Frag” | SOPHOS

In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called “Frag”.

Jan 1
Sophos Threat Research

VEEAM exploit seen used again with a new ransomware: “Frag” | SOPHOS

In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called “Frag”.

Aug 14
Dragos

OT Ransomware Trends: Q2 2025 Analysis & Insights | Dragos

“...Frag… Each documented 2 incidents…”

Jun 18
Register Security

Veeam patches third critical RCE bug in Backup & Replication in space of a year

A month later noted that attacks using a new variant called Frag were also being launched using the same flaw.

Jun 17
Bleeping Computer

New Veeam RCE flaw lets domain users hack backup servers

"...CVE-2024-40711 disclosed in September is now being exploited to deploy Frag ransomware."

Apr 16
Sophos Threat Research

The Sophos Annual Threat Report: Cybercrime on Main Street 2025

Frag appears to be a “junk gun” ransomware—crudely coded, cheap ransomware produced as an alternative to ransomware-as-a-service, and either developed by the cybercriminals themselves or obtained from an underground marketplace at an average price of $375.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.