Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Fog Ransomware

133
Global rank
74 infographic chevron month
Month rank
63 infographic chevron week
Week rank
0
IOCs

Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.

Ransomware
Type
Unknown
Origin
1 April, 2024
First seen
14 March, 2025
Last seen

How to analyze Fog Ransomware with ANY.RUN

Type
Unknown
Origin
1 April, 2024
First seen
14 March, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 334
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 444
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 599
comments 0

What is Fog malware?

Fog is a ransomware that was first noticed in April 2024 actively using compromised virtual private network (VPN) credentials to gain access to organization networks. It started with attacking educational and recreational sectors, later expanding on financial and manufacturing industries.

Fog turned out to be capable of encrypting files with alarming speed: the shortest time observed was 2 hours after appearing in the network. It encrypts data on the device and any mounted shares adding extensions such as .fog, .ffog, .flocked to the affected files.

Fog Ransomware note in the ANY.RUN Sandbox Fog analysis session the ANY.RUN sandbox and its ransom note

After infiltrating a network, Fog explores it to understand its topology and identify critical assets. Further it escalates privileges and moves laterally across the network to establish a strong foothold into it. Before encryption, valuable data gets exfiltrated to be used for double extortion tactics.

The malware generates a .txt note demanding a ransom for decrypting files and avoiding the publication of sensitive data.

Fog counters recovery efforts, deletes system volume shadow copies, and avoids detection both by security software and by users observing disruptions in the system’s functioning.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Fog malware

Fog is equipped with extensive capabilities:

  • For infiltration, uses compromised VPN credentials.
  • For Linux-based endpoints, weak SSH passwords or misconfigured network services are also exploited.
  • Once in the network, performs "pass-the-hash" attacks on administrator accounts, which are used to establish RDP connections to Windows servers running Hyper-V.
  • Disables Windows Defender to prevent alerting the victim before the execution of the encrypter.
  • Calls Windows API to gather information about the network, such as the number of available logical processors to allocate threads for a multi-threaded encryption routine.
  • Exploits Linux privilege escalation vulnerabilities (e.g., Dirty Pipe or Sudo-related flaws), misconfigured sudo privileges, or local exploits.
  • Establishes persistence by adding malicious system tasks, modifying startup scripts, or planting backdoors in binaries.
  • Terminates security services and processes from a list encoded in its config.
  • Attackers use legitimate remote access tools like AnyDesk to establish command-and-control (C2) communication.
  • A ransom note is copied to the affected directories. It contains a link to a Tor website with a chat interface for negotiations.

The Execution process of Fog

To see how Fog infects a system, we can upload its sample to ANY.RUN's Interactive Sandbox, which provides a safe virtual environment for detonating and analyzing malware and phishing threats.

Fog Ransomware MITRE in the ANY.RUN Sandbox TTP matrix of a Fog attack via Interactive Sandbox

Fog ransomware operates via a sophisticated execution chain that begins with the initial compromise of a target system. Attackers gain access by exploiting known vulnerabilities or purchasing compromised credentials from Initial Access Brokers.

Fog Ransomware process in the ANY.RUN Sandbox Fog’s malicious process that encrypts data and deletes copies viewed in ANY.RUN’s sandbox

Once inside the network, they conduct reconnaissance, scanning for valuable data and identifying potential encryption targets. This phase is crucial because it allows the attackers to map out the network and establish lateral movement paths to propagate the ransomware effectively.

Once executed, the malware begins encrypting files on both the local system and any mounted shares, appending extensions such as .fog, .ffog, or .flocked, making it evident the files have been compromised.

Additionally, it maintains a whitelist of files and directories to avoid rendering the system unusable, which could alert victims to its presence before it completes encryption. This careful planning allows the attackers to maximize damage while minimizing detection.

As part of its protocol, Fog generates a ransom note named readme.txt, which is distributed across affected systems. This note typically includes an introduction to the Fog group, details about the encryption process, and instructions on how victims can contact the attackers and arrange payment.

The speed at which Fog ransomware can execute its entire chain — from initial access to file encryption — is alarmingly rapid; some reports indicate that the process can occur in as little as two hours.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Threat Intelligence on Fog Ransomware

Gather Fog’s artifacts, IOCs, and TTPs to arm your defenses with fresh data backed by a community of security experts. You can get a list of sandbox reports featuring the most recent analyses of Fog samples.

TI Lookup from ANY.RUN supports over 40 search parameters, including IPs, domains, and file names.

Fog Ransomware search results the ANY.RUN's TI Lookup Fog analysis sessions listed by ANY.RUN’s Threat Intelligence Lookup

Use the threat name or related data like hash values or network connections as search queries to understand the malware's behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of Fog

For infiltration, it uses compromised VPN credentials leaked from at least two different VPN gateway vendors and bought on the dark market, weak SSH passwords, or misconfigured network services. Brute force attacks against remote desktop protocol (RDP) are also employed.

Use threat intelligence services like TI Lookup by ANY.RUN to gather relevant IOCs for setting up early detection and alerts in your security infrastructure.

Conclusion

Fog is a dangerous and sophisticated ransomware that promises companies operational disruption, financial losses and long-term damages to their business.

It accesses corporate networks by exploiting compromised VPN credentials. Fog strikes rapidly, and preventive measures must be taken to avoid an attack. Keep your security systems up to date and fine-tuned against topical attacks, use tools like ANY.RUN’s TI Lookup and Sandbox to gather threat intelligence and enforce your protection.

Sign up for a free ANY.RUN account to strengthen your security posture!

HAVE A LOOK AT

Raspberry Robin screenshot
Raspberry Robin
raspberryrobin
Raspberry Robin is a trojan that primarily spreads through infected USB drives and exploits legitimate Windows commands. This malware is known for its advanced obfuscation techniques, anti-debugging mechanisms, and ability to gain persistence on infected systems. Raspberry Robin often communicates with command-and-control servers over the TOR network and can download additional malicious payloads.
Read More
Ramnit screenshot
Ramnit
ramnit
Ramnit is a highly modular banking trojan and worm that evolved from a file-infecting virus into a powerful cybercrime tool. It specializes in financial fraud, credential theft, remote access, and malware delivery, being a serious threat to businesses and individuals. First spotted in 2010, Ramnit became popular after the 2014 takedown of the GameOver Zeus botnet, as cybercriminals sought alternatives for banking fraud.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More