Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Fog Ransomware

133
Global rank
75 infographic chevron month
Month rank
70 infographic chevron week
Week rank
0
IOCs

Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.

Ransomware
Type
Unknown
Origin
1 April, 2024
First seen
14 March, 2025
Last seen

How to analyze Fog Ransomware with ANY.RUN

Type
Unknown
Origin
1 April, 2024
First seen
14 March, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
New Pre-Installed Dev Tools for Deep Sandbox...
watchers 457
comments 0
post image
AI Safety: Key Threats and Solutions 
watchers 545
comments 0
post image
5 Common Evasion Techniques in Malware 
watchers 745
comments 0

What is Fog malware?

Fog is a ransomware that was first noticed in April 2024 actively using compromised virtual private network (VPN) credentials to gain access to organization networks. It started with attacking educational and recreational sectors, later expanding on financial and manufacturing industries.

Fog turned out to be capable of encrypting files with alarming speed: the shortest time observed was 2 hours after appearing in the network. It encrypts data on the device and any mounted shares adding extensions such as .fog, .ffog, .flocked to the affected files.

Fog Ransomware note in the ANY.RUN Sandbox Fog analysis session the ANY.RUN sandbox and its ransom note

After infiltrating a network, Fog explores it to understand its topology and identify critical assets. Further it escalates privileges and moves laterally across the network to establish a strong foothold into it. Before encryption, valuable data gets exfiltrated to be used for double extortion tactics.

The malware generates a .txt note demanding a ransom for decrypting files and avoiding the publication of sensitive data.

Fog counters recovery efforts, deletes system volume shadow copies, and avoids detection both by security software and by users observing disruptions in the system’s functioning.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Fog malware

Fog is equipped with extensive capabilities:

  • For infiltration, uses compromised VPN credentials.
  • For Linux-based endpoints, weak SSH passwords or misconfigured network services are also exploited.
  • Once in the network, performs "pass-the-hash" attacks on administrator accounts, which are used to establish RDP connections to Windows servers running Hyper-V.
  • Disables Windows Defender to prevent alerting the victim before the execution of the encrypter.
  • Calls Windows API to gather information about the network, such as the number of available logical processors to allocate threads for a multi-threaded encryption routine.
  • Exploits Linux privilege escalation vulnerabilities (e.g., Dirty Pipe or Sudo-related flaws), misconfigured sudo privileges, or local exploits.
  • Establishes persistence by adding malicious system tasks, modifying startup scripts, or planting backdoors in binaries.
  • Terminates security services and processes from a list encoded in its config.
  • Attackers use legitimate remote access tools like AnyDesk to establish command-and-control (C2) communication.
  • A ransom note is copied to the affected directories. It contains a link to a Tor website with a chat interface for negotiations.

The Execution process of Fog

To see how Fog infects a system, we can upload its sample to ANY.RUN's Interactive Sandbox, which provides a safe virtual environment for detonating and analyzing malware and phishing threats.

Fog Ransomware MITRE in the ANY.RUN Sandbox TTP matrix of a Fog attack via Interactive Sandbox

Fog ransomware operates via a sophisticated execution chain that begins with the initial compromise of a target system. Attackers gain access by exploiting known vulnerabilities or purchasing compromised credentials from Initial Access Brokers.

Fog Ransomware process in the ANY.RUN Sandbox Fog’s malicious process that encrypts data and deletes copies viewed in ANY.RUN’s sandbox

Once inside the network, they conduct reconnaissance, scanning for valuable data and identifying potential encryption targets. This phase is crucial because it allows the attackers to map out the network and establish lateral movement paths to propagate the ransomware effectively.

Once executed, the malware begins encrypting files on both the local system and any mounted shares, appending extensions such as .fog, .ffog, or .flocked, making it evident the files have been compromised.

Additionally, it maintains a whitelist of files and directories to avoid rendering the system unusable, which could alert victims to its presence before it completes encryption. This careful planning allows the attackers to maximize damage while minimizing detection.

As part of its protocol, Fog generates a ransom note named readme.txt, which is distributed across affected systems. This note typically includes an introduction to the Fog group, details about the encryption process, and instructions on how victims can contact the attackers and arrange payment.

The speed at which Fog ransomware can execute its entire chain — from initial access to file encryption — is alarmingly rapid; some reports indicate that the process can occur in as little as two hours.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Threat Intelligence on Fog Ransomware

Gather Fog’s artifacts, IOCs, and TTPs to arm your defenses with fresh data backed by a community of security experts. You can get a list of sandbox reports featuring the most recent analyses of Fog samples.

TI Lookup from ANY.RUN supports over 40 search parameters, including IPs, domains, and file names.

Fog Ransomware search results the ANY.RUN's TI Lookup Fog analysis sessions listed by ANY.RUN’s Threat Intelligence Lookup

Use the threat name or related data like hash values or network connections as search queries to understand the malware's behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of Fog

For infiltration, it uses compromised VPN credentials leaked from at least two different VPN gateway vendors and bought on the dark market, weak SSH passwords, or misconfigured network services. Brute force attacks against remote desktop protocol (RDP) are also employed.

Use threat intelligence services like TI Lookup by ANY.RUN to gather relevant IOCs for setting up early detection and alerts in your security infrastructure.

Conclusion

Fog is a dangerous and sophisticated ransomware that promises companies operational disruption, financial losses and long-term damages to their business.

It accesses corporate networks by exploiting compromised VPN credentials. Fog strikes rapidly, and preventive measures must be taken to avoid an attack. Keep your security systems up to date and fine-tuned against topical attacks, use tools like ANY.RUN’s TI Lookup and Sandbox to gather threat intelligence and enforce your protection.

Sign up for a free ANY.RUN account to strengthen your security posture!

HAVE A LOOK AT

Botnet screenshot
Botnet
botnet
A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet.
Read More
Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More