Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

Fog Ransomware

131
Global rank
83 infographic chevron month
Month rank
132 infographic chevron week
Week rank
0
IOCs

Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.

Ransomware
Type
Unknown
Origin
1 April, 2024
First seen
11 February, 2025
Last seen

How to analyze Fog Ransomware with ANY.RUN

Type
Unknown
Origin
1 April, 2024
First seen
11 February, 2025
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Instant URL Analysis: Use Safebrowsing via AN...
watchers 538
comments 0
post image
Cyber Attacks on DeepSeek AI: What Really Hap...
watchers 1407
comments 0
post image
Release Notes: System Updates, New YARA and S...
watchers 4983
comments 0

What is Fog malware?

Fog is a ransomware that was first noticed in April 2024 actively using compromised virtual private network (VPN) credentials to gain access to organization networks. It started with attacking educational and recreational sectors, later expanding on financial and manufacturing industries.

Fog turned out to be capable of encrypting files with alarming speed: the shortest time observed was 2 hours after appearing in the network. It encrypts data on the device and any mounted shares adding extensions such as .fog, .ffog, .flocked to the affected files.

Fog Ransomware note in the ANY.RUN Sandbox Fog analysis session the ANY.RUN sandbox and its ransom note

After infiltrating a network, Fog explores it to understand its topology and identify critical assets. Further it escalates privileges and moves laterally across the network to establish a strong foothold into it. Before encryption, valuable data gets exfiltrated to be used for double extortion tactics.

The malware generates a .txt note demanding a ransom for decrypting files and avoiding the publication of sensitive data.

Fog counters recovery efforts, deletes system volume shadow copies, and avoids detection both by security software and by users observing disruptions in the system’s functioning.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Fog malware

Fog is equipped with extensive capabilities:

  • For infiltration, uses compromised VPN credentials.
  • For Linux-based endpoints, weak SSH passwords or misconfigured network services are also exploited.
  • Once in the network, performs "pass-the-hash" attacks on administrator accounts, which are used to establish RDP connections to Windows servers running Hyper-V.
  • Disables Windows Defender to prevent alerting the victim before the execution of the encrypter.
  • Calls Windows API to gather information about the network, such as the number of available logical processors to allocate threads for a multi-threaded encryption routine.
  • Exploits Linux privilege escalation vulnerabilities (e.g., Dirty Pipe or Sudo-related flaws), misconfigured sudo privileges, or local exploits.
  • Establishes persistence by adding malicious system tasks, modifying startup scripts, or planting backdoors in binaries.
  • Terminates security services and processes from a list encoded in its config.
  • Attackers use legitimate remote access tools like AnyDesk to establish command-and-control (C2) communication.
  • A ransom note is copied to the affected directories. It contains a link to a Tor website with a chat interface for negotiations.

The Execution process of Fog

To see how Fog infects a system, we can upload its sample to ANY.RUN's Interactive Sandbox, which provides a safe virtual environment for detonating and analyzing malware and phishing threats.

Fog Ransomware MITRE in the ANY.RUN Sandbox TTP matrix of a Fog attack via Interactive Sandbox

Fog ransomware operates via a sophisticated execution chain that begins with the initial compromise of a target system. Attackers gain access by exploiting known vulnerabilities or purchasing compromised credentials from Initial Access Brokers.

Fog Ransomware process in the ANY.RUN Sandbox Fog’s malicious process that encrypts data and deletes copies viewed in ANY.RUN’s sandbox

Once inside the network, they conduct reconnaissance, scanning for valuable data and identifying potential encryption targets. This phase is crucial because it allows the attackers to map out the network and establish lateral movement paths to propagate the ransomware effectively.

Once executed, the malware begins encrypting files on both the local system and any mounted shares, appending extensions such as .fog, .ffog, or .flocked, making it evident the files have been compromised.

Additionally, it maintains a whitelist of files and directories to avoid rendering the system unusable, which could alert victims to its presence before it completes encryption. This careful planning allows the attackers to maximize damage while minimizing detection.

As part of its protocol, Fog generates a ransom note named readme.txt, which is distributed across affected systems. This note typically includes an introduction to the Fog group, details about the encryption process, and instructions on how victims can contact the attackers and arrange payment.

The speed at which Fog ransomware can execute its entire chain — from initial access to file encryption — is alarmingly rapid; some reports indicate that the process can occur in as little as two hours.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Threat Intelligence on Fog Ransomware

Gather Fog’s artifacts, IOCs, and TTPs to arm your defenses with fresh data backed by a community of security experts. You can get a list of sandbox reports featuring the most recent analyses of Fog samples.

TI Lookup from ANY.RUN supports over 40 search parameters, including IPs, domains, and file names.

Fog Ransomware search results the ANY.RUN's TI Lookup Fog analysis sessions listed by ANY.RUN’s Threat Intelligence Lookup

Use the threat name or related data like hash values or network connections as search queries to understand the malware's behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of Fog

For infiltration, it uses compromised VPN credentials leaked from at least two different VPN gateway vendors and bought on the dark market, weak SSH passwords, or misconfigured network services. Brute force attacks against remote desktop protocol (RDP) are also employed.

Use threat intelligence services like TI Lookup by ANY.RUN to gather relevant IOCs for setting up early detection and alerts in your security infrastructure.

Conclusion

Fog is a dangerous and sophisticated ransomware that promises companies operational disruption, financial losses and long-term damages to their business.

It accesses corporate networks by exploiting compromised VPN credentials. Fog strikes rapidly, and preventive measures must be taken to avoid an attack. Keep your security systems up to date and fine-tuned against topical attacks, use tools like ANY.RUN’s TI Lookup and Sandbox to gather threat intelligence and enforce your protection.

Sign up for a free ANY.RUN account to strengthen your security posture!

HAVE A LOOK AT

DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Arechclient2 screenshot
Arechclient2
arechclient2
The Arechclient2 malware is a sophisticated .NET-based Remote Access Trojan (RAT) that collects sensitive information, such as browser credentials, from infected computers. It employs various stealth techniques, including Base64 encoding to obscure its code and the ability to pause activities to evade automated security tools. The malware also can adjust Windows Defender settings and uses code injection to manipulate legitimate processes.
Read More
Remcos screenshot
Remcos
remcos trojan rat stealer
Remcos is a RAT type malware that attackers use to perform actions on infected machines remotely. This malware is extremely actively caped up to date with updates coming out almost every single month.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Gh0st RAT screenshot
Gh0st RAT
gh0st
Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More