Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Fog Ransomware

163
Global rank
147 infographic chevron month
Month rank
162 infographic chevron week
Week rank
0
IOCs

Fog is a ransomware strain that locks and steals sensitive information both on Windows and Linux endpoints. The medial ransom demand is $220,000. The medial payment is $100,000. First spotted in the spring of 2024, it was used to attack educational organizations in the USA, later expanding on other sectors and countries. Main distribution method — compromised VPN credentials.

Ransomware
Type
Unknown
Origin
1 April, 2024
First seen
10 June, 2026
Last seen

How to analyze Fog Ransomware with ANY.RUN

Type
Unknown
Origin
1 April, 2024
First seen
10 June, 2026
Last seen

IOCs

Last Seen at

Recent blog posts

post image
Hidden Infrastructure Exposed: ANY.RUN Reveal...
watchers 4232
comments 0
post image
​​Kratos PhaaS Targets US and EU: How to Redu...
watchers 8849
comments 0
post image
US Threat Landscape Alert: 30 Active Malware...
watchers 7132
comments 0

What is Fog malware?

Fog is a ransomware that was first noticed in April 2024 actively using compromised virtual private network (VPN) credentials to gain access to organization networks. It started with attacking educational and recreational sectors, later expanding on financial and manufacturing industries.

Fog turned out to be capable of encrypting files with alarming speed: the shortest time observed was 2 hours after appearing in the network. It encrypts data on the device and any mounted shares adding extensions such as .fog, .ffog, .flocked to the affected files.

Fog Ransomware note in the ANY.RUN Sandbox Fog analysis session the ANY.RUN sandbox and its ransom note

After infiltrating a network, Fog explores it to understand its topology and identify critical assets. Further it escalates privileges and moves laterally across the network to establish a strong foothold into it. Before encryption, valuable data gets exfiltrated to be used for double extortion tactics.

The malware generates a .txt note demanding a ransom for decrypting files and avoiding the publication of sensitive data.

Fog counters recovery efforts, deletes system volume shadow copies, and avoids detection both by security software and by users observing disruptions in the system’s functioning.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Technical details of Fog malware

Fog is equipped with extensive capabilities:

  • For infiltration, uses compromised VPN credentials.
  • For Linux-based endpoints, weak SSH passwords or misconfigured network services are also exploited.
  • Once in the network, performs "pass-the-hash" attacks on administrator accounts, which are used to establish RDP connections to Windows servers running Hyper-V.
  • Disables Windows Defender to prevent alerting the victim before the execution of the encrypter.
  • Calls Windows API to gather information about the network, such as the number of available logical processors to allocate threads for a multi-threaded encryption routine.
  • Exploits Linux privilege escalation vulnerabilities (e.g., Dirty Pipe or Sudo-related flaws), misconfigured sudo privileges, or local exploits.
  • Establishes persistence by adding malicious system tasks, modifying startup scripts, or planting backdoors in binaries.
  • Terminates security services and processes from a list encoded in its config.
  • Attackers use legitimate remote access tools like AnyDesk to establish command-and-control (C2) communication.
  • A ransom note is copied to the affected directories. It contains a link to a Tor website with a chat interface for negotiations.

The Execution process of Fog

To see how Fog infects a system, we can upload its sample to ANY.RUN's Interactive Sandbox, which provides a safe virtual environment for detonating and analyzing malware and phishing threats.

Fog Ransomware MITRE in the ANY.RUN Sandbox TTP matrix of a Fog attack via Interactive Sandbox

Fog ransomware operates via a sophisticated execution chain that begins with the initial compromise of a target system. Attackers gain access by exploiting known vulnerabilities or purchasing compromised credentials from Initial Access Brokers.

Fog Ransomware process in the ANY.RUN Sandbox Fog’s malicious process that encrypts data and deletes copies viewed in ANY.RUN’s sandbox

Once inside the network, they conduct reconnaissance, scanning for valuable data and identifying potential encryption targets. This phase is crucial because it allows the attackers to map out the network and establish lateral movement paths to propagate the ransomware effectively.

Once executed, the malware begins encrypting files on both the local system and any mounted shares, appending extensions such as .fog, .ffog, or .flocked, making it evident the files have been compromised.

Additionally, it maintains a whitelist of files and directories to avoid rendering the system unusable, which could alert victims to its presence before it completes encryption. This careful planning allows the attackers to maximize damage while minimizing detection.

As part of its protocol, Fog generates a ransom note named readme.txt, which is distributed across affected systems. This note typically includes an introduction to the Fog group, details about the encryption process, and instructions on how victims can contact the attackers and arrange payment.

The speed at which Fog ransomware can execute its entire chain — from initial access to file encryption — is alarmingly rapid; some reports indicate that the process can occur in as little as two hours.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Threat Intelligence on Fog Ransomware

Gather Fog’s artifacts, IOCs, and TTPs to arm your defenses with fresh data backed by a community of security experts. You can get a list of sandbox reports featuring the most recent analyses of Fog samples.

TI Lookup from ANY.RUN supports over 40 search parameters, including IPs, domains, and file names.

Fog Ransomware search results the ANY.RUN's TI Lookup Fog analysis sessions listed by ANY.RUN’s Threat Intelligence Lookup

Use the threat name or related data like hash values or network connections as search queries to understand the malware's behavior.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Distribution methods of Fog

For infiltration, it uses compromised VPN credentials leaked from at least two different VPN gateway vendors and bought on the dark market, weak SSH passwords, or misconfigured network services. Brute force attacks against remote desktop protocol (RDP) are also employed.

Use threat intelligence services like TI Lookup by ANY.RUN to gather relevant IOCs for setting up early detection and alerts in your security infrastructure.

Conclusion

Fog is a dangerous and sophisticated ransomware that promises companies operational disruption, financial losses and long-term damages to their business.

It accesses corporate networks by exploiting compromised VPN credentials. Fog strikes rapidly, and preventive measures must be taken to avoid an attack. Keep your security systems up to date and fine-tuned against topical attacks, use tools like ANY.RUN’s TI Lookup and Sandbox to gather threat intelligence and enforce your protection.

Sign up for a free ANY.RUN account to strengthen your security posture!

HAVE A LOOK AT

Phobos screenshot
Phobos
phobos ransomware
Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
FatalRAT screenshot
FatalRAT
fatalrat
FatalRAT is a malware that gives hackers remote access and control of the system and lets them steal sensitive information like login credentials and financial data. FatalRAT has been associated with cyber espionage campaigns, particularly targeting organizations in the Asia-Pacific (APAC) region.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Neptune RAT screenshot
Neptune RAT is a Visual Basic .NET remote access trojan that gives attackers full control over infected Windows machines while stealing credentials from 270+ applications, hijacking cryptocurrency transactions, spying on victims in real time, and, in its most destructive mode, wiping the operating system entirely. Marketed openly on GitHub, Telegram, and YouTube as the "Most Advanced RAT," it is distributed under a malware-as-a-service model.
Read More
Miolab Stealer screenshot
Miolab Stealer is a macOS malware threat designed to steal user credentials and sensitive files without raising immediate suspicion. It relies on fake system prompts and legitimate built-in tools to make malicious actions look routine. Instead of causing obvious disruption, it quietly collects valuable data and prepares it for exfiltration from the device. By blending deception with trusted macOS behavior, it increases the chance that the attack will go unnoticed in its early stages. This makes early behavioral detection critical before the theft of credentials and files is complete.
Read More