February 27, 2025
Threat Profile: Understanding FOG Ransomware
In 2024, law enforcement agencies ramped up their operations against cybercrime, striking hard at sophisticated ransomware groups and disrupting major dark web operations.
High-profile actions, including Operation Cronos against LockBit, the dismantling of Warzone RAT infrastructure, the seizure of the Nemesis darknet marketplace, and the shutdown of Russian communications networks, redefined the global fight against illicit cyber activities.
Against this backdrop, new ransomware groups and strains continue to emerge. One such threat is FOG ransomware. First detected in April 2024, FOG ransomware was observed targeting US educational institutions, taking advantage of under-resourced IT departments and compromised VPN systems.
More recently, researchers have observed a change in how FOG is being used, with its operators increasingly focusing on financial businesses. Financial institutions, which handle highly sensitive data and cannot endure extended downtime without repercussions, represent an attractive target.
How FOG Ransomware Operates
FOG functions as a multi-faceted extortion tool that uses a Tor-based data leak site to publish victim lists and host data stolen from organisations that do not meet the threat actor's ransom demands.
FOG ransomware binaries are available for both Windows and Linux platforms. The Linux versions are tailored for virtual environments—targeting VMware file formats such as VMSD (snapshot metadata) and VMDK (virtual disks)—and include payloads that attempt to terminate virtualisation-specific processes, which releases the locks those processes hold on the disk files so they can be encrypted.
The Windows variants, by contrast, delete volume shadow copies using the conventional method of invoking built-in utilities such as vssadmin.exe, and carry their configuration as an embedded JSON section.
FOG offers operators the flexibility to customise critical parameters, including the file extension appended to encrypted files, the naming of ransom notes, the specific processes and services to be terminated, and the RSA public key used during encryption.
FOG’s Tactics
Threat actors using FOG rely heavily on third-party tools and cloud services for data exfiltration, and the leak site supports double extortion. FOG's activity indicates a preference for fast execution, with little dwell time before encryption begins.
Key tactics include:
• Initial Access: The group targets weak or stolen VPN credentials to breach network defences.
• Privilege Escalation: Pass-the-hash attacks, which reuse captured NTLM password hashes without cracking them, are used to gain administrative control.
• Defence Evasion: Security tools such as Windows Defender are disabled to avoid detection.
• Encryption and Disruption: Files are encrypted—often with extensions like “.FOG” or “.FLOCKED”—while backups and volume shadow copies are deleted to hinder recovery.
• Ransom Note Deployment: Infected systems receive a “readme.txt” file with instructions for negotiation via a Tor site.
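As an added example (not code from the original post or from any FOG sample), the following Python turns the tactics listed above into detection logic and runs it over constructed Sysmon-style process-creation and file-creation events. The vssadmin.exe shadow-copy deletion, the ".FOG"/".FLOCKED" extensions and the "readme.txt" note are taken from the profile; the wmic shadowcopy form, the specific Set-MpPreference/sc commands used to represent Defender tampering, and all host names, users, image paths and share names are assumptions made for the example.

```python
"""Added example: FOG-style tactics as detection rules over constructed
Sysmon-like JSON events (Event ID 1 = process creation, Event ID 11 = file
creation). Hosts, users, paths and commands below are invented sample data."""
import json
import re
from collections import Counter, defaultdict

# vssadmin shadow deletion, .fog/.flocked extensions and readme.txt come from
# the threat profile. The wmic form and the concrete Defender-disabling commands
# are generic assumptions; the profile does not say how FOG disables Defender.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
DEFENDER_TAMPER = re.compile(
    r"(Set-MpPreference\b.*-Disable\w+|sc(\.exe)?\s+(stop|config)\s+WinDefend\b|DisableAntiSpyware)", re.I)
ENCRYPTED_EXT = re.compile(r"\.(fog|flocked)$", re.I)
RANSOM_NOTE = "readme.txt"


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def _dirname(path):
    return path[: len(path) - len(_basename(path))]


def analyse(log_lines, encrypted_threshold=5, note_threshold=3):
    """Return {host: [(finding, evidence), ...]} for hosts showing FOG-like activity.

    Process-creation indicators fire on a single event; file-creation indicators
    are volume based, because one renamed file or one readme.txt is noise while
    many across several directories on one host is not."""
    findings = defaultdict(list)
    encrypted = Counter()          # host -> files given a FOG extension
    note_dirs = defaultdict(set)   # host -> directories a readme.txt landed in
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        host = ev["host"]
        if ev["event_id"] == 1:                      # process creation
            cmd = ev.get("cmd", "")
            if SHADOW_DELETE.search(cmd):
                findings[host].append(("shadow_copy_deletion", cmd))
            if DEFENDER_TAMPER.search(cmd):
                findings[host].append(("defender_tampering", cmd))
        elif ev["event_id"] == 11:                   # file creation
            target = ev.get("target", "")
            if ENCRYPTED_EXT.search(target):
                encrypted[host] += 1
            if _basename(target).lower() == RANSOM_NOTE:
                note_dirs[host].add(_dirname(target).lower())
    for host, n in encrypted.items():
        if n >= encrypted_threshold:
            findings[host].append(("mass_encryption", f"{n} files renamed to .fog/.flocked"))
    for host, dirs in note_dirs.items():
        if len(dirs) >= note_threshold:
            findings[host].append(("ransom_note_drop", f"readme.txt in {len(dirs)} directories"))
    return dict(findings)


def severity(host_findings):
    """'critical' when preparation (shadow/Defender) and encryption both appear."""
    kinds = {k for k, _ in host_findings}
    prep = kinds & {"shadow_copy_deletion", "defender_tampering"}
    enc = kinds & {"mass_encryption", "ransom_note_drop"}
    if prep and enc:
        return "critical"
    if prep or enc:
        return "high"
    return "info"


# Constructed sample telemetry. FS01 shows the full chain; WS07 is benign
# (listing shadows and saving a single readme.txt must not fire).
SAMPLE_LOGS = [
    r'{"host":"FS01","event_id":1,"user":"CORP\\jdoe","image":"C:\\Windows\\System32\\vssadmin.exe","cmd":"vssadmin.exe delete shadows /all /quiet"}',
    r'{"host":"FS01","event_id":1,"user":"CORP\\jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true"}',
    r'{"host":"WS07","event_id":1,"user":"CORP\\bsmith","image":"C:\\Windows\\System32\\vssadmin.exe","cmd":"vssadmin.exe list shadows"}',
    r'{"host":"WS07","event_id":11,"user":"CORP\\bsmith","image":"C:\\Windows\\System32\\notepad.exe","target":"C:\\Users\\bsmith\\Desktop\\readme.txt"}',
    r'{"host":"WS07","event_id":11,"user":"CORP\\bsmith","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","target":"C:\\Users\\bsmith\\Documents\\fog_study.docx"}',
]
for share in ("Finance", "HR", "Legal"):
    for name in ("q1.xlsx.fog", "q2.xlsx.fog", RANSOM_NOTE):
        SAMPLE_LOGS.append(json.dumps({
            "host": "FS01", "event_id": 11, "user": "CORP\\jdoe",
            "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\locker.exe",  # invented image name
            "target": f"C:\\Shares\\{share}\\{name}"}))

if __name__ == "__main__":
    for host, items in analyse(SAMPLE_LOGS).items():
        print(f"{host}: {severity(items)}")
        for kind, evidence in items:
            print(f"  {kind}: {evidence}")
```

Only FS01 is reported: its vssadmin deletion and Defender tampering fire on single events, and the six renamed files across three shares plus readme.txt in three directories cross the volume thresholds, giving a "critical" rating. WS07's "vssadmin list shadows" and lone readme.txt are correctly ignored. The thresholds and the Defender patterns are starting points to tune against your own estate; the point of the rule is correlating preparation (shadow deletion, security tooling disabled) with encryption artefacts on the same host, which matches FOG's short dwell time.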
How to Defend Against FOG Ransomware
To mitigate the threat posed by FOG ransomware, organisations must implement a robust, multi-layered security strategy. Here are recommendations from Adarma’s Threat Intelligence Team:
Reinforce Authentication:
Mandate multi-factor authentication for all user accounts, particularly for remote access endpoints, to prevent unauthorised entry even if login details are compromised.
Keep Systems Current:
Consistently apply security patches to all software and network tools, including VPN systems, to close vulnerabilities that attackers might exploit.
Educate Your Workforce:
Regularly train employees on recognising phishing attempts and other social engineering tactics. An informed team is key to reducing the risk of initial compromise.
Deploy Advanced Endpoint Security:
Utilise modern endpoint detection and response solutions that can swiftly identify and neutralise suspicious activity, such as lateral movement and data exfiltration.
Segment and Secure Networks:
Divide your network into isolated segments and adopt a Zero Trust framework. This limits the spread of an infection and ensures continuous verification of every device and user.
Conduct Regular, Secure Backups:
Perform frequent backups of essential data and store these copies in secure, offline locations. This provides a recovery path without the need to pay a ransom.
Monitor for Anomalies:
Continuously track network traffic to spot irregular communication patterns or interactions with known malicious servers, enabling early detection and intervention.
Restrict Administrative Access:
Limit admin privileges to only those who absolutely require them, and routinely review access rights to minimise opportunities for privilege escalation.
Prepare a Response Plan:
Develop a detailed incident response strategy for ransomware events and test it regularly to ensure rapid and effective recovery in the event of an attack.
Integrate Advanced Security Tools:
Leverage AI-driven analytics, Extended Detection and Response (XDR), and Security Information and Event Management systems to enhance your organisation’s ability to detect and respond to threats in real time.
How Adarma Can Help
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. We protect organisations in the FTSE 350, including those in CNI and other regulated sectors. We offer effective threat detection and incident response, acting as an extension of your team to enhance your security posture and optimise your security investments for maximum risk reduction.
Our approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations catering to our customers’ security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Let’s Talk
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of 'Cyber Insiders,' our C-suite publication that explores the state of the threat landscape, emerging cyber threats, and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.