Fog
Fog is a ransomware threat actor/operation first observed in May 2024, with activity beginning in Q1 2024 and increasing in Q2 2024. Reporting describes Fog as a new ransomware group that heavily targeted U.S. higher education institutions and, by January 2025, had claimed 100 victims, notably in technology, education, manufacturing, and transportation. Fog is described as an active and rapidly evolving ransomware threat, with some reporting noting likely recruitment of affiliates from BlackCat and LockBit. Fog conducts double extortion, using third-party tools and cloud services for data exfiltration and threatening publication on its data leak site if victims do not pay.

Its ransomware has been observed encrypting a wide range of files, including VMDKs, deleting Veeam backups and Windows Volume Shadow Copies, and appending .FOG or .FLOCKED extensions. It typically drops a ransom note named readme.txt that directs victims to a Tor-based negotiation site with chat functionality. Kroll reported that an analyzed Fog sample lacked built-in exfiltration and persistence mechanisms, indicating those functions are handled outside the core encryptor.

Observed Fog tradecraft includes initial access via compromised VPN credentials and valid accounts, especially SonicWall SSL VPN accounts, as well as exploitation of vulnerabilities affecting SonicWall SonicOS and Veeam Backup & Replication. Reporting specifically links Fog to exploitation or use of CVE-2024-40766 on SonicWall SonicOS and CVE-2024-40711 on Veeam Backup & Replication. Reporting also states that Fog and other ransomware groups have actively exploited previous SonicWall vulnerabilities and that CISA KEV-listed vulnerabilities have been exploited by Fog. In observed intrusions, the time from initial access to encryption was often only hours; some documented intrusions achieved full network encryption in under four hours.
Post-compromise behavior attributed to Fog includes pass-the-hash, brute forcing user accounts, custom PowerShell scripts, extraction of passwords from browsers and NTDS.dit, RDP-based persistence, possible credential stuffing, creation of new user accounts, use of FileZilla and reverse SSH shells, deployment of Metasploit and PsExec, use of Advanced Port Scanner, SoftPerfect Network Scanner, SharpShares, LOLBins, Mimikatz, secretsdump.py, DPAPI domain backup key extraction, Veeam-Get-Creds.ps1, Rclone, and WinSCP, and deletion of firewall logs and shadow copies.

Multiple sources note operational links between Fog and Akira. Chainalysis identified links between Akira and Fog based on shared laundering behavior, and TRM Labs connected Fog with Akira and Frag through shared Defiway bridge laundering infrastructure. Additional reporting states that Akira and Fog shared some VPS/IP infrastructure in SonicWall-related intrusions. One source also describes Fog as linked to Akira and Conti. No nation-state attribution is reported. Known alias: FOG.
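As an added example that is not part of this profile or of Mallory's tooling, the following toy detector scores constructed Sysmon-style events for the host-level Fog behaviors described above: shadow copy deletion, mass renames to .FOG/.FLOCKED, and a readme.txt drop. The event tuple layout, the vssadmin/wmic command forms used as shadow-copy-deletion signals, and the rename threshold are assumptions, not values from the profile.

```python
import re
from collections import defaultdict

# Constructed sample events (host, event_type, detail); not real telemetry.
EVENTS = [
    ("SRV1", "process", "vssadmin.exe delete shadows /all /quiet"),
    ("SRV1", "file", r"C:\Data\q1.xlsx.FOG"),
    ("SRV1", "file", r"C:\Data\q2.xlsx.FOG"),
    ("SRV1", "file", r"C:\Data\readme.txt"),
    ("WS7", "file", r"C:\Users\a\notes.txt"),
    ("WS7", "process", "notepad.exe"),
]

# Signals drawn from the tradecraft in the profile. The exact shadow-copy
# deletion command lines are assumed common Windows forms, not Fog-specific.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
FOG_EXT = re.compile(r"\.(fog|flocked)$", re.I)      # .FOG / .FLOCKED suffix
RANSOM_NOTE = re.compile(r"[\\/]readme\.txt$", re.I)  # note name from profile


def score_hosts(events, rename_threshold=2):
    """Return {host: (score, reasons)} for hosts showing any Fog-like signal.

    A single .FOG rename below rename_threshold is ignored so that one odd
    filename does not raise an alert on its own.
    """
    hits = defaultdict(lambda: {"shadow": 0, "renames": 0, "note": 0})
    for host, kind, detail in events:
        h = hits[host]
        if kind == "process" and SHADOW_DELETE.search(detail):
            h["shadow"] += 1
        elif kind == "file":
            if FOG_EXT.search(detail):
                h["renames"] += 1
            if RANSOM_NOTE.search(detail):
                h["note"] += 1
    results = {}
    for host, h in hits.items():
        reasons = []
        if h["shadow"]:
            reasons.append("shadow copies deleted")
        if h["renames"] >= rename_threshold:
            reasons.append(f"{h['renames']} files renamed to .FOG/.FLOCKED")
        if h["note"]:
            reasons.append("readme.txt ransom note dropped")
        if reasons:
            results[host] = (len(reasons), reasons)
    return results


if __name__ == "__main__":
    for host, (score, reasons) in score_hosts(EVENTS).items():
        print(f"{host}: score {score}; " + "; ".join(reasons))
```

Because the profile notes intrusions reaching full encryption in under four hours, a real deployment would evaluate these signals in short sliding windows rather than over a whole day's log.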
Tradecraft
7 distinct techniques observed across reporting, grouped by tactic.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Named as one of several ransomware operations weaponizing a critical Veeam Backup & Replication RCE flaw in attacks.
Referenced as a ransomware group operationally linked to Akira through shared laundering infrastructure.
Referenced as a ransomware group actively exploiting CISA Known Exploited Vulnerabilities.
Ransomware group reported using a Veeam Backup & Replication (VBR) remote code execution vulnerability in attacks starting in October 2024.