Frag
Frag is a previously undocumented ransomware family observed by Sophos X-Ops in late 2024 and associated with the threat activity cluster STAC 5881. In the reported incidents, the operators gained initial access via compromised VPN appliances and then exploited CVE-2024-40711, a remote code execution vulnerability in Veeam Backup & Replication, on backup servers. The same cluster had previously deployed Akira and Fog ransomware, and Sophos and Agger Labs noted that Frag-related tradecraft overlaps with tactics seen in Akira- and Fog-associated activity, suggesting either a new ransomware actor using similar methods or operational overlap. In the Frag case, the attackers used the Veeam flaw to create local administrator accounts named "point" and "point2". Frag is a command-line ransomware that requires a parameter specifying a file-encryption percentage, supports targeting specific directories or individual files, and appends the .frag extension to encrypted files. Sophos reported that its CryptoGuard feature blocked Frag in the observed incident and that detection for the Frag binary was added afterwards. Reporting also characterizes Frag as cheaply produced "junk gun" ransomware, possibly self-developed by the criminals or acquired from an underground marketplace for roughly $375. High-confidence indicators and artifacts in the cited reporting are exploitation of CVE-2024-40711, creation of the local accounts "point" and "point2", and encrypted files bearing the .frag extension. Targeting in the cited reporting centers on organizations running Veeam backup infrastructure, which ransomware actors commonly attack to enable lateral movement, steal data, and disrupt recovery by deleting or compromising backups.
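The indicators above (local accounts "point" and "point2" created on a backup server, files renamed with a .frag extension) are concrete enough to hunt for. The following is an added example, not code from Mallory or Sophos: it runs those two checks over constructed, hypothetical key=value telemetry (Windows Security event 4720 and EDR file-rename events) and raises confidence when the full account pair from the reporting appears on one host.

```python
from typing import Dict, Iterable, List, Set

# Indicators from the reporting above: the local accounts created through the
# Veeam flaw and the extension appended to encrypted files.
SUSPICIOUS_ACCOUNTS = {"point", "point2"}
FRAG_EXTENSION = ".frag"

# Constructed sample telemetry (hypothetical, not real logs). Each line is a
# flat key=value record: Windows Security 4720 (user account created) events
# and file-rename events from an assumed EDR feed.
SAMPLE_EVENTS = """\
source=winsec event_id=4720 host=veeam-bkp01 target_user=point subject_user=svc_veeam
source=winsec event_id=4720 host=veeam-bkp01 target_user=point2 subject_user=svc_veeam
source=winsec event_id=4720 host=hr-ws07 target_user=jsmith subject_user=Administrator
source=edr event=file_rename host=fs01 path=D:\\shares\\finance\\q3.xlsx.frag
source=edr event=file_rename host=fs01 path=D:\\shares\\finance\\q3-old.xlsx
source=edr event=file_rename host=fs01 path=D:\\shares\\hr\\payroll.csv.frag
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict (values contain no spaces here)."""
    return dict(field.split("=", 1) for field in line.split())


def hunt(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per indicator hit. Account hits start at 'medium'
    and become 'high' when both reported names were created on the same host."""
    findings: List[Dict[str, str]] = []
    accounts_by_host: Dict[str, Set[str]] = {}
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_event(raw)
        user = ev.get("target_user", "").lower()
        if ev.get("event_id") == "4720" and user in SUSPICIOUS_ACCOUNTS:
            accounts_by_host.setdefault(ev["host"], set()).add(user)
            findings.append({"indicator": "account_creation", "host": ev["host"],
                             "detail": ev["target_user"], "confidence": "medium"})
        elif ev.get("event") == "file_rename" and ev.get("path", "").lower().endswith(FRAG_EXTENSION):
            findings.append({"indicator": "frag_extension", "host": ev["host"],
                             "detail": ev["path"], "confidence": "high"})
    for f in findings:  # upgrade when the complete account pair is present
        if f["indicator"] == "account_creation" and accounts_by_host.get(f["host"]) == SUSPICIOUS_ACCOUNTS:
            f["confidence"] = "high"
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Real deployments would map the same two checks onto the field names of their own SIEM schema; the logic is unchanged.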
Hunt this family in your stack
Vulnerabilities exploited
One CVE has been correlated with this family across public research and vendor advisories.
Sophos: "The vulnerability, CVE-2024-40711, was used as part of a threat activity cluster we named STAC 5881. Attacks leveraged compromised VPN appliances for access and used the VEEAM vulnerability to create a new local administrator account named “point”. Some cases in this cluster led to the deployment of Akira or Fog ransomware."

Sophos: "In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called “Frag”."
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 1 technique
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Ransomware reported to have exploited a Veeam Backup & Replication (VBR) remote code execution vulnerability as part of attacks starting in October 2024.
Previously undocumented ransomware executed from the command line with parameters including a required file-encryption percentage; attackers can specify directories or individual files to encrypt, and encrypted files receive a .frag extension.
Ransomware operation referenced as low-volume persistent activity in Q2 2025 (no additional detail provided).