Fog

Fog ransomware is a ransomware family first observed in May 2024 and active through at least 2025. Reporting consistently describes it as a new ransomware strain, with some sources characterizing it as a variant of STOP/DJVU. It has been associated with double extortion in multiple reports, though early Arctic Wolf cases in May 2024 noted no observed data exfiltration. Fog has been linked operationally with Akira in several investigations, including shared tradecraft, overlapping infrastructure, and common exploitation of edge and backup technologies; one report also states Fog was distributed by Storm-0844, which has also propagated Akira.

Observed targeting includes U.S. education and recreation organizations, with Arctic Wolf reporting early May 2024 cases concentrated in those sectors, and Kroll reporting heavy targeting of higher education in the United States. Other reporting places Fog in broader opportunistic intrusions across multiple industries, including a financial institution in Asia where attackers deployed Fog alongside AdaptixC2. CERT Intrinsec also observed Fog among ransomware families affecting French organizations in 2025.

Initial access has repeatedly involved compromised or stolen VPN credentials and SSL VPN access. Multiple reports tie Fog intrusions to SonicWall SSL VPN accounts, with Arctic Wolf observing at least 30 Akira/Fog intrusions from early August through mid-October 2024 where SonicWall SSL VPN was early in the kill chain. Fog has also been linked to exploitation or abuse of SonicWall SonicOS CVE-2024-40766, including credential harvesting from SonicWall SSL VPN firewalls. Additional reporting links Fog attacks to exploitation of Veeam Backup & Replication servers via CVE-2024-40711, including Sophos tracking of cluster STAC 5881, where compromised VPN appliances were used for access and the Veeam flaw was used to create a local administrator account named "point" before deployment of Fog or Akira. Separate reporting states Akira and Fog used the Veeam flaw starting in October 2024.

Post-compromise behavior described across the sources includes pass-the-hash, brute forcing or credential stuffing of additional accounts, extraction of credentials from browsers and NTDS.dit, use of RDP for persistence, creation of new accounts, and use of tools such as PsExec, Metasploit, SoftPerfect Network Scanner, Advanced Port Scanner, SharpShares, Rclone, WinSCP, FileZilla, reverse SSH shells, and Veeam-Get-Creds.ps1. In some incidents, attackers disabled Windows Defender, deleted firewall logs, and used vssadmin.exe to delete shadow copies. Fog operators were reported to focus on virtual machine infrastructure and backups, including Hyper-V, VMware ESXi, and Veeam systems.

The ransomware itself has been described as encrypting a broad range of files, including VMDKs, deleting Veeam backups and Windows Volume Shadow Copies, appending .FOG or .FLOCKED extensions, and dropping a ransom note typically named "readme.txt" with a Tor-based negotiation site and chat interface. Arctic Wolf additionally reported a JSON configuration controlling encryption behavior, ransom note names, service shutdowns, and configured extensions. One report noted the payload creates DbgLog.sys in %AppData% and references NTDLL.DLL and NtQuerySystemInformation. Command-line options observed include NOMUTEX, TARGET, and CONSOLE. Encryption was described as using symmetric encryption with the symmetric key protected by asymmetric encryption.

Operationally, Fog has been characterized as fast-moving. Arctic Wolf reported encryption sometimes began within 1.5 to 2 hours of initial SSL VPN access, and other reporting states some Fog intrusions achieved full network encryption in under four hours. Known indicators and artifacts directly mentioned in the content include the local administrator account name "point" created in some Veeam-related intrusions, file extensions .FOG and .FLOCKED, ransom note name "readme.txt," creation of DbgLog.sys in %AppData%, and use of SonicWall log event IDs 238, 1080, and 1079 in observed SSL VPN intrusions.