{
	"id": "2397258b-96c7-4e56-8e8f-9ae4b0047350",
	"created_at": "2026-04-06T00:18:13.439115Z",
	"updated_at": "2026-04-10T03:21:40.535836Z",
	"deleted_at": null,
	"sha1_hash": "6070faed2bb79860685e1f59382a56008d9fe35b",
	"title": "FOG Ransomware Targets Higher Education",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140380,
	"plain_text": "FOG Ransomware Targets Higher Education\r\nBy Sarah Becker, Marc Messer, Dan Cox\r\nPublished: 2024-08-20 · Archived: 2026-04-02 11:14:46 UTC\r\nIn Q2 2024, the Kroll Cyber Threat Intelligence (CTI) Team observed an increase in activity around a new ransomware group named FOG. FOG was first observed in May 2024 and has since heavily targeted higher education institutions in the U.S., gaining access through compromised VPN credentials. Kroll's review of a recent FOG binary (1.exe) found no exfiltration or persistence mechanisms built into the binary itself. FOG is known to use third-party tools and cloud services for exfiltration during attacks, which has often led to double extortion to put more pressure on victims to pay the ransom. Double extortion is a tactic in which threat actors both encrypt and exfiltrate data, increasing the likelihood that a victim will pay. At the time of writing, FOG operates a data leak site where it threatens to post, and eventually publishes, victims' stolen data if a ransom is not paid.\r\nTTPs\r\nBelow are some key tactics, techniques and procedures (TTPs) the Kroll CTI Team has observed during investigations involving FOG ransomware:\r\nInitial Access\r\nFOG ransomware has been observed leveraging compromised VPN credentials or other valid user credentials for initial access.\r\nPrivilege Escalation\r\nAfter breaching a network, FOG operators have been observed using \"pass-the-hash\" attacks against administrator accounts. Brute forcing of user accounts, custom PowerShell scripts, and extraction of passwords from user browsers and from the Active Directory database file (NTDS.dit) are also used to escalate privileges.\r\nPersistence\r\nTo maintain persistence, the group establishes Remote Desktop Protocol (RDP) connections to Windows servers. FOG may also use credential stuffing to hijack additional user accounts and even create new user accounts solely for persistence. The group has also used FileZilla and reverse SSH shells to keep a foothold on the system.\r\nEnumeration\r\nThe group is known to deploy Metasploit and PsExec across multiple hosts. Kroll has also observed the use of Advanced Port Scanner, LOLBins, SharpShares and SoftPerfect Network Scanner to gather data.\r\nEvasion\r\nOn compromised Windows servers, the attackers disabled Windows Defender and multiple other processes and services to avoid detection before deploying the ransomware. FOG then used Windows API calls to gather system information and terminate further specific processes and services. The ransomware encrypts a wide variety of files, including Virtual Machine Disks (VMDKs), and deletes Veeam backups and Windows Volume Shadow Copies before appending the .FOG or .FLOCKED extension to encrypted files.\r\nRansomware\r\nOnce the ransomware has executed and files have been encrypted, a ransom note, typically named \"readme.txt\", is left in affected directories with instructions on how to pay for decryption. The note includes a link to a Tor site for negotiations, which features a chat interface for discussing the ransom and providing proof of stolen files. Ransom demands vary and may reach multiple hundreds of thousands of dollars for larger organizations.\r\nExfiltration\r\nWhen exfiltrating data, the group has been known to use 7-Zip, WinRAR and third-party cloud services.\r\nMalware Analysis\r\nOur Malware Analysis and Reverse Engineering Team recently reviewed a FOG binary (1.exe). In this sample, no exfiltration or persistence mechanisms were observed integrated into the binary. The ransomware can be executed with a number of flags, such as:\r\nid [string identifying the target]\r\nnomutex [specified so multiple instances of the malware can run simultaneously]\r\nprocoff [stops the processes listed in the config under ShutdownProcesses]\r\nuncoff [disables network share enumeration and encryption]\r\nsize [integer, specifies AES block size]\r\nconsole [saves console output to DbgLog.sys]\r\ntarget [path for encryption/enumeration]\r\nWithin the configuration file, several other values can be specified:\r\nRSAPubKey [RSA public key used for encryption]\r\nLockedExt [extension appended to encrypted files]\r\nNotefileName [ransom note file name]\r\nShutdownProcesses [processes to stop prior to encryption]\r\nShutdownServices [services to stop prior to encryption]\r\nWhen executed, the malware goes through a few steps:\r\nA file named DbgLog.sys is created in the directory from which the sample is executed. This file records information about the malware as it executes, saving the console output as debugging information.\r\nSystem information enumerating the available drives and processors is then queried, and a number of threads is assigned accordingly. Shadow volumes are then deleted via \"vssadmin.exe delete shadows /all /quiet\".\r\nDuring execution, files are encrypted with symmetric encryption. A symmetric key is generated at runtime, and this key is then encrypted with an asymmetric key. As a result, the threat actor's private key is necessary to recover the symmetric key for decryption. The Windows API calls used for this are largely reached by resolving functions via the Process Environment Block (PEB), which somewhat hides the functionality: the pointer to each function is resolved at runtime rather than through a direct import of the API function.\r\nRansom notes named \"readme.txt\" are dropped in each directory containing encrypted files.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/fog-ransomware-targets-higher-education",
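Added example (not part of the Kroll article and not FOG's own code): a small Go triage routine that turns the host-level behaviour the article describes into detections. It consumes constructed Sysmon-style NDJSON records (EventID 1 process creation, EventID 11 file creation; the field names and all sample events are this example's assumptions, not real telemetry) and flags the shadow-copy wipe via vssadmin.exe, the DbgLog.sys file dropped in the working directory, files written with the .FOG or .FLOCKED extension, and readme.txt appearing in several directories at once. The three-directory threshold for the ransom-note rule is an arbitrary choice for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Event is a minimal Sysmon-style record (field names assumed for this example):
// EventID 1 = process creation, EventID 11 = file creation.
type Event struct {
	EventID        int    `json:"EventID"`
	Image          string `json:"Image,omitempty"`
	CommandLine    string `json:"CommandLine,omitempty"`
	TargetFilename string `json:"TargetFilename,omitempty"`
}

// Finding names the rule that fired and the evidence that triggered it.
type Finding struct {
	Rule     string
	Evidence string
}

// Extensions the article reports FOG appending, compared case-insensitively.
var lockedExts = map[string]bool{".fog": true, ".flocked": true}

// NoteSprayThreshold: distinct directories receiving readme.txt before we alert.
const NoteSprayThreshold = 3

// SampleEvents is a constructed NDJSON log (not real telemetry). The benign
// "list shadows" and notepad++ records must not fire.
const SampleEvents = `
{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe list shadows"}
{"EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe  Delete Shadows /All /Quiet"}
{"EventID":11,"Image":"C:\\Users\\Public\\1.exe","TargetFilename":"C:\\Users\\Public\\DbgLog.sys"}
{"EventID":11,"Image":"C:\\Users\\Public\\1.exe","TargetFilename":"D:\\VMs\\fileserver.vmdk.FOG"}
{"EventID":11,"Image":"C:\\Users\\Public\\1.exe","TargetFilename":"D:\\Finance\\ledger.xlsx.FLOCKED"}
{"EventID":11,"Image":"C:\\Users\\Public\\1.exe","TargetFilename":"D:\\VMs\\readme.txt"}
{"EventID":11,"Image":"C:\\Users\\Public\\1.exe","TargetFilename":"D:\\Finance\\readme.txt"}
{"EventID":11,"Image":"C:\\Users\\Public\\1.exe","TargetFilename":"D:\\HR\\readme.txt"}
{"EventID":11,"Image":"C:\\Program Files\\Notepad++\\notepad++.exe","TargetFilename":"C:\\Users\\alice\\report.docx"}
`

// Windows paths are handled by hand so this also runs on a non-Windows analysis box.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func dirName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[:i]
	}
	return ""
}

func extLower(p string) string {
	b := baseName(p)
	if i := strings.LastIndex(b, "."); i >= 0 {
		return strings.ToLower(b[i:])
	}
	return ""
}

// ParseEvents decodes newline-delimited JSON into events.
func ParseEvents(ndjson string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		out = append(out, e)
	}
	return out, nil
}

// isShadowDeletion matches the wipe the article quotes ("vssadmin.exe delete
// shadows /all /quiet") regardless of casing or extra spaces.
func isShadowDeletion(e Event) bool {
	if e.EventID != 1 || !strings.EqualFold(baseName(e.Image), "vssadmin.exe") {
		return false
	}
	cl := strings.ToLower(e.CommandLine)
	return strings.Contains(cl, "delete") && strings.Contains(cl, "shadows") && strings.Contains(cl, "/all")
}

// Triage applies the four rules and returns every finding.
func Triage(events []Event) []Finding {
	var findings []Finding
	noteDirs := map[string]bool{}
	for _, e := range events {
		switch {
		case isShadowDeletion(e):
			findings = append(findings, Finding{"shadow_copy_deletion", e.CommandLine})
		case e.EventID == 11 && strings.EqualFold(baseName(e.TargetFilename), "DbgLog.sys"):
			findings = append(findings, Finding{"debug_log_dropped", e.TargetFilename})
		case e.EventID == 11 && lockedExts[extLower(e.TargetFilename)]:
			findings = append(findings, Finding{"locked_extension", e.TargetFilename})
		case e.EventID == 11 && strings.EqualFold(baseName(e.TargetFilename), "readme.txt"):
			noteDirs[strings.ToLower(dirName(e.TargetFilename))] = true
		}
	}
	if len(noteDirs) >= NoteSprayThreshold {
		findings = append(findings, Finding{"ransom_note_spray",
			fmt.Sprintf("readme.txt written to %d directories", len(noteDirs))})
	}
	return findings
}

// RuleNames returns the sorted rule names of a set of findings.
func RuleNames(fs []Finding) []string {
	names := make([]string, 0, len(fs))
	for _, f := range fs {
		names = append(names, f.Rule)
	}
	sort.Strings(names)
	return names
}

func main() {
	events, err := ParseEvents(SampleEvents)
	if err != nil {
		panic(err)
	}
	for _, f := range Triage(events) {
		fmt.Printf("%-22s %s\n", f.Rule, f.Evidence)
	}
}
```

Run against the constructed log, the shadow-copy rule fires once, the DbgLog.sys rule once, the extension rule twice and the note-spray rule once; "vssadmin.exe list shadows" is not flagged because legitimate administration uses vssadmin too, so the rule keys on the delete verb rather than the binary alone. In production the extension rule should key on rename events as well as creates, and the note-spray threshold should be tuned to how many directories a single process normally writes to.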
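Added example (not part of the Kroll article and not a reimplementation of FOG): the hybrid key scheme the Malware Analysis section describes, written in Go to show why the operator's private key is the only route to recovery. A fresh symmetric key is generated per run, the data is encrypted under it, and the key itself is encrypted under an RSA public key of the kind a config value such as RSAPubKey would carry. The concrete primitives (AES-256-GCM for the data, RSA-OAEP with SHA-256 for the key wrap) and the locally generated operator key pair are this example's assumptions; the article only states that a runtime symmetric key is wrapped with an asymmetric key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Locked is everything left on disk after the scheme runs. The public key
// that produced WrappedKey cannot undo it; only the matching private key can.
type Locked struct {
	WrappedKey []byte // RSA-OAEP(pubKey, dataKey)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-256-GCM(dataKey, plaintext)
}

// Lock generates a 256-bit symmetric key at runtime, encrypts plaintext with
// it, then wraps that key under the operator's RSA public key. The plaintext
// key never needs to be stored, which is what makes the scheme one-way for
// the victim.
func Lock(pub *rsa.PublicKey, plaintext []byte) (Locked, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Locked{}, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return Locked{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Locked{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Locked{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return Locked{}, err
	}
	// The only copy of the data key is discarded here; from now on it exists
	// solely inside WrappedKey.
	for i := range dataKey {
		dataKey[i] = 0
	}
	return Locked{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock is the decryptor the operator sells: unwrap the data key with the
// RSA private key, then decrypt. A wrong private key fails at the unwrap
// step, and a tampered ciphertext fails GCM authentication.
func Unlock(priv *rsa.PrivateKey, l Locked) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, l.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: private key does not match")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, l.Nonce, l.Ciphertext, nil)
}

// Demo walks the scheme end to end with a constructed plaintext and a key
// pair generated on the spot to stand in for the operator's.
func Demo() error {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	locked, err := Lock(&operator.PublicKey, []byte("constructed sample: enrollment export 2024"))
	if err != nil {
		return err
	}
	// A second key pair models a defender or analyst who holds the binary and
	// its embedded public key but not the operator's private key.
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	if _, err := Unlock(other, locked); err == nil {
		return errors.New("unexpected: recovered without the operator's private key")
	}
	recovered, err := Unlock(operator, locked)
	if err != nil {
		return err
	}
	fmt.Printf("recovered with operator key: %s\n", recovered)
	return nil
}

func main() {
	if err := Demo(); err != nil {
		panic(err)
	}
}
```

The practical point for responders is in what Lock leaves behind: the embedded public key and the wrapped key in each file are useless for recovery, so analysis of the binary does not yield a decryptor; only a flaw in the implementation (for example reusing or leaking the data key) would, and the article reports none. That is why offline backups that survive the shadow-copy and Veeam deletions described above are the realistic recovery path.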
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/fog-ransomware-targets-higher-education"
	],
	"report_names": [
		"fog-ransomware-targets-higher-education"
	],
	"threat_actors": [],
	"ts_created_at": 1775434693,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6070faed2bb79860685e1f59382a56008d9fe35b.pdf",
		"text": "https://archive.orkl.eu/6070faed2bb79860685e1f59382a56008d9fe35b.txt",
		"img": "https://archive.orkl.eu/6070faed2bb79860685e1f59382a56008d9fe35b.jpg"
	}
}