On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector.

We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.

About Fog Ransomware

Starting in early May, the Arctic Wolf Incident Response team began investigating cases involving the deployment of the Fog ransomware variant against US organizations in the education and recreation sectors.

We refer to Fog as a ransomware variant rather than a group to distinguish between the entities responsible for creating the encryptor software and those conducting the hands-on-keyboard attacks against victims. This is a critical distinction because ransomware groups sometimes project an image of being a singular group when they are in fact composed of independent affiliate groups. At this time, the organizational structure of the group or groups responsible for carrying out attacks deploying Fog ransomware is unknown.

In each of the cases investigated, forensic evidence indicated that threat actors were able to access victim environments by leveraging compromised VPN credentials. Notably, the remote access occurred through two separate VPN gateway vendors. The last documented threat activity in our cases occurred on May 23, 2024.

Early in one of the cases, pass-the-hash activity was observed against administrator accounts which were subsequently used to establish RDP connections to Windows Servers running Hyper-V and Veeam. In another case, evidence of credential stuffing was observed, which was thought to facilitate lateral movement throughout the environment. In all cases, PsExec was deployed to several hosts, and RDP/SMB were used to access targeted hosts.

On Windows Servers that the threat actors interacted with, Windows Defender was disabled by the threat actors. Threat actors were observed encrypting VMDK files in VM storage and deleting backups from object storage in Veeam. Threat actors left behind ransom notes on affected systems and deployed a functionally identical ransomware payload in all cases. Other than a unique chat code, the ransom notes were identical. Other than the .onion address used for communication between the victim and threat actor, we have not observed an additional dark web presence such as a data leak site.

Technical Analysis

Ransomware Payload

The ransomware encryptor binary exhibits common techniques that are typically leveraged in other ransomware variants. The samples we analyzed from different cases contained many similarities, including identical functional code blocks and instructions, indicating that they were compiled from the same source code.

When the sample first executes, it attempts to create a new file called DbgLog.sys in the special directory %AppData%. The DbgLog.sys file is populated with log lines indicating the status and error conditions of the ransomware as each technique is executed.

During the initialization routine, the sample references NTDLL.DLL and the function NtQuerySystemInformation. Notably, the NT API is part of the Windows internal APIs and is typically recommended not to be called directly since it can change with each version of Windows. The NtQuerySystemInformation function allows the caller to obtain information about the current system’s physical details such as the number of logical processors available. This information can be useful when determining how many threads the multi-threaded encryption routine should allocate.

Once the initialization routine is complete, the command line arguments are checked for specific options:

  • NOMUTEX: Does not create a mutex, this will allow multiple versions of the ransomware to execute at the same time.
  • TARGET: Specific location to begin discovery.
  • CONSOLE: Create a new console window for the calling process and attach the standard output and error.

Further customization is present in the sample via a JSON based configuration block. The following configurable options will control what activities takes place pre and post encryption:

  • RSAPubKey: Embedded public key used for encryption
  • LockedExt: Post encryption file extension
  • NotefileName: Name of the ransomware note
  • ShutdownProcesses: Ensures the processes are terminated prior to encrypting
  • ShutdownServices: Ensures the services are stopped prior to encrypting

Volumes, network resources, and files are discovered using the standard Windows APIs such as: FindFirstVolume, WNetOpenEnum and FindFirstFile. The Unicode variants of these functions were used in each case.

Using the system information discovered earlier, the sample configures a thread pool dedicated to encrypting all the discovered files. This thread pool uses the logical processor information with a minimum number of two processors and a maximum number of sixteen processors. The deprecated Windows APIs for CryptImportKey and the CryptEncrypt are called during the process.

Once the encryption is complete, the file extension is added to each file using the Unicode version of the MoveFile Windows API and the LockedExt option, in the cases observed the extensions .FOG and .FLOCKED were configured.  A ransom note is written to the disk using the configured Notefilename option located in the configuration block, in the cases observed the note file was named readme.txt.

Before the sample terminates, the volume shadow copy is deleted by creating a new process via the CreateProcess function with the command line: vssadmin.exe delete shadows /all /quiet. By deleting the volume shadow copy using the /all switch, the sample will delete all the specified volume’s shadow copies, and the /quiet switch will ensure no messages are displayed during the deletion.

Tactics, Techniques, and Procedures (TTPs)

Tactic Technique Sub-techniques or Tools
Initial Access T1133: External Remote Services  
T1078: Valid Accounts • Compromised VPN Credentials
Discovery T1046: Network Service Discovery • SoftPerfect Network Scanner
• Advanced Port Scanner
T1135: Network Share Discovery • SharpShares
Lateral Movement T1021: Remote Services • T1021.001: Remote Desktop Protocol
• T1021.002: SMB/Windows Admin Shares
T1570: Lateral Tool Transfer • PsExec
Credential Access T1003: OS Credential Dumping • T1003.003: NTDS
T1555: Credentials from Password Stores • PowerShell script (Veeam-Get-Creds.ps1) to obtain passwords from the Veeam Backup and Replication Credentials Manager
T1110: Brute Force • T1110.004: Credential Stuffing
Persistence T1136: Create Account • T1136.001: Local Account (Administrator)
Execution T1059: Command and Scripting Interpreter • T1059.003: Windows Command Shell
T1569: System Services • T1569.002: Service Execution (PsExec)
Defense Evasion T1562: Impair Defenses • T1562.001: Disable or Modify Tools (Windows Defender/AV)
T1550: Use Alternate Authentication Material • T1550.002: Pass the Hash
T1078: Valid Accounts  
T1140: Deobfuscate/Decode Files or Information  
T1070: Indicator Removal • T1070.004: File Deletion
Impact T1486: Data Encrypted for Impact  
T1490: Inhibit System Recovery • vssadmin.exe used to delete volume shadow copies on the system
T1489: Service Stop  


Name Description
PsExec A tool that allows threat actors to execute processes on other systems with full interactivity for console applications. The threat actor leveraged PsExec to move laterally and execute commands.
Metasploit Penetration testing framework. Metasploit usage was detected against a Veaam server.
SoftPerfect Network Scanner Network administration tool for Windows, macOS, and Linux. The threat actor used SoftPerfect to discover network services.
Advanced Port Scanner Free network and port scanner. The threat actor used Advanced Port Scanner to discover network services.
SharpShares An open-source tool used to enumerate accessible network shares. The threat actor used SharpShares v2.3 to discover network shares.
Veeam-Get-Creds.ps1 An open-source PowerShell script used by the threat actor to obtain passwords from the Veeam Backup and Replication Credentials Manager

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk with its customers, and when active ransomware campaigns are identified we move quickly to protect our customers.

Arctic Wolf Labs has leveraged threat intelligence around Fog ransomware to implement new detections in the Arctic Wolf Platform to protect Managed Detection and Response (MDR) customers. As we discover any new information, we will enhance our detections to account for additional indicators of compromise and techniques leveraged by this threat actor.


While few details are known about the threat actors involved, the shared functional code blocks between ransomware payloads suggest that the same source code was shared between the payloads. This may implicate the involvement of a common entity between the cases. On the other hand, despite similarities, evidence tying together the cases under a single threat actor is not conclusive.

The threat actors in the cases described here show an interest in rapid encryption of VM storage data and ransom payment for decryption of that data. Diverging from common practice in most ransomware intrusions, the threat actors were not observed to exfiltrate data from hosts being encrypted.

Considering the short duration between initial intrusion and encryption, the threat actors appear more interested in a quick payout as opposed to exacting a more complex attack involving data exfiltration and a high-profile leak site. This evidence, along with known victimology, suggests that the threat actors are financially motivated and primarily target the education sector.

Although the tactics employed in these cases are fairly typical of ransomware activity, these threats serve as a reminder of the importance of secure, off-site backup infrastructure and defense-in-depth to render attacks impotent as early as possible.


Indicators of Compromise (IoCs)

Indicator Type Description
f7c8c60172f9ae4dab9f61c28ccae7084da90a06 SHA1 Fog ransomware binary (lck.exe)
507b26054319ff31f275ba44ddc9d2b5037bd295 SHA1 Fog ransomware binary (locker_out.exe)
e1fb7d15408988df39a80b8939972f7843f0e785 SHA1 Fog ransomware binary (fs.exe)
83f00af43df650fda2c5b4a04a7b31790a8ad4cf SHA1 Fog ransomware binary (locker_out.exe)
44a76b9546427627a8d88a650c1bed3f1cc0278c SHA1 Fog ransomware binary (mon.dll)
eeafa71946e81d8fe5ebf6be53e83a84dcca50ba SHA1 PsExec (psexesvc.exe)
763499b37aacd317e7d2f512872f9ed719aacae1 SHA1 Advanced Port Scanner (advanced_port_scanner.exe)
3477a173e2c1005a81d042802ab0f22cc12a4d55 SHA1 Advanced Port Scanner (advanced_port_scanner_2.5.3869.exe)
90be89524b72f330e49017a11e7b8a257f975e9a SHA1 SharpShares (sharpshares(1).exe)
DESKTOP-7G1IC87 Hostname Threat actor’s hostname
Kali Hostname Threat actor’s hostname
VPS65CCB8B75352 Hostname Threat actor’s hostname
PACKERP-VUDV41R Hostname Threat actor’s hostname
readme.txt Filename Ransom note
DBgLog.sys Filename Log file created by ransomware binary
Veeam-Get-Creds.ps1 Filename PowerShell script used to obtain passwords from Veeam Backup and Replication Credentials Manager
PSEXESVC.exe Filename PsExec
netscan.exe Filename SoftPerfect Network Scanner
.flocked File Extension Appended file extension to encrypted files
.fog File Extension Appended file extension to encrypted files
5.230.33[.]176 IP Address IP address used by the threat actor to login to VPN appliance
77.247.126[.]200 IP Address IP address used by the threat actor to login to VPN appliance
107.161.50[.]26 IP Address IP address used by the threat actor to login to VPN appliance

Detection Opportunities


The Veeam-Get-Creds.ps1 PowerShell script includes the following strings:


Detecting occurrences of all 3 strings in PowerShell script block logging may be able to identify usage of this tool.

As part of our Managed Detection and Response service, Arctic Wolf has detections in place for this technique, in addition to other techniques employed by this threat actor.

Additional Resources

Get forward-thinking insights along with practical guidance you can apply to your organization in the Arctic Wolf Labs 2024 Threat Report.

Learn what’s new, what’s changed, and what’s ahead for the cybersecurity landscape, with insights from 1,000 global IT and security leaders in the Arctic Wolf State of Cybersecurity: 2024 Trends Report.

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence, including machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings. With their deep domain knowledge, Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.


Stefan Hostetler

Stefan is a Senior Threat Intelligence Researcher at Arctic Wolf. With over a decade of industry experience under his belt, he focuses on extracting actionable insight from novel threats to help organizations protect themselves effectively.

Steven Campbell

Steven Campbell is a Lead Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.

Christopher Prest

Christopher is a Lead Security Researcher and a 17-year veteran in Software and Application security development, coupled with 2 years of cutting edge detection engineering and security research. A seasoned expert, Christopher focuses on Malware analysis and reverse engineering to shape the future of cybersecurity.

Connor Belfiore

Connor Belfiore is a Senior Threat Intelligence Analyst at Arctic Wolf Incident Response. He has more than five years of experience in threat intelligence, financial crimes investigation, and blockchain analysis.

Markus Neis

Markus Neis is a Principal Threat Intelligence Researcher in Arctic Wolf Labs focused on leading advanced threat research. He has more than a decade of experience in researching adversary tradecraft and responding to sophisticated attacks.

Joe Wedderspoon

Joe Wedderspoon is a Sr. Forensic Analyst at Arctic Wolf Incident Response, focused on leading complex incident response and digital forensic investigations. He holds multiple certifications and has over 6 years of operational experience in incident response, defensive cyber operations, and researching adversary tradecraft in both the public and private sectors.

Rick McQuown

Rick McQuown is a senior forensic Analyst at Arctic Wolf Incident Response and a 22-year veteran of digital forensic investigations specializing in full disk image forensics. Over the years, Rick has trained hundreds of forensic practitioners in advanced forensics, including EnCase and Memory Forensics.

Picture of Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown and Arctic Wolf Labs Team

Stefan Hostetler, Steven Campbell, Christopher Prest, Connor Belfiore, Markus Neis, Joe Wedderspoon, Rick McQuown and Arctic Wolf Labs Team

Share :
Table of Contents
Subscribe to our Monthly Newsletter