LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Fog

Fog Ransomware: Group Profile, Toolset, and Why Education and Financial Services Are Primary Targets

Fog ransomware emerged in mid-2024 and has built one of the most distinctive toolsets in the ransomware-as-a-service landscape — combining legitimate enterprise monitoring software with open-source C2 frameworks and a systematic SonicWall VPN exploitation pattern.

By Ransomware Tracker ·
FogransomwareSonicWallVPNeducationfinanceGC2Adaptixdouble-extortiongroup-profile
Threat Level
8/10
Sectors Targeted
education
finance
healthcare
Ransomware Family
Fog

Overview

Fog ransomware first appeared in the threat intelligence record in May 2024. Within twelve months it had claimed victims across fifteen countries and established itself as one of the more technically distinctive groups operating in the ransomware-as-a-service space. The group is characterised by three things that set it apart from the bulk of contemporary ransomware operators: a systematic initial access methodology built around SonicWall VPN vulnerabilities, an unconventional post-exploitation toolset that avoids Cobalt Strike almost entirely, and a specific focus on education and financial services as primary target sectors.

Initial Access: SonicWall VPN Exploitation

Fog’s initial access methodology is more systematic than most RaaS affiliates. Rather than broad opportunistic exploitation or purchasing access from brokers, Fog has consistently targeted organisations using SonicWall SSL-VPN products, specifically exploiting compromised SonicWall VPN credentials acquired through credential markets and credential stuffing campaigns.

The group’s tooling includes automated scripts that validate SonicWall credentials against internet-exposed SSL-VPN endpoints. Once valid credentials are identified, the group authenticates via VPN and has an effectively trusted network position from which post-exploitation begins.

This approach has two advantages from the attacker’s perspective: VPN authentication is inherently legitimate-looking (it’s designed to allow remote access), and the dwell time before detection is typically longer because initial access via VPN doesn’t trigger the same detection rules as exploiting a vulnerability.

Organisations using SonicWall products should cross-reference their VPN authentication logs against the Fog IOC sets published by Cyble, CrowdStrike, and Halcyon. Leaked SonicWall credential datasets have been circulating since the SonicWall credential database exposure in 2024.

Post-Exploitation Toolset

Fog’s toolset is the most distinctive aspect of its operation. Where the majority of ransomware affiliates rely on Cobalt Strike or Brute Ratel for post-exploitation, Fog has built its operation around a set of open-source and repurposed tools that are less commonly detected:

GC2 (Google Command and Control): An open-source post-exploitation framework developed for red team use that communicates through Google Sheets (or SharePoint) as a C2 channel. Outbound traffic to Google Workspace is rarely blocked and often not inspected by proxy. GC2 sessions are effectively invisible to security controls that rely on domain blocklisting or reputation-based network detection.

Adaptix C2: An alternative C2 framework (open-source, Golang-based) that implements a beacon protocol similar to Cobalt Strike but without the recognisable signatures that detection tools have been trained on. Adaptix has seen increasing adoption among threat actors specifically because of its reduced detection rate against commercial EDR products.

Stowaway: A proxy and tunnelling tool that enables covert data transfer and network traversal. Fog uses Stowaway to establish internal tunnels that allow lateral movement and data staging.

DonPAPI and Impacket: Standard credential harvesting tools. DonPAPI retrieves credentials protected by the Windows Data Protection API (DPAPI), while Impacket’s modules (particularly secretsdump) are used for NTLM hash extraction and Kerberos ticket abuse.

Syteca (formerly Ekran System): The most distinctive element of Fog’s toolset — the deployment of Syteca, a legitimate employee monitoring software used for insider threat detection, as a covert surveillance tool. Syteca is installed silently on compromised systems and records keystrokes and screen activity. Because it’s a commercially signed, legitimate enterprise product, it’s not flagged by most security tooling. This provides Fog operators with a persistent surveillance capability on high-value systems that survives standard incident response actions.

Privilege Escalation

Fog operators escalate privileges using a combination of:

  • noPac (CVE-2021-42278 + CVE-2021-42287): The sAMAccountName spoofing technique that allows a standard domain user to impersonate a domain controller and obtain a TGT as a high-privileged account. Patches have been available since December 2021, but the technique still works in a significant proportion of enterprise environments due to lagging patch deployment.
  • Zer0dump: An LSASS memory dumping tool used for credential extraction from domain controllers.

Victim Sectors

Education is Fog’s primary sector by claim volume. Schools, colleges, and universities make attractive targets: they typically have large volumes of personal data (student records, research data), often have under-resourced security operations, and tend to pay ransoms to avoid disruption to academic calendars. US and European academic institutions represent the majority of confirmed Fog victims.

Financial services is the secondary sector, particularly smaller banks, insurance companies, and credit unions that lack the dedicated security operations of larger institutions. The double-extortion model — encrypting data and threatening to publish it — is particularly effective in financial services because of the regulatory penalties associated with data disclosure.

Healthcare appears in Fog’s victim set but at lower frequency than education and finance, consistent with most RaaS groups’ stated (if inconsistently observed) avoidance of hospital operations.

Extortion Model

Fog operates a standard double-extortion model: data is exfiltrated before encryption, and victims face both operational disruption (restoring encrypted systems) and reputational/regulatory risk (threat of data publication). The group maintains a leak site on the dark web where victim data is published following non-payment.

Ransom demands have ranged from under $100,000 (for smaller education targets) to several million dollars (for financial services targets). The group is assessed to be flexible in negotiation — lower initial demands with willingness to negotiate suggests a volume-over-yield strategy.

Indicators and Detection

Key Fog IOCs:

  • SonicWall VPN authentication followed by GC2 beaconing to Google Sheets domains
  • Unexpected installation of Syteca/Ekran client on non-HRMS systems
  • noPac exploitation artefacts in Windows event logs (4741/4742 — computer account created/modified, followed by suspicious TGT requests)
  • Stowaway binary execution from temp directories

Sigma rules for Adaptix C2 beacon detection and GC2 Google Sheets C2 traffic have been published by the community and are available in the SigmaHQ repository under threat_actors/fog/.

Defensive Priorities

For organisations in the education and financial services sectors specifically:

  1. Audit SonicWall VPN credentials against breach databases (Have I Been Pwned breach feeds include the relevant dataset)
  2. Enforce MFA on all VPN authentication — credential stuffing doesn’t work against accounts with MFA
  3. Block or inspect traffic to Google Sheets from corporate systems where legitimate business use doesn’t require it
  4. Monitor for Syteca/Ekran installation outside of authorised HRMS deployments
  5. Patch noPac (KB5008380/KB5008602) if not already done — three-year-old vulnerability still active in the wild
// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting