What Is Fog Ransomware? Tactics and Defenses
Fog ransomware is a ransomware variant first observed in May 2024 that breaks in through compromised VPN credentials, encrypts files with the .FOG or .FLOCKED extension, and steals data for double extortion.
The intrusion started with a login that already worked. No exploit chain, no dropped malware on the first host, just a valid VPN credential bought or harvested from somewhere else. From there the operator ran pass-the-hash against an administrator account, opened an RDP session to a Windows Server running Hyper-V and Veeam, pushed PsExec to a handful of machines, turned off Windows Defender, and began encrypting. In several of the cases Arctic Wolf Labs documented, the time from initial access to encryption was short, sometimes inside a single day. By the time anyone saw the readme.txt, the virtual machine disks were already .FOG.
Fog is a ransomware operation first observed on May 2, 2024 by Arctic Wolf Labs. It is not a sophisticated zero-day operation. It is a fast, credential-driven intrusion that leans on legitimate tools and valid access, which is exactly what makes it hard to catch in time. This guide covers what Fog ransomware is, who it targets, how an attack unfolds stage by stage, the vulnerabilities and tools it relies on, and what blue teams can actually do to detect and stop it before encryption.
What is Fog ransomware?
Fog is a ransomware variant that encrypts a victim's files and demands payment for the decryption key, while also stealing data to pressure the victim into paying. It was first identified in May 2024 and quickly drew attention for its speed and its narrow early focus on US organizations.
Like most modern ransomware operations, Fog runs a double extortion model. The operators exfiltrate sensitive data before encrypting, then threaten to publish it on a leak site if the ransom is not paid. That gives the victim two reasons to pay: to recover encrypted systems, and to keep stolen data private. Restoring from backups stops being a complete answer once your data is already in the attacker's hands.
What sets Fog apart is less the malware and more the operating style. The encryptor itself is a compact Windows binary driven by a JSON configuration block, which controls pre- and post-encryption behavior, carries an embedded public key, and sets the extension appended to encrypted files. The default extensions are .FOG and .FLOCKED, but because they are configuration values, an operator can change them per campaign. The intrusion that delivers the encryptor is built almost entirely from valid credentials and tools that already exist in a Windows environment.
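Because the extension is just a configuration value, triage after a suspected Fog incident should not key on .FOG or .FLOCKED alone. The script below is an added example, not code from the page or from Arctic Wolf: it flags files by byte entropy (ciphertext sits near 8 bits per byte) while excluding formats that are legitimately high-entropy by their magic bytes, and checks for the readme.txt note. The sample share is constructed in memory, and the 7.5 bits/byte threshold is an assumption for illustration.

```python
"""Triage files for ransomware encryption when the extension cannot be trusted.

Added example (not from the page or Arctic Wolf). The sample files below are
constructed in memory; the entropy threshold is an assumption, not a vendor value.
"""
import gzip
import math
import os
import random
from collections import Counter
from typing import Optional

KNOWN_EXTENSIONS = {".fog", ".flocked"}   # defaults from the report; operators can change them
RANSOM_NOTE_NAME = "readme.txt"           # note name reported for Fog
ENTROPY_THRESHOLD = 7.5                   # assumption: bits per byte; ciphertext sits near 8.0

# Legitimately high-entropy formats that must not be mistaken for ciphertext.
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compressed_format(data: bytes) -> Optional[str]:
    """Name of a known compressed/container format by magic bytes, else None."""
    for magic, fmt in COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def classify(name: str, data: bytes) -> dict:
    """Classify one file; reasons is empty when nothing looks wrong."""
    ext = os.path.splitext(name)[1].lower()
    ent = shannon_entropy(data)
    fmt = compressed_format(data)
    reasons = []
    if ext in KNOWN_EXTENSIONS:
        reasons.append("known Fog extension")
    if ent >= ENTROPY_THRESHOLD and fmt is None:
        reasons.append(f"high entropy ({ent:.2f} bits/byte) with no compressed-format header")
    return {"name": name, "entropy": round(ent, 2), "format": fmt, "reasons": reasons}


def triage(files: dict) -> dict:
    """Return suspicious file names plus whether a ransom note is present."""
    details = [classify(name, data) for name, data in files.items()]
    suspicious = [d["name"] for d in details if d["reasons"]]
    note_present = any(os.path.basename(n).lower() == RANSOM_NOTE_NAME for n in files)
    return {"suspicious": suspicious, "ransom_note": note_present, "details": details}


def build_sample_share() -> dict:
    """Constructed sample share, not real victim data; seeded so results repeat."""
    rng = random.Random(2024)
    plain = b"Quarterly budget notes for the registrar's office.\n" * 80
    cipher_like = rng.randbytes(4096)
    return {
        "finance/budget.xlsx": plain,                       # ordinary low-entropy document
        "vms/server01.vhdx.FOG": cipher_like,               # default extension, random-looking bytes
        "vms/server02.vhdx.k3x9": cipher_like[::-1],        # same bytes, non-default extension
        "archive/logs.tar.gz": gzip.compress(rng.randbytes(2048)),  # high entropy but legitimate
        "readme.txt": b"Your files are encrypted. Contact us...\n",
    }


if __name__ == "__main__":
    report = triage(build_sample_share())
    for d in report["details"]:
        print(f"{d['name']:<26} entropy={d['entropy']:.2f} reasons={d['reasons']}")
    print("ransom note present:", report["ransom_note"])
```

On the constructed share, both .vhdx files are flagged even though only one carries the default extension, the gzip archive is not, and the ransom note is reported separately because it is a stronger indicator than any extension.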
Who does Fog ransomware target?
Fog's earliest victims were concentrated and geographically narrow. In the incident response cases Arctic Wolf tracked in its first wave, roughly 80 percent of affected organizations were in the education sector and the remaining 20 percent were in recreation. All of the early victims were located in the United States.
Education is a recurring target for ransomware crews for practical reasons: schools and universities hold large amounts of personal data, often run lean security teams, and depend on systems that cannot tolerate long outages. That combination makes them likely to pay and easy to disrupt.
The targeting did not stay still. By mid-2024, Fog activity expanded beyond academia into the financial sector, where larger payouts and more sensitive data are on the table, and into other industries. Later intrusions linked to compromised SonicWall VPN appliances spanned multiple sectors rather than a single vertical. The pattern is opportunistic: Fog goes where exposed, exploitable access exists, and the early education focus reflected where vulnerable credentials and appliances happened to be, not a permanent specialty.
How a Fog ransomware attack works
Fog attacks follow a consistent arc. The defining trait is how little of it depends on malware. Most of the chain is valid access and legitimate administrative tooling, which is why it blends into normal activity until the encryption stage.
- Initial access through valid VPN credentials. Operators log in using compromised VPN credentials, observed across at least two different VPN gateway vendors. The credentials are stolen, reused from prior breaches, or obtained through exploited VPN appliances. There is no exploit on the endpoint, just a working login.
- Credential theft and privilege escalation. Inside the network, the operators run pass-the-hash attacks against administrator accounts, authenticating with stolen NTLM hashes rather than cracking any password. This is the step that turns a single user login into domain-level reach.
- Discovery and lateral movement. With admin credentials, they enumerate the environment, including Active Directory, to map hosts and find the systems worth hitting. They then establish RDP connections and use PsExec for lateral movement to additional hosts, reaching Windows Servers running Hyper-V and Veeam backup infrastructure.
- Defense evasion. Before encrypting, the operators disable Windows Defender on the targeted servers, removing the endpoint protection that would otherwise flag or block the encryptor.
- Encryption and impact. The encryptor runs against high-value targets, notably virtual machine disk files, and appends the .FOG or .FLOCKED extension. Hitting the virtualization layer takes down many systems at once. A readme.txt ransom note is dropped across the affected network with payment instructions.
The speed is the headline. In multiple documented cases the gap between the first VPN login and full encryption was measured in hours, not weeks. That compressed timeline is a deliberate design: the less time defenders have to notice the intrusion, the more likely it ends in a paid ransom.
Vulnerabilities and tools Fog relies on
Fog's playbook is built around two things: a way in through remote access, and trusted tools to operate once inside. Understanding both is what makes detection possible.
On the way in, VPN access is the consistent theme. Compromised VPN credentials were the original vector. From August 2024 onward, Arctic Wolf Labs observed a surge of Fog and Akira ransomware intrusions tied to SonicWall SSL VPN appliances, with at least 30 intrusions across various industries, most attributed to Akira and the rest to Fog. That activity correlated with CVE-2024-40766, an improper access control flaw in SonicWall SonicOS rated CVSS 9.3, which SonicWall patched in August 2024 and warned was under active exploitation shortly after. Exploitation of that CVE by Fog specifically is correlated rather than confirmed, but the broader lesson holds: internet-facing remote access is the front door.
Once inside, Fog operators favor legitimate software over custom malware, a technique known as living off the land:
- AnyDesk for remote access and persistence, blending in with legitimate IT remote-support traffic.
- PsExec to execute commands and deploy tooling across multiple hosts.
- PowerShell and WMI for execution and administration, using built-in Windows components so nothing new has to be dropped to disk.
- BloodHound and native Active Directory enumeration to map attack paths to privileged accounts.
- Pass-the-hash to authenticate as administrators using stolen hashes instead of plaintext passwords.
The defensive implication is direct. You cannot detect Fog by waiting for a malware signature, because most of the chain is signed, legitimate software being used the way an attacker would. Detection has to focus on behavior: an admin account authenticating in an unusual way, RDP and PsExec spreading between servers, BloodHound-style enumeration, Defender being disabled, and large reads against backup and virtualization hosts.
How to detect and prevent Fog ransomware
Because Fog moves fast and lives off legitimate tools, defense splits into two jobs: close the doors it comes through, and detect the behavior early enough to act inside its compressed timeline.
Prevention focuses on the access Fog depends on:
- Lock down remote access. Require phishing-resistant multi-factor authentication on every VPN and remote-access path. Fog's entire chain starts with a credential that works; MFA makes a stolen password insufficient on its own.
- Patch internet-facing appliances fast. VPN and firewall devices like the SonicWall appliances tied to CVE-2024-40766 are prime targets. Apply vendor patches promptly and rotate credentials after patching a device that may already be compromised.
- Harden Active Directory and enforce least privilege. Limit which accounts hold administrative rights, monitor for pass-the-hash and Kerberos abuse, and reduce the blast radius so one compromised credential cannot reach the whole domain.
- Protect and isolate backups. Fog deliberately targets Veeam and Hyper-V hosts. Keep immutable, offline, or otherwise isolated backups so recovery does not depend on infrastructure the attacker can reach and encrypt.
- Protect endpoint security from tampering. Enable tamper protection on Defender and EDR so an operator with admin rights cannot quietly switch it off before encrypting.
Detection focuses on the behavioral signals the chain throws off:
- Anomalous VPN logins: unfamiliar geolocations, impossible travel, or logins outside normal hours for that account.
- Pass-the-hash and other credential-abuse patterns against administrator accounts.
- Unexpected RDP and PsExec activity spreading between internal servers, especially toward Hyper-V and backup systems.
- AnyDesk or other remote-access tools appearing where IT did not deploy them.
- Endpoint protection being disabled, which should be a high-severity alert on its own.
- Large or unusual data transfers that signal exfiltration ahead of encryption.
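The attack chain above and this detection list describe the same sequence from two sides, so the correlation logic below serves both. It is an added example, not code from the page or from Arctic Wolf: it takes already-parsed Windows Security, System, Defender and VPN gateway events of the kind a SIEM holds, maps each to a stage of the chain, and reports a Fog-like intrusion when three or more distinct stages land inside a single 24-hour window. The sample events are constructed, and the privileged-account list, the Hyper-V and Veeam host names, the workstation naming convention and the pass-the-hash heuristic (NTLM network logon to an admin account from a workstation) are assumptions you would replace with your own environment's values.

```python
"""Stage correlation for a Fog-style intrusion over parsed Windows and VPN events.

Added example, not from the page or Arctic Wolf. Events are constructed dicts
shaped like parsed SIEM records; account lists, host names and heuristics are assumptions.
"""
from datetime import datetime, timedelta
from typing import Optional

ADMIN_ACCOUNTS = {"CORP\\administrator", "CORP\\da-backup"}   # assumption: privileged accounts to watch
CROWN_JEWELS = {"HV-01", "VEEAM-01"}                            # assumption: Hyper-V and backup hosts
WORKSTATION_PREFIX = "WS-"                                      # assumption: workstation naming convention
CHAIN_WINDOW = timedelta(hours=24)                              # Fog's documented pace: hours, not weeks


def stage_of(ev: dict, baseline: dict) -> Optional[tuple]:
    """Map one parsed event to (stage, detail), or None if it looks routine."""
    src = ev["source"]
    if src == "vpn":
        # Initial access: VPN login from a country never seen before for this account.
        known = baseline.get(ev["user"], set())
        if ev["country"] not in known:
            return ("initial_access", f"VPN login for {ev['user']} from {ev['country']}, baseline {sorted(known)}")
        return None
    eid = ev.get("event_id")
    if src == "security" and eid == 4624:
        # Credential abuse heuristic (assumption): NTLM network logon (type 3, NtLmSsp) to an
        # admin account from a workstation. Legitimate NTLM admin logons happen; treat as a lead.
        if (ev["user"] in ADMIN_ACCOUNTS and ev["logon_type"] == 3
                and ev["auth_package"] == "NTLM" and ev["logon_process"] == "NtLmSsp"
                and ev["src_host"].startswith(WORKSTATION_PREFIX)):
            return ("credential_abuse", f"NTLM network logon as {ev['user']} to {ev['host']} from {ev['src_host']}")
        # Lateral movement: RDP (logon type 10) onto a virtualization or backup host.
        if ev["logon_type"] == 10 and ev["host"] in CROWN_JEWELS:
            return ("lateral_movement", f"RDP logon as {ev['user']} to {ev['host']} from {ev['src_host']}")
        return None
    if src == "system" and eid == 7045 and ev["service_name"].upper() == "PSEXESVC":
        # System 7045: a new service was installed; PSEXESVC is PsExec's default service name.
        return ("lateral_movement", f"PsExec service installed on {ev['host']}")
    if src == "defender" and eid == 5001:
        # Microsoft-Windows-Windows Defender/Operational 5001: real-time protection disabled.
        return ("defense_evasion", f"Defender real-time protection disabled on {ev['host']}")
    return None


def chain_detected(hits: list) -> bool:
    """True if any CHAIN_WINDOW starting at a hit contains three or more distinct stages."""
    times = [datetime.fromisoformat(h["ts"]) for h in hits]
    for i, start in enumerate(times):
        in_window = {h["stage"] for h, t in zip(hits[i:], times[i:]) if t - start <= CHAIN_WINDOW}
        if len(in_window) >= 3:
            return True
    return False


def correlate(events: list, baseline: dict) -> dict:
    """Order events by time, tag the ones that map to a stage, and give a verdict."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    hits = []
    for ev in ordered:
        tagged = stage_of(ev, baseline)
        if tagged:
            hits.append({"ts": ev["ts"], "stage": tagged[0], "detail": tagged[1]})
    return {"hits": hits, "stages": sorted({h["stage"] for h in hits}), "chain_detected": chain_detected(hits)}


# Constructed baseline and events, not from a real incident.
BASELINE = {"CORP\\jsmith": {"US"}, "CORP\\da-backup": {"US"}}
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T01:12:00", "source": "vpn", "user": "CORP\\jsmith", "country": "US"},
    {"ts": "2024-05-02T02:03:00", "source": "vpn", "user": "CORP\\jsmith", "country": "RO"},
    {"ts": "2024-05-02T02:41:00", "source": "security", "event_id": 4624, "host": "FS-01", "user": "CORP\\jsmith",
     "logon_type": 3, "auth_package": "Kerberos", "logon_process": "Kerberos", "src_host": "WS-0142"},
    {"ts": "2024-05-02T03:05:00", "source": "security", "event_id": 4624, "host": "HV-01", "user": "CORP\\da-backup",
     "logon_type": 3, "auth_package": "NTLM", "logon_process": "NtLmSsp", "src_host": "WS-0142"},
    {"ts": "2024-05-02T03:20:00", "source": "security", "event_id": 4624, "host": "VEEAM-01", "user": "CORP\\da-backup",
     "logon_type": 10, "auth_package": "Negotiate", "logon_process": "User32", "src_host": "WS-0142"},
    {"ts": "2024-05-02T03:31:00", "source": "system", "event_id": 7045, "host": "HV-01", "service_name": "PSEXESVC"},
    {"ts": "2024-05-02T03:34:00", "source": "defender", "event_id": 5001, "host": "HV-01"},
]

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS, BASELINE)
    for h in result["hits"]:
        print(f"{h['ts']}  {h['stage']:<17} {h['detail']}")
    print("chain detected:", result["chain_detected"])
```

The point of the window is the compressed timeline: the first two stages, an odd VPN login and an NTLM logon to an admin account, each look explainable on their own and are exactly where an analyst should already be paging someone, because the PsExec service and the Defender event that confirm the chain arrive only minutes later.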
The unifying principle is dwell-time reduction. Fog is designed to finish before you notice. The defenders who stop it are the ones who alert on the early stages (valid-but-anomalous access, credential abuse, server-to-server movement) and have a rehearsed incident response plan ready to contain it, rather than waiting for the encryption stage, where the only remaining choice is how to recover.
The bottom line
Fog ransomware is a fast, credential-driven operation that breaks in through compromised VPN access, escalates with pass-the-hash, spreads with RDP and PsExec, disables endpoint protection, and encrypts virtual machine disks under the .FOG or .FLOCKED extension, all while running double extortion against stolen data. It first hit US education and recreation organizations in May 2024 and has since broadened into finance and other sectors, frequently riding compromised SonicWall VPN appliances. None of it is exotic. It succeeds by using valid access and legitimate tools to move faster than defenders can react. That also points to the defense: enforce MFA on remote access, patch internet-facing appliances, harden Active Directory, isolate backups, protect your endpoint controls from tampering, and build detection around anomalous access and behavior rather than malware signatures. Fog wins on speed, so the defenders who beat it are the ones who see it early and have already rehearsed the response.
Frequently Asked Questions
What is Fog ransomware?
Fog is a ransomware operation first observed in May 2024 by Arctic Wolf Labs. It encrypts a victim's files, appending the .FOG or .FLOCKED extension, and steals data for double extortion, threatening to leak it if the ransom is not paid. Fog is notable for breaking in through compromised VPN credentials and moving from initial access to encryption very quickly, sometimes within a single day.
Who does Fog ransomware target?
Fog's earliest victims were US organizations, with roughly 80 percent in the education sector and 20 percent in recreation. By mid-2024 it expanded into the financial sector and other industries. The targeting is opportunistic: Fog pursues organizations with exposed, exploitable remote access rather than a single fixed vertical, and the early education focus reflected where vulnerable credentials and appliances happened to be.
How does Fog ransomware get into a network?
Fog operators gain initial access using compromised VPN credentials, observed across multiple VPN gateway vendors. From August 2024, a surge of Fog and Akira intrusions was linked to SonicWall SSL VPN appliances and correlated with CVE-2024-40766, a critical SonicOS access control flaw. There is typically no endpoint exploit at the start, just a valid remote-access login.
What file extension does Fog ransomware use?
Fog appends the .FOG or .FLOCKED extension to encrypted files by default. Because the encryptor is driven by a JSON configuration block, those extensions are configurable values an operator can change per campaign, so the extension alone is not a reliable indicator.
How can organizations defend against Fog ransomware?
Require phishing-resistant multi-factor authentication on all remote access, patch internet-facing VPN and firewall appliances quickly, enforce least privilege in Active Directory, and keep immutable or isolated backups since Fog targets Veeam and Hyper-V hosts. Enable tamper protection on endpoint security so it cannot be disabled, and build detection around anomalous logins, credential abuse, and unexpected RDP and PsExec activity rather than malware signatures.
Is Fog ransomware related to Akira ransomware?
Fog and Akira are separate ransomware operations, but their intrusions have overlapped. Arctic Wolf Labs observed both groups exploiting compromised SonicWall SSL VPN access in the same period from August 2024 onward, across at least 30 intrusions, with most attributed to Akira and the rest to Fog. They are distinct operations that have used a similar initial access vector.