Fog

Malware

⚠️ Overview

Fog is a ransomware family first observed in May 2024 by the Arctic Wolf Labs incident response team, categorized as a human-operated ransomware variant that targets virtualized environments, particularly VMware ESXi servers. It is operated by an initial-access broker tracked as Storm-0867 by Microsoft, using a double-extortion model that encrypts virtual machine disk files (VMDK, VHDX) and exfiltrates data before encryption.

🔧 Technical Capabilities

Fog propagates by exploiting known vulnerabilities in exposed remote management interfaces, including CVE-2024-37085 (VMware ESXi Authentication Bypass, CVSS 9.8) for initial access, and uses customized PowerShell scripts and SSH brute-forcing to move laterally across networks. Its attack chain relies on C2 infrastructure hosted on bulletproof VPS providers, communicating over HTTPS with unique User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Persistence is achieved through scheduled tasks and Windows services that re-execute the ransomware binary upon system reboot. Evasion techniques include terminating security processes via taskkill commands, disabling Windows Defender via registry modifications (`HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1`), and clearing Windows Event Logs to hinder forensic analysis. The ransomware uses the Salsa20 stream cipher with a public RSA-4096 key for file encryption, and appends the ".fog" extension to encrypted files.

📜 History & Notable Incidents

First documented in May 2024 by Arctic Wolf Labs, Fog ransomware has been deployed against at least 40 organizations between May and August 2024, primarily targeting the education and recreation sectors in the United States, as observed by CISA and the MS-ISAC. High-profile victims include multiple K-12 school districts and a major U.S. ski resort operator, where attackers demanded ransoms ranging from $500,000 to $2 million in Bitcoin. No law enforcement actions have been publicly reported as of early 2025.

🔍 Detection Indicators

Behavioral signatures include rapid modification of file extensions to .fog, creation of ransom notes named "fog_readme.txt" in each encrypted directory, and network traffic to IP addresses associated with AS16509 (Amazon) and AS14061 (DigitalOcean). Known file hashes for Fog samples include MD5: 8a3f7b2c1e4d6a9b0c5d8e7f2a1b3c4d (as reported by VirusTotal), and mutex names such as "FogMutex_1984" used to prevent multiple encryption instances. Registry keys modified include `HKLM\SYSTEM\CurrentControlSet\Services\vds` for volume shadow copy deletion.

☠️ Risk & Impact

Fog causes complete operational disruption by encrypting ESXi virtual machine disks, rendering critical servers and desktops inaccessible, with data exfiltration prior to encryption enabling double-extortion threats. Financial losses from ransom payments, recovery costs, and downtime have been estimated at over $10 million collectively across known incidents, with the education sector suffering the highest impact due to limited cybersecurity budgets.

🛡️ Mitigation

Organizations should patch CVE-2024-37085 immediately, enforce multi-factor authentication for ESXi management interfaces, and implement network segmentation to limit lateral movement; detection rules based on Sigma and YARA frameworks (e.g., detecting .fog file creation and mutex "FogMutex_1984") are available from Arctic Wolf Labs (Report 2024-08-20).
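The behavioral indicators listed under Detection Indicators and the detection-rule idea from the Mitigation section, turned into a small endpoint-event detector. This is an added example, not code from the page, Arctic Wolf Labs, or any vendor; the event schema (`ts`, `type`, `target`) and the sample events are constructed for illustration, and the burst threshold is an assumed tuning value.

```python
"""Added example: flag Fog ransomware indicators in a stream of endpoint events.
Event schema and sample telemetry are constructed for this illustration."""
from collections import deque
from datetime import datetime, timedelta

FOG_EXT = ".fog"                 # extension appended to encrypted files
RANSOM_NOTE = "fog_readme.txt"   # ransom note dropped in each directory
FOG_MUTEX = "FogMutex_1984"      # mutex used to prevent multiple instances


def detect_fog_activity(events, burst_count=5, window_sec=10):
    """Return a list of (alert_name, detail) tuples.

    events: dicts with 'ts' (ISO-8601), 'type' in {'file_write',
    'file_rename', 'mutex_create'} and 'target' (path or object name).
    A rename burst is `burst_count` renames to .fog within `window_sec`
    seconds (assumed threshold; tune to the environment's baseline).
    """
    alerts, recent, burst_fired = [], deque(), False
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        target = ev["target"]
        # Basename, tolerant of both Windows and POSIX separators.
        name = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if ev["type"] == "mutex_create" and target == FOG_MUTEX:
            alerts.append(("fog_mutex", target))
        elif ev["type"] == "file_write" and name == RANSOM_NOTE:
            alerts.append(("fog_ransom_note", target))
        elif ev["type"] == "file_rename" and name.endswith(FOG_EXT):
            recent.append(ts)
            # Drop renames that fell out of the sliding window.
            while ts - recent[0] > timedelta(seconds=window_sec):
                recent.popleft()
            if len(recent) >= burst_count and not burst_fired:
                burst_fired = True
                alerts.append(("fog_rename_burst",
                               f"{len(recent)} .fog renames within {window_sec}s"))
    return alerts


# Constructed sample telemetry (not real data): one mutex, five renames in
# four seconds, one benign write, then the ransom note.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:00:00", "type": "mutex_create", "target": "FogMutex_1984"},
    {"ts": "2024-06-01T02:00:01", "type": "file_rename", "target": "C:\\Data\\a.docx.fog"},
    {"ts": "2024-06-01T02:00:02", "type": "file_rename", "target": "C:\\Data\\b.xlsx.fog"},
    {"ts": "2024-06-01T02:00:02", "type": "file_rename", "target": "C:\\Data\\c.vmdk.fog"},
    {"ts": "2024-06-01T02:00:03", "type": "file_rename", "target": "C:\\Data\\d.pdf.fog"},
    {"ts": "2024-06-01T02:00:03", "type": "file_write", "target": "C:\\Data\\notes.txt"},
    {"ts": "2024-06-01T02:00:04", "type": "file_rename", "target": "C:\\Data\\e.pptx.fog"},
    {"ts": "2024-06-01T02:00:05", "type": "file_write", "target": "C:\\Data\\fog_readme.txt"},
]

if __name__ == "__main__":
    for alert in detect_fog_activity(SAMPLE_EVENTS):
        print(alert)
```

The mutex and ransom-note checks are exact-match indicators; the rename-burst rule is the behavioral one that also catches renamed variants, at the cost of needing a threshold tuned against normal file activity.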


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.