Fog ransomware operators have recently adopted a new tactic, using DOGE-themed ransom notes to mock their victims. In a twist, they offer a free decryption key if victims spread the malware to others, adding a social engineering layer to their attacks.

Phishing Campaigns and Initial Access

Unlike previous campaigns that relied on compromised VPN credentials, the latest Fog ransomware attacks begin with phishing emails. These emails contain a zip archive labeled "Pay Adjustment.zip," which includes a malicious LNK file. When executed, this file initiates a series of actions that ultimately deploy the ransomware on the victim's system, as reported by Trend Micro researchers.

Technical Details of the Attack

The malicious LNK file downloads a PowerShell script, which retrieves a ransomware downloader along with other PowerShell scripts and executables. These components include a script for harvesting system information, a tool for lateral movement, and a QR code for ransom payments to a Monero wallet. Additionally, the initial script opens politically themed YouTube videos and contains political commentary.

  • Key Point 1: The attack begins with a phishing email containing a malicious LNK file.
  • Key Point 2: The LNK file triggers a PowerShell script that downloads multiple malicious components.
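The delivery chain above (zip attachment, shortcut inside, PowerShell stage) is something a mail gateway can screen for before a user ever double-clicks. The following is an added example, not code from the article or from Trend Micro: a heuristic attachment scanner that unpacks a zip in memory, recognises Windows shortcut (.lnk) members by extension or by the Shell Link header magic, and escalates to "block" when the shortcut's raw bytes reference PowerShell or a URL (checked in both ASCII and UTF-16LE, since shortcut strings are usually stored as UTF-16LE). The sample archive it scans is constructed here to resemble the lure and contains a placeholder shortcut and URL, not the real malware; the magic-header check goes slightly beyond the article by also catching a shortcut renamed to a non-.lnk extension.

```python
"""Heuristic scan of a zip e-mail attachment for shortcut-based phishing lures.

Added example (not the article's or the vendor's code). The archive scanned in
build_constructed_sample() is constructed for illustration only.
"""
import io
import zipfile
from typing import Dict, List

# Shell Link (.LNK) file header: HeaderSize 0x4C followed by the ShellLink
# CLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Strings whose presence inside a shortcut turns "review" into "block".
SUSPICIOUS = ["powershell", "cmd.exe", "http://", "https://"]


def lnk_indicators(data: bytes) -> List[str]:
    """Return the SUSPICIOUS strings found in a shortcut's raw bytes.

    Both ASCII and UTF-16LE encodings are checked, case-insensitively
    (bytes.lower() only touches ASCII letters, so it is safe on UTF-16LE).
    """
    low = data.lower()
    return [s for s in SUSPICIOUS
            if s.encode("ascii") in low or s.encode("utf-16-le") in low]


def scan_zip_attachment(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per shortcut member found in the archive.

    A member counts as a shortcut if it ends in .lnk OR starts with the
    Shell Link magic (the latter catches a shortcut hidden behind another
    extension). Verdict is "block" when suspicious strings are present,
    otherwise "review".
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            data = zf.read(name)
            has_lnk_ext = name.lower().endswith(".lnk")
            has_lnk_magic = data.startswith(LNK_MAGIC)
            if not (has_lnk_ext or has_lnk_magic):
                continue
            reasons = []
            if has_lnk_ext:
                reasons.append("shortcut (.lnk) inside archive")
            if has_lnk_magic and not has_lnk_ext:
                reasons.append("shortcut header behind a non-.lnk extension")
            indicators = lnk_indicators(data)
            if indicators:
                reasons.append("references " + ", ".join(indicators))
            findings.append({
                "member": name,
                "verdict": "block" if indicators else "review",
                "reasons": reasons,
            })
    return findings


def build_constructed_sample() -> bytes:
    """Build a constructed zip shaped like the 'Pay Adjustment.zip' lure.

    The shortcut is a placeholder: a valid header, zero padding, and a
    UTF-16LE string pointing at a placeholder URL. It is not the real file.
    """
    placeholder_target = "powershell.exe http://placeholder.invalid/stage.ps1"
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + placeholder_target.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Pay Adjustment.lnk", fake_lnk)   # the lure
        zf.writestr("notice.txt", "Please see the attached adjustment.")  # benign
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_constructed_sample()):
        print(finding["verdict"].upper(), finding["member"], "-", "; ".join(finding["reasons"]))
```

On the constructed sample the scanner reports a single "block" finding for the shortcut and stays silent on the text file. In production the same function would sit behind the gateway's attachment hook; the review tier (shortcut present but no indicator strings) is worth keeping rather than collapsing into block, because shortcuts do occasionally travel legitimately inside archives and the human triage of a rare "review" is cheap compared with silently passing a stager.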

Fog's Growing Victim Count

Trend Micro's analysis reveals that Fog ransomware has impacted 100 victims since January, with a peak in February. Since June 2024, there have been 173 ransomware activities linked to Fog among Trend customers. The primary targets have been in the technology, manufacturing, education, and transportation sectors.

Evolution of Fog Ransomware

Initially, Fog ransomware operators did not exfiltrate data or maintain a leak site, focusing instead on quick payouts. However, recent attacks have involved data theft before encryption, indicating a shift towards double-extortion tactics. In one observed case, data was encrypted within two hours of initial access.

DOGE-Themed Ransom Notes

The ransom notes reference the Elon Musk-led Department of Government Efficiency (DOGE) and sometimes mention individuals associated with it. Victims are humorously asked to list tasks or pay an exorbitant amount. The note also offers free decryption if the victim spreads the malware, with a warning about tracking their location.

Defensive Measures and Recommendations

Trend Micro has published indicators of compromise (IoCs) to help organizations monitor Fog ransomware activity. They recommend standard ransomware defenses, including secure backups, regular restoration tests, network segmentation, software updates, and phishing training.
