Found 2 bookmarks
Navigating Through The Fog
  • An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence. Initial access was gained using compromised SonicWall VPN credentials, while other offensive tools facilitated credential theft, exploitation of Active Directory vulnerabilities, and lateral movement. Persistence was maintained through AnyDesk, automated by a PowerShell script that preconfigured remote access credentials. Sliver C2 executables were hosted on the server for command-and-control operations, alongside Proxychains tunneling. The victims spanned multiple industries, including technology, education, and logistics, across Europe, North America, and South America, highlighting the affiliate’s broad targeting scope.
·thedfirreport.com·
Arctic Wolf Labs has observed Fog ransomware being deployed against US organizations in the education and recreation sectors.
On May 2, 2024, Arctic Wolf Labs began monitoring deployment of a new ransomware variant referred to as Fog. The ransomware activity was observed in several Arctic Wolf Incident Response cases, each exhibiting similar elements. All victim organizations were located in the United States, 80% of which were in the education sector and 20% in the recreation sector. We are sharing details of this emerging variant to help organizations defend against this threat. Please note that we may add further detail to this article as we uncover additional information in our ongoing investigation.
·arcticwolf.com·