Latest Fog ransomware attack chain
Once the “Pay Adjustment” LNK file is clicked, a PowerShell script named stage1.ps1 is executed, retrieving various payloads from an attacker-controlled domain. These include the ransomware loader, cwiper.exe, a bring-your-own-vulnerable-driver (BYOVD) privilege escalation tool called Ktool.exe, an image of a QR code directing to a Monero wallet, a ransom note called RANSOMNOTE.txt and additional malicious PowerShell scripts.

Ktool.exe extracts the vulnerable Intel Network Adapter Diagnostic Driver, iQVW64.sys, to the %TEMP% folder and takes the target process ID (PID) and a hardcoded key as parameters. The PowerShell scripts Lootsubmit.ps1 and Trackerjacker.ps1 collect and exfiltrate system information such as IP address, CPU configuration, MAC address and system geolocation.

The ransomware loader performs checks to ensure it is not running in a sandbox environment before dropping the Fog ransomware along with dbgLog.sys, which logs encryption-related events, and an additional ransom note called readme.txt. This ransom note is identical to notes seen in previous Fog ransomware attacks.
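As an added illustration for defenders (example code written for this article, not Trend Micro's tooling or anything from the campaign), the script below runs three detection rules over constructed Sysmon-style telemetry: an LNK click (explorer.exe) launching PowerShell with one of the named stage scripts, a kernel driver loaded from a Temp directory or matching iQVW64.sys, and creation of one of the payload or note file names from the chain. The only names taken from the article are those file names; the event field layout, the paths, the command line and the sample events are assumptions built for the example.

```python
"""Constructed Sysmon-style events and simple detection rules for the Fog
ransomware chain described in the article.  Example code written for this
article, not Trend Micro's tooling; field names mirror Sysmon (Image,
ParentImage, CommandLine, ImageLoaded, TargetFilename), an assumption."""
import ntpath
import re

# File names taken from the attack-chain description in the article.
FOG_ARTIFACTS = {
    "stage1.ps1", "cwiper.exe", "ktool.exe", "lootsubmit.ps1",
    "trackerjacker.ps1", "ransomnote.txt", "dbglog.sys",
}
# Intel Network Adapter Diagnostic Driver that Ktool.exe drops into %TEMP%.
VULNERABLE_DRIVER = "iqvw64.sys"
# Any driver loaded out of a Temp directory is suspicious regardless of name.
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def rule_lnk_spawned_powershell(ev):
    """Process creation (Sysmon ID 1): explorer.exe, i.e. the LNK click,
    launching PowerShell whose command line names one of the stage scripts."""
    if ev.get("EventID") != 1:
        return False
    if _base(ev.get("ParentImage")) != "explorer.exe":
        return False
    if _base(ev.get("Image")) not in {"powershell.exe", "pwsh.exe"}:
        return False
    cmd = (ev.get("CommandLine") or "").lower()
    return any(name.endswith(".ps1") and name in cmd for name in FOG_ARTIFACTS)


def rule_byovd_driver_load(ev):
    """Driver load (Sysmon ID 6) of the known-vulnerable driver, or of any
    driver from a Temp directory, which is where Ktool.exe writes iQVW64.sys."""
    if ev.get("EventID") != 6:
        return False
    loaded = ev.get("ImageLoaded") or ""
    return _base(loaded) == VULNERABLE_DRIVER or bool(TEMP_PATH.search(loaded))


def rule_fog_artifact_written(ev):
    """File creation (Sysmon ID 11) of one of the payload / note names from the chain."""
    return ev.get("EventID") == 11 and _base(ev.get("TargetFilename")) in FOG_ARTIFACTS


RULES = {
    "lnk_spawned_powershell": rule_lnk_spawned_powershell,
    "byovd_driver_load": rule_byovd_driver_load,
    "fog_artifact_written": rule_fog_artifact_written,
}


def detect(events):
    """Return [(rule_name, event_index)] for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed sample telemetry (not real IoCs): one benign event, then the chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\stage1.ps1"},
    {"EventID": 11, "TargetFilename": r"C:\Users\u\AppData\Local\Temp\Ktool.exe"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\iQVW64.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 11, "TargetFilename": r"C:\Users\u\Desktop\RANSOMNOTE.txt"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} event #{idx}: {SAMPLE_EVENTS[idx]}")
```

The file-name rule is the weakest of the three, since a renamed payload defeats it; the explorer-to-PowerShell-with-script rule and the driver-from-Temp rule describe behaviour rather than names and survive renaming. For BYOVD specifically, detection is a fallback: the structural control is refusing to load known-vulnerable drivers at all, which on Windows means enabling the Microsoft vulnerable driver blocklist (via HVCI or a WDAC policy) so that a driver such as iQVW64.sys cannot be loaded even by an administrator.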
New ransomware note and bizarre political references
While the final ransom note, readme.txt, is the same one seen in previous attacks, the initial ransom note, RANSOMNOTE.txt, makes references to DOGE, including names of specific individuals associated with the department.

The note states, “Give me five bullet points on what you accomplished for work last week,” referencing emails sent to federal employees in February as part of a DOGE initiative. The note also offers to decrypt the user’s data for free if they send the malicious files to another person or directly execute the malicious PowerShell commands on another person’s machine.

Earlier this year, the DoNex ransomware group took a similar approach, offering targets payment for providing sensitive company data or spreading the ransomware throughout their organization.

Additional strange political references were included directly within the PowerShell script, including the statement “The CIA didn’t kill Kennedy you idiot.” The script also opened multiple politically themed YouTube videos, including an episode of “Last Week Tonight with John Oliver.”
Fog ransomware claims 100 victims in 2025
Fog is a relatively new ransomware group, emerging around mid-2024, but has been fairly active this year, claiming 100 victims since January. Most of its 2025 victims were posted on its leak site in February, when it claimed 53 victims in a single month.

The group targets a range of sectors including technology, education, manufacturing, transportation, business services, healthcare and retail. The threat actor targets both organizations and individuals, and Trend Micro has detected and blocked 173 counts of Fog ransomware activity since June 2024.

Trend Micro noted the possibility that the recent activity, including the new ransom note, may be the work of another threat actor impersonating Fog and using Fog ransomware, rather than originating from the Fog ransomware group itself.

Regardless, the company recommends organizations monitor indicators of compromise (IoC) for Fog ransomware and the recent campaign, and take general ransomware protection measures, including maintenance of up-to-date data backups and use of network segmentation to limit the spread of an attack.