Fog ransomware operators used unusual pentesting and monitoring tools in a May 2025 attack on an Asian financial firm, as reported by Symantec researchers.
The attackers utilized rare tools like Syteca monitoring software, GC2, Adaptix, and Stowaway, which are uncommon in ransomware campaigns.
The attackers remained undetected in the network for two weeks before deploying the ransomware, and after deployment they created a service to maintain access, an unusual persistence step for a ransomware operation.
Fog ransomware has been active since at least May 2024, initially targeting U.S. schools through compromised VPNs and later exploiting a Veeam VBR vulnerability.
In April 2025, the group shifted to email-based infections, using provocative ransom notes and offering victims free decryption in exchange for infecting others.
While the initial infection vector in the recent Fog ransomware attack remains unknown, experts suspect Exchange Servers may have played a role.
The attackers' toolkit included uncommon tools like GC2 for C2 communication, Syteca for monitoring, Stowaway for delivery, and PsExec/SMBExec for lateral movement, indicating espionage motives.
Additionally, tools like Adaptix C2, FreeFileSync, MegaSync, and Process Watchdog were used for data theft, maintaining persistence, and controlling the compromised network.
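As an added example (not from the Symantec report or this article), the following Python hunt scans Windows service-installation records (System event 7045) and process-creation records (Security event 4688) for the tools named above and for the service-based persistence the attack used. The event records and paths are constructed, and the binary names are assumptions, except PSEXESVC, which is PsExec's known service name.

```python
"""Hunt for the dual-use tools and service persistence described in the report.
Sample events are constructed; tool binary names are assumptions (PSEXESVC is
PsExec's real service name), not indicators taken from the report."""

# Tools named in the report, mapped to the role the report attributes to them.
# Matched case-insensitively as a substring of the binary path, spaces removed.
TOOL_ROLES = {
    "psexec": "lateral movement", "psexesvc": "lateral movement",
    "smbexec": "lateral movement", "stowaway": "delivery/proxy",
    "gc2": "C2", "adaptix": "C2", "syteca": "monitoring",
    "freefilesync": "data theft", "megasync": "data theft",
    "process watchdog": "persistence",
}

# Constructed records: (event_id, host, path). For 7045 the path is the new
# service's binary; for 4688 it is the created process image.
SAMPLE_EVENTS = [
    (7045, "fs01", r"C:\Windows\PSEXESVC.exe"),
    (4688, "fs01", r"C:\Users\svc_backup\AppData\Local\FreeFileSync\FreeFileSync.exe"),
    (7045, "fs01", r"C:\ProgramData\watchdog\ProcessWatchdog.exe"),
    (4688, "ws22", r"C:\Windows\System32\svchost.exe"),
    (7045, "ws22", r"C:\Program Files\Vendor\Agent\agent.exe"),
]


def classify(path):
    """Return (tool, role) if the path names a tool from the report, else None."""
    name = path.lower().replace(" ", "")
    for tool, role in TOOL_ROLES.items():
        if tool.replace(" ", "") in name:
            return tool, role
    return None


def hunt(events):
    """Flag every named tool as high severity. Every other new-service install
    (7045) is queued for baseline review, because the report singles out
    service creation as the attackers' persistence step."""
    findings = []
    for event_id, host, path in events:
        hit = classify(path)
        if hit:
            findings.append((host, "high", f"{hit[0]} ({hit[1]}): {path}"))
        elif event_id == 7045:
            findings.append((host, "review", f"new service binary: {path}"))
    return findings


if __name__ == "__main__":
    for host, severity, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{severity}\t{detail}")
```

Routine service installs such as vendor agents will land in the review bucket, so the list should be compared against an approved-software baseline rather than alerted on directly.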
The atypical toolset and the persistence established after deployment suggest the attackers may have been motivated by espionage, with ransomware serving as a decoy or a secondary goal.
The report highlights the possibility of the company being targeted for espionage, with ransomware serving as a diversion or profit-making tactic alongside espionage activities.
The use of uncommon tools in the ransomware attack is a noteworthy observation for businesses seeking to defend against malicious actors, according to the researchers.
Overall, the attack's unique characteristics and toolset underscore the need for enhanced cybersecurity measures and vigilance against sophisticated threat actors.
The report includes indicators of compromise that organizations can use to check their environments and strengthen their defenses.
The article was written by Pierluigi Paganini for SecurityAffairs and covers the Fog ransomware incident.