Fog Ransomware: Unusual Toolset Used in Recent Attack

    Date: 06/16/2025

    Severity: Medium

    Summary

    In May 2025, a financial institution in Asia was targeted by Fog ransomware, marking a significant shift in attack tactics. Unusually, the attackers deployed legitimate employee monitoring software, Syteca (formerly Ekran), and several open-source pentesting tools, including GC2, Adaptix, and Stowaway—tools not typically associated with ransomware attacks. After the ransomware deployment, the attackers created a service for persistence, intending to maintain access to the victim’s network, a departure from typical ransomware behavior. The attackers were active on the network for approximately two weeks before launching the attack. Fog ransomware, first documented in May 2024, initially targeted U.S. educational institutions and gained access through compromised VPN credentials.

    Indicators of Compromise (IOC) List

    URL/Domain

    amanda.protoflint.com

    IP Address

    66.112.216.232

    97.64.81.119


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "amanda.protoflint.com" or siteurl like "amanda.protoflint.com" or url like "amanda.protoflint.com"

    Detection Query 2:

    dstipaddress IN ("66.112.216.232","97.64.81.119") or srcipaddress IN ("66.112.216.232","97.64.81.119")

    Detection Query 3:

    sha256hash IN ("181cf6f9b656a946e7d4ca7c7d8a5002d3d407b4e89973ecad60cee028ae5afa","90a027f44f7275313b726028eaaed46f6918210d3b96b84e7b1b40d5f51d7e85","f6cfd936a706ba56c3dcae562ff5f75a630ff5e25fcb6149fe77345afd262aab","fcf1da46d66cc6a0a34d68fe79a33bc3e8439affdee942ed82f6623586b01dd1","4d80c6fcd685961e60ba82fa10d34607d09dacf23d81105df558434f82d67a5e","8ed42a1223bfaec9676780137c1080d248af9ac71766c0a80bed6eb4a1b9b4f1","e1f571f4bc564f000f18a10ebb7ee7f936463e17ebff75a11178cc9fb855fca4","f1c22cbd2d13c58ff9bafae2af33c33d5b05049de83f94b775cdd523e393ec40","279f32c2bb367cc50e053fbd4b443f315823735a3d78ec4ee245860043f72406","b448321baae50220782e345ea629d4874cbd13356f54f2bbee857a90b5ce81f6","f37c62c5b92eecf177e3b7f98ac959e8a67de5f8721da275b6541437410ffae1","3d1d4259fc6e02599a912493dfb7e39bd56917d1073fdba3d66a96ff516a0982","982d840de531e72a098713fb9bd6aa8a4bf3ccaff365c0f647e8a50100db806d","fd9f6d828dea66ccc870f56ef66381230139e6d4d68e2e5bcd2a60cc835c0cc6","bb4f3cd0bc9954b2a59d6cf3d652e5994757b87328d51aa7b1c94086b9f89be0","ba96c0399319848da3f9b965627a583882d352eb650b5f60149b46671753d7dd","44bb7d9856ba97271d8f37896071b72dfbed2d9fb6c70ac1e70247cddbd54490","13d70c27dfa36ba3ae1b10af6def9bf34de81f6e521601123a5fa5b20477f277")
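    As an added example that is not part of the advisory or of Gurucul's product, the following Python applies the same three matching rules to constructed log events so the logic can be checked outside the TDIR platform. It assumes each event is a dict keyed by the field names used in the queries (domainname, siteurl, url, srcipaddress, dstipaddress, sha256hash) and reproduces only two of the eighteen hashes from Detection Query 3.

```python
# Added example (not from the advisory): apply the three TDIR queries above to
# constructed events. Field names come from the queries; events are made up.
from typing import Dict, List, Tuple

IOC_DOMAINS = {"amanda.protoflint.com"}
IOC_IPS = {"66.112.216.232", "97.64.81.119"}
# Subset only: two of the eighteen SHA-256 values listed in Detection Query 3.
IOC_SHA256 = {
    "181cf6f9b656a946e7d4ca7c7d8a5002d3d407b4e89973ecad60cee028ae5afa",
    "90a027f44f7275313b726028eaaed46f6918210d3b96b84e7b1b40d5f51d7e85",
}
DOMAIN_FIELDS = ("domainname", "siteurl", "url")  # Query 1
IP_FIELDS = ("srcipaddress", "dstipaddress")       # Query 2


def match_event(event: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (query_id, field, value) for every IOC hit in one event."""
    hits = []
    # Query 1 uses `like`, so treat the domain as a case-insensitive substring.
    for field in DOMAIN_FIELDS:
        value = event.get(field, "")
        if any(d in value.lower() for d in IOC_DOMAINS):
            hits.append(("Query 1", field, value))
    # Queries 2 and 3 use IN, so IPs and hashes are matched exactly.
    for field in IP_FIELDS:
        value = event.get(field, "")
        if value in IOC_IPS:
            hits.append(("Query 2", field, value))
    digest = event.get("sha256hash", "").lower()  # normalise case before lookup
    if digest in IOC_SHA256:
        hits.append(("Query 3", "sha256hash", digest))
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[Tuple[str, str, str]]]]:
    """Return (event_index, hits) for each event that matches at least one query."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"srcipaddress": "10.0.0.5", "dstipaddress": "97.64.81.119"},
    {"url": "https://amanda.protoflint.com/update"},
    {"sha256hash": "181CF6F9B656A946E7D4CA7C7D8A5002D3D407B4E89973ECAD60CEE028AE5AFA"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "8.8.8.8", "url": "https://example.com"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        for query_id, field, value in hits:
            print(f"event {idx}: {query_id} hit on {field}={value}")
```

    Note that the substring semantics of `like` will also match hosts such as a subdomain of amanda.protoflint.com, which mirrors the query's behaviour in the platform.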

    Reference:

    https://www.security.com/threat-intelligence/fog-ransomware-attack
