Fog Ransomware Hack Shows the Dark Side of "Legit" Tools—and Just How Far Ransomware Has Evolved
- Cyber Jill
- Jun 13
- 3 min read
In a rare twist that’s raising eyebrows across the cybersecurity community, the latest Fog ransomware attack didn’t just encrypt systems and vanish—it stuck around. And it did so using a mix of surprising, legitimate tools that point to an increasingly sophisticated and stealthy breed of cybercriminal.
The May 2025 incident, which hit a financial institution in Asia, is now being dissected for what may mark a major turning point in ransomware tactics. This wasn’t just another smash-and-grab: the attackers lingered inside the network for two weeks, established persistence after deploying ransomware, and used software like Syteca—a legitimate employee monitoring solution—to potentially surveil users and harvest credentials before unleashing the encryption payload.
“The real danger in this case isn’t the ransom note—it’s how Fog turns a simple screen-recorder into a hidden camera,” said Akhil Mittal, Senior Manager at Black Duck. “Business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot.”
A Toolset Straight Out of Red Teaming—Not Ransomware
Instead of relying solely on the usual offensive security tools like Cobalt Strike or Mimikatz, the Fog actors leaned heavily on lesser-known or dual-use tools rarely seen in ransomware campaigns. These included:
- GC2, a covert command-and-control tool that exfiltrates data using Google Drive or Microsoft SharePoint Lists.
- Stowaway, an open-source proxy used to sneak the Syteca client onto infected systems.
- Adaptix C2, an adversarial emulation framework seen as an open-source alternative to Cobalt Strike.
- Process Watchdog, which ensured that backdoors like GC2 stayed active by relaunching them if terminated.
“These actors are leveraging legitimate commercial software to carry out criminal activities,” said James Maude, Field CTO at BeyondTrust. “It significantly reduces their chances of detection by EDR solutions.”
Living Off the Land, But Not Like Before
The attack was notable for how deeply it embraced living-off-the-land techniques. Fog’s operators used PsExec and SMBExec for lateral movement, 7-Zip for archiving stolen data, and MegaSync to exfiltrate it. But what stood out was the way they handled Syteca—a tool never previously seen in ransomware incidents. Not only was it used for keylogging and screen capture, but the attackers also cleaned up after themselves, terminating its processes and deleting its configuration files to erase evidence.
“If HR software runs on a database server, that’s your warning sign,” Mittal added, urging teams to monitor for misplaced or misused business apps.
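Mittal's "HR software on a database server" heuristic and the Process Watchdog relaunch behaviour described above both reduce to simple checks over process-creation telemetry. The script below is an added example, not code from the article or from any vendor quoted in it; the host names, role labels, executable names and the approval policy are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical, not from the incident):
# (host, host role, ISO timestamp, image name, parent image name)
EVENTS = [
    ("DB-SQL01", "database",    "2025-05-20T02:10:05", "syteca_agent.exe", "stowaway.exe"),
    ("HR-WS17",  "workstation", "2025-05-20T09:00:00", "syteca_agent.exe", "services.exe"),
    ("DB-SQL01", "database",    "2025-05-20T02:11:00", "gc2.exe",          "watchdog.exe"),
    ("DB-SQL01", "database",    "2025-05-20T02:11:20", "gc2.exe",          "watchdog.exe"),
    ("DB-SQL01", "database",    "2025-05-20T02:11:45", "gc2.exe",          "watchdog.exe"),
    ("FS-01",    "fileserver",  "2025-05-20T03:00:00", "megasync.exe",     "explorer.exe"),
]

# Hypothetical deployment policy: on which host roles each business tool is sanctioned.
# An empty set means the tool is not sanctioned anywhere in this environment.
APPROVED_ROLES = {
    "syteca_agent.exe": {"workstation"},
    "megasync.exe": set(),
}

RELAUNCH_THRESHOLD = 3              # starts of the same image on one host ...
RELAUNCH_WINDOW = timedelta(minutes=2)  # ... inside this window looks like a watchdog


def misplaced_business_apps(events):
    """Flag sanctioned business tools launched on a host role they are not approved for."""
    findings = []
    for host, role, _ts, image, parent in events:
        allowed = APPROVED_ROLES.get(image.lower())
        if allowed is not None and role not in allowed:
            findings.append(f"{host}: {image} (role={role}) launched by {parent}")
    return findings


def watchdog_relaunches(events):
    """Flag an image started repeatedly on the same host within a short window."""
    starts = defaultdict(list)
    for host, _role, ts, image, _parent in events:
        starts[(host, image.lower())].append(datetime.fromisoformat(ts))
    findings = []
    for (host, image), times in starts.items():
        times.sort()
        for i in range(len(times) - RELAUNCH_THRESHOLD + 1):
            if times[i + RELAUNCH_THRESHOLD - 1] - times[i] <= RELAUNCH_WINDOW:
                findings.append(f"{host}: {image} started {RELAUNCH_THRESHOLD}x within {RELAUNCH_WINDOW}")
                break
    return findings


if __name__ == "__main__":
    for line in misplaced_business_apps(EVENTS) + watchdog_relaunches(EVENTS):
        print("ALERT", line)
```

Against the constructed events this raises alerts for the monitoring agent on the database server, the unsanctioned sync client on the file server, and the three-in-a-row relaunch of the same image by a parent process.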
Ransomware or Espionage—Or Both?
Analysts are debating whether this was even a conventional ransomware incident. The persistence mechanisms established post-encryption are inconsistent with smash-and-grab tactics. One possible theory: the ransomware was a smokescreen to distract from deeper surveillance or espionage efforts.
“When common tools, platforms, or infrastructure are used, we gain confidence as defenders in our hypothesis on which threat actor group we're dealing with,” said Trey Ford, CISO at Bugcrowd. “The appearance of new toolkits could speak to the evolution of existing actors—or a newly formed group emerging.”
A New Normal for Cyber Defenders?
Fog has evolved significantly since its discovery in 2024, when it primarily targeted U.S. schools. From exploiting VPN credentials and vulnerable Veeam servers to mocking Elon Musk’s Department of Government Efficiency in ransom notes, Fog's trajectory has steadily escalated in complexity—and unpredictability.
According to Maude, what enables these actors isn't zero-days, but overprivileged users and a failure to manage application controls. “The core principle has not changed,” he said. “They are simply reliant on overprivileged, under-controlled endpoints and the fact that legitimate applications can be used for nefarious purposes.”
His advice: drop the assumption that one compromised endpoint equals one compromised user. Look at the blast radius—connected accounts, SaaS privileges, cloud integrations—and assume the worst.
What This Means for Security Teams
The Fog incident is a stark warning: the next ransomware attack on your network may not start with malware, but with an HR tool. And once the attackers are in, you might not know they’re there—even after they lock your files.
“We should expect the use of ordinary and legitimate corporate software as the norm,” Ford added. “Why would an attacker introduce new software and increase the likelihood of detection when ‘allowable’ software gets the job done?”
Security leaders are now being advised to:
- Remove local admin privileges wherever possible.
- Implement tight application control policies.
- Shift from persistent VPN access to just-in-time access.
- Monitor the entire identity—not just accounts—for signs of compromise.
Because if the Fog campaign proves anything, it’s that the lines between tools for productivity and tools for attack are blurrier than ever. And the attackers? They’re counting on us not noticing the difference.