FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

The ransomware payload embedded in the discovered samples has been verified as FOG ransomware and is detected as Ransom.Win32.FOG.SMYPEFG. All discovered variants carry the same payload and differ only in the key used to decrypt it.
Conclusion and security recommendations
FOG ransomware is a relatively new ransomware family that enterprises must add to their watchlist. Regardless of the origins and motivations behind the FOG ransomware samples we investigated, whether executed by the original operators using DOGE references for trolling purposes or by other actors embedding FOG ransomware into their binaries for impersonation, the impact of a successful ransomware attack could still potentially cost enterprises financial loss and operational disruption.
Outpace ransomware threats by monitoring indicators of compromise (IoCs) as part of a proactive cybersecurity defense. This approach allows for early detection of threats, strengthens security measures, supports forensic investigations, and disrupts the activities of cybercriminals. For researchers, tracking IoCs offers valuable insights into attack patterns, which can help them develop more effective threat prevention strategies. SOCs should make full use of tools that enable and help automate these tasks.
Enterprises can also implement the following security best practices:
- Maintain up-to-date, secure backups of all critical data. Regularly test restoration processes to ensure data can be recovered quickly in the event of an attack.
- Implement network segmentation to limit the spread of ransomware across your organization. By isolating sensitive data and critical systems, you can prevent widespread damage.
- Regularly update and patch operating systems, application software, and other applications to close vulnerabilities that attackers could exploit.
- Conduct regular training sessions for employees to recognize phishing attempts and suspicious links.
Proactive security with Trend Vision One™
Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you can eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.
Trend Vision One Threat Intelligence
To stay ahead of evolving threats, Trend Vision One customers can access a range of Intelligence Reports and Threat Insights. Threat Insights helps customers stay ahead of cyber threats before they happen and allows them to prepare for emerging threats by offering comprehensive information on threat actors, their malicious activities, and their techniques. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and effectively respond to threats.
Trend Vision One Intelligence Reports App [IOC Sweeping]
Fog Ransomware Concealed Within ‘Trolling DOGE’ Binary Loader
Trend Vision One Threat Insights App
Emerging Threats: Fog Ransomware Concealed Within Trolling DOGE Binary Loader
Hunting Queries
Trend Vision One customers can use the Search App to match or hunt for the malicious indicators mentioned in this blog post in data from their environment.
eventSubId: 101 AND objectFilePath: RANSOMNOTE.txt
Encrypted File Activity Detected (*.flocked)
eventSubId: 109 AND objectFilePath: /\.flocked$/
Ransomware Note Dropped in System Folders (readme.txt)
eventSubId: 101 AND objectFilePath: /Users\\(Default|Public)\\.*readme.txt/
More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.
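The three hunting queries above all reduce to the same idea: file-path telemetry matched against the ransom note name and the .flocked extension. As an added example (not Trend Micro's code and not the Search App's query engine), the Python below applies equivalent regex rules to a few constructed file events so a SOC can test the logic offline; the field names and eventSubId values are taken from the queries as printed (the page does not define what each eventSubId means), the endpointHostName field and the burst threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import Counter

# Rules mirroring the hunting queries in the post. eventSubId values are copied
# from the queries; the page does not define their exact semantics.
RULES = [
    ("ransomware_note_RANSOMNOTE", 101, re.compile(r"(^|[\\/])RANSOMNOTE\.txt$", re.I)),
    ("encrypted_file_flocked", 109, re.compile(r"\.flocked$", re.I)),
    ("note_in_user_folders", 101, re.compile(r"Users\\(Default|Public)\\.*readme\.txt$", re.I)),
]

def match_event(event):
    """Return the names of all rules a single telemetry event satisfies."""
    path = event.get("objectFilePath", "")
    return [name for name, sub_id, rx in RULES
            if event.get("eventSubId") == sub_id and rx.search(path)]

def hunt(events, burst_threshold=3):
    """Apply the rules to a list of events.

    Returns (hits, bursts): hits maps rule name -> count; bursts lists hosts whose
    .flocked event count reached burst_threshold, a simple heuristic (assumed for
    this example) separating mass encryption from a single renamed file."""
    hits = Counter()
    flocked_per_host = Counter()
    for ev in events:
        for name in match_event(ev):
            hits[name] += 1
            if name == "encrypted_file_flocked":
                flocked_per_host[ev.get("endpointHostName", "?")] += 1
    bursts = sorted(h for h, n in flocked_per_host.items() if n >= burst_threshold)
    return dict(hits), bursts

# Constructed sample telemetry (not real indicators from the post).
SAMPLE_EVENTS = [
    {"eventSubId": 101, "endpointHostName": "ws01", "objectFilePath": r"C:\Users\Public\readme.txt"},
    {"eventSubId": 101, "endpointHostName": "ws01", "objectFilePath": r"C:\Users\Default\Desktop\readme.txt"},
    {"eventSubId": 101, "endpointHostName": "ws01", "objectFilePath": r"C:\Temp\RANSOMNOTE.txt"},
    {"eventSubId": 109, "endpointHostName": "ws01", "objectFilePath": r"C:\Users\alice\Documents\q1.xlsx.flocked"},
    {"eventSubId": 109, "endpointHostName": "ws01", "objectFilePath": r"C:\Users\alice\Documents\q2.docx.flocked"},
    {"eventSubId": 109, "endpointHostName": "ws01", "objectFilePath": r"D:\share\plan.pdf.flocked"},
    {"eventSubId": 109, "endpointHostName": "ws02", "objectFilePath": r"C:\Users\bob\notes.txt.flocked"},
    {"eventSubId": 101, "endpointHostName": "ws02", "objectFilePath": r"C:\Users\bob\readme.txt"},  # not Default/Public
    {"eventSubId": 109, "endpointHostName": "ws02", "objectFilePath": r"C:\Users\bob\flocked_sheep.txt"},  # no hit
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

Run against the sample events, the RANSOMNOTE rule fires once, the .flocked rule four times and the readme rule twice, and only ws01 crosses the burst threshold.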
Indicators of Compromise (IoC)
Download the list of IoCs here.