Researchers Reveal Use of Uncommon Tools by Fog Ransomware in Recent Financial Sector Attack

Tuesday, June 17, 2025

Researchers from Symantec have disclosed a targeted attack carried out in May 2025 by the Fog ransomware group against a financial company in Asia. The attackers used a combination of penetration-testing tools and employee-monitoring software rarely seen in ransomware operations, including Syteca, GC2, Adaptix and Stowaway. Notably, they also created a service on the compromised network to keep access after the ransomware had been deployed, an unusual step for ransomware actors and one that points to a planned, long-term operation. The attackers remained undetected on the target's network for about two weeks before deploying the ransomware payload.

Since first being observed in May 2024, Fog Ransomware has continually evolved its tactics:

  • Early activity involved exploiting compromised VPN credentials.
  • By late 2024, the group began leveraging critical vulnerabilities, including CVE-2024-40711 in Veeam VBR (CVSS score: 9.8).
  • In April 2025, they shifted to phishing campaigns, even attempting to convince victims to help spread the malware in exchange for free decryption keys.

Fog’s ransom notes also featured satirical references to Elon Musk’s DOGE organization, suggesting an intent to mock and psychologically pressure victims.

While the exact entry point in the latest incident remains unconfirmed, researchers suspect it may be linked to a compromised Exchange Server. Particularly noteworthy is the group’s choice of rare and stealthy tools:

  • GC2: an open-source backdoor that receives commands and exfiltrates data through Google Sheets or SharePoint, so its traffic blends in with legitimate cloud use.
  • Syteca: a commercial employee-monitoring product (formerly Ekran System), used here to record screen activity and keystrokes on compromised hosts.
  • Stowaway: an open-source multi-hop proxy tool, used to deliver Syteca onto the target network.
  • Adaptix C2: an open-source command-and-control framework; FreeFileSync and MegaSync: legitimate file-sync utilities used for data exfiltration; Process Watchdog: a process-monitoring utility used to maintain covert control of compromised systems.
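
Because every tool on this list is either a legitimate product or a public pentesting utility, signature-based antivirus is unlikely to stop it; a defender is better served hunting for the tool names in process-creation events and for the newly installed service the attackers used for persistence. The script below is an added illustration, not code from Symantec or from this article: the Windows event records are constructed, the "key=value" export format is an assumption, the keyword list is simply the tool names the article reports, and the "service image outside trusted roots" heuristic is my own, not an indicator published by the researchers.

```python
"""Hunt for the Fog intrusion toolset in Windows event records.

Added example (not from the Symantec report). The log lines are constructed,
the key=value export format is assumed, and the tool keywords come from the
names listed in the article; no published hashes or paths are used.
"""
import re
from dataclasses import dataclass

# Tool names attributed to the intrusion (lower-cased substring matches).
# The labels paraphrase the article's grouping of the tools and are not IOCs.
TOOL_KEYWORDS = {
    "syteca": "Syteca employee-monitoring agent",
    "gc2": "GC2 (Google Sheets / SharePoint C2)",
    "adaptix": "Adaptix C2 agent",
    "stowaway": "Stowaway proxy",
    "freefilesync": "FreeFileSync (exfiltration)",
    "megasync": "MegaSync (exfiltration)",
    "process watchdog": "Process Watchdog (covert control)",
}

# Heuristic (assumption): a freshly installed service whose binary lives
# outside these roots deserves a look, since the attackers persisted via a service.
TRUSTED_SERVICE_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class Finding:
    event_id: int
    host: str
    reason: str
    detail: str


# Constructed sample records: Security 4688 (process creation) and
# System 7045 (new service installed). Hostnames and paths are made up.
SAMPLE_EVENTS = [
    "EventID=4688 Host=WS-014 NewProcessName=C:\\Users\\jdoe\\AppData\\Local\\Temp\\stowaway_admin.exe ParentProcessName=C:\\Windows\\System32\\cmd.exe",
    "EventID=7045 Host=WS-014 ServiceName=WinUpdateSvc ImagePath=C:\\ProgramData\\svc\\agent.exe StartType=auto",
    "EventID=4688 Host=WS-014 NewProcessName=C:\\Program Files\\Syteca\\SytecaAgent.exe ParentProcessName=C:\\Windows\\System32\\services.exe",
    "EventID=7045 Host=DC-01 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe StartType=auto",
    "EventID=4688 Host=FS-02 NewProcessName=C:\\Users\\admin\\Downloads\\MEGAsyncSetup.exe ParentProcessName=C:\\Windows\\explorer.exe",
]

# A value runs until the next " Key=" token, so paths containing spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(KV_RE.findall(line))


def hunt(lines):
    """Return a Finding for each record that matches a tool name or the service heuristic."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = int(ev.get("EventID", 0))
        host = ev.get("Host", "?")
        if eid == 4688:
            image = ev.get("NewProcessName", "").lower()
            for keyword, label in TOOL_KEYWORDS.items():
                if keyword in image:
                    findings.append(Finding(eid, host, f"known tool: {label}", image))
                    break
        elif eid == 7045:
            path = ev.get("ImagePath", "").lower()
            if not path.startswith(TRUSTED_SERVICE_ROOTS):
                detail = f"{ev.get('ServiceName', '?')} -> {path}"
                findings.append(Finding(eid, host, "new service outside trusted roots", detail))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.host}: {f.reason} ({f.detail})")
```

Event ID 4688 is only emitted when process-creation auditing is enabled, and 7045 comes from the System log rather than the Security log, so both sources need to be forwarded to wherever this runs. The keyword match is deliberately loose: it catches the legitimate Syteca installer as well as a renamed copy under a temp directory, and a human still has to decide which is which.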

Symantec analysts believe this operation may have been driven primarily by cyber-espionage, with ransomware functioning as a cover and secondary revenue stream to support the attacker’s real objectives.

Source https://securityaffairs.com/178969/malware/unusual-toolset-used-in-recent-fog-ransomware-attack.html