In May 2025, incident responders at a regional bank in Southeast Asia stumbled upon a ransomware intrusion that looked nothing like the smash‑and‑grab playbooks they were used to. Instead of Cobalt Strike, Mimikatz or custom droppers, the adversary, operators of the Fog ransomware, stitched together a workbench of legitimate admin utilities and niche open‑source red‑team projects. Because every binary had a plausible reason to exist in an enterprise network, most endpoint detection rules simply looked away.
Over the following two weeks the attackers quietly mapped the environment, stole credentials, exfiltrated sensitive archives and, finally, encrypted every production server, including the bank’s Hyper‑V disks, before leaving a double‑extortion note. By the time security tools began to scream, the dwell‑time clock read 14 days.
Fog Ransomware in Context
First documented in May 2024, Fog ransomware built its reputation on opportunistic hits against universities and regional hospitals in the United States. The gang’s hallmark is speed: once domain‑admin privileges are in hand, every Windows endpoint, virtual machines included, goes dark within minutes. Later campaigns broadened Fog’s scope to finance and manufacturing, often beginning with stolen VPN credentials or flaws in internet‑facing software such as the September 2024 Veeam Backup & Replication bug (CVE‑2024‑40711) and unpatched SonicWall SSL‑VPN gateways.
Inside the Breach
Initial foothold: Exchange servers light up
Investigators could not pinpoint patient zero, but two on‑premises Exchange servers were the first machines to act out of character. Late on a Sunday night they established outbound HTTPS sessions to an innocuous‑looking Google Sheets document and opened a SOCKS5 tunnel through Stowaway, an open‑source multi‑hop proxy tool the attackers would lean on for the rest of the operation.
Stealthy reconnaissance via GC2
For the next three days those Exchange hosts issued a steady drip of commands (whoami, net user, ipconfig /all) through GC2, an open‑source implant that carries tasking and output inside Google Sheets or Microsoft SharePoint API calls rather than a bespoke C2 protocol. Because the bank’s own staff already worked heavily in Microsoft 365 and similar SaaS platforms, the queries melted into normal telemetry and triggered no alarms.
Credential theft with Syteca
Day five marked the shift from observation to action. The intruders copied Syteca (formerly Ekran System), a commercial employee‑monitoring product, into C:\Program Files\Ekran System under the bland filename update.exe. Once launched, its key‑logging and screen‑capture features harvested RDP passwords and NTLM hashes, handing Fog operators the keys to the kingdom.
Lateral expansion through familiar tools
Armed with those credentials, the attackers pivoted laterally. SMBExec and PsExec, administrative workhorses few blue teams dare to block, were used to push their service binaries into the ADMIN$ shares of eight domain controllers and thirty‑one Windows servers. Each hop also installed Syteca and a lightweight beacon from the open‑source Adaptix C2 framework, giving the adversary redundant communication paths.
Data staging and silent exfiltration
By day eleven the crew began compressing HR records, project documents and SQL exports with 7‑Zip. The archives, some of them tens of gigabytes in size, left the network over MegaSync links that blended with legitimate cloud‑storage traffic. No single transfer was large enough to cross the data‑loss‑prevention thresholds.
Final act: encryption and built‑in persistence
Shortly after midnight on day fourteen the Fog payload detonated, encrypting both physical hosts and the .vhdx virtual‑machine disks on the Hyper‑V servers. Moments later a new Windows service, SecurityHealthIron, appeared. Its only job was to relaunch the GC2 beacon every 15 minutes, ensuring that even after the ransom notes had been dropped the attackers retained a beachhead.
How Everyday Software Became a Weapon
The breach succeeded not through zero‑days or exotic malware but by bending familiar utilities to malicious ends:
- Syteca — key‑logging and screen capture that harvested credentials without tripping alarms.
- GC2 — a covert command channel disguised as harmless Google Sheets or SharePoint traffic.
- Stowaway — a SOCKS5 relay that hid the real command‑and‑control infrastructure.
- SMBExec & PsExec — the lateral‑movement workhorses that planted implants across subnets.
- Adaptix C2 — a lightweight beacon that re‑establishes access if primary implants are killed.
- 7‑Zip, MegaSync and FreeFileSync — everyday compression and sync tools pressed into service for staging and exfiltration.
None of these binaries triggered high‑risk verdicts, illustrating how adept modern ransomware actors have become at “living off the land, plus one.”
Defensive Measures That Can Help
Defenders can blunt similar attacks by focusing on five practical moves:
- Flag dual‑use binaries. Block or raise high‑severity alerts for Syteca, GC2, Stowaway, Adaptix C2 and other rarely used admin and red‑team tools. Because the intruders here renamed Syteca to update.exe, key those detections on file hash, code‑signing certificate and the PE original‑filename field rather than on the on‑disk name.
- Monitor SaaS telemetry. Baseline Google Workspace and Microsoft 365 API usage per host; investigate hosts that suddenly surge in Sheets or SharePoint calls, and servers such as Exchange that have no business talking to those APIs at all.
- Tighten the perimeter. Enforce multi‑factor authentication on every VPN gateway and patch appliances such as SonicWall and Veeam within 48 hours of vendor release.
- Detect pass‑the‑hash. Correlate Event ID 4776 (NTLM credential validation on the domain controller) and Event ID 4624 with logon type 3 and the NTLM authentication package on member servers with remote‑execution artefacts such as the Event ID 7045 service installs that PsExec and SMBExec leave behind.
- Harden backups. Maintain at least one immutable or offline copy isolated from the production network, and make sure it covers the Hyper‑V .vhdx files, since the encryptor targeted them directly.
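A worked illustration of the SaaS‑telemetry baseline recommended above. This is an added example, not code from the original write‑up or from any of the tools it names: it counts daily CONNECTs to Google Sheets and SharePoint API endpoints per host in a constructed proxy log and flags any host whose latest day is far above its own history, or that had never called those APIs before (the Exchange‑server pattern from the breach). The log format, host names, IP addresses and daily counts are all invented for the example.

```python
# Added example (not part of the original incident write-up): per-host
# baseline of Google Sheets / SharePoint API calls from a constructed proxy log.
from collections import defaultdict
from statistics import mean, pstdev

# Destinations that GC2-style channels would talk to; suffix match for tenants.
WATCHED_HOSTS = ("sheets.googleapis.com", "docs.google.com", ".sharepoint.com")
MIN_DELTA = 20   # ignore small absolute jumps on low-volume hosts
SIGMA = 3.0      # how many standard deviations above the host's own mean counts as a surge


def parse_line(line):
    """'2025-05-11T09:15:02Z EXCH01 10.20.1.5 CONNECT sheets.googleapis.com:443'
    -> (day, host, destination host), or None if the destination is not watched.
    The five-column layout is an assumed proxy export format."""
    ts, host, _ip, _method, dest = line.split()
    dest_host = dest.rsplit(":", 1)[0]
    if not any(dest_host == w or dest_host.endswith(w) for w in WATCHED_HOSTS):
        return None
    return ts[:10], host, dest_host


def daily_counts(lines):
    """host -> day -> number of watched API connections."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            day, host, _dest = parsed
            counts[host][day] += 1
    return counts


def flag_anomalies(lines, sigma=SIGMA, min_delta=MIN_DELTA):
    """Compare each host's latest day against its earlier days. Hosts with no
    history at all (mean 0) are reported as 'new talker', others as 'surge'."""
    counts = daily_counts(lines)
    days = sorted({d for per_host in counts.values() for d in per_host})
    if len(days) < 2:
        return []  # nothing to baseline against yet
    today, history = days[-1], days[:-1]
    findings = []
    for host, per_day in counts.items():
        past = [per_day.get(d, 0) for d in history]   # missing days count as 0
        current = per_day.get(today, 0)
        base, spread = mean(past), pstdev(past)
        threshold = base + max(sigma * spread, min_delta)
        if current > threshold:
            findings.append({"host": host, "day": today, "count": current,
                             "baseline_mean": round(base, 1),
                             "reason": "new talker" if base == 0 else "surge"})
    return sorted(findings, key=lambda f: -f["count"])


def build_sample_log():
    """Constructed eight-day log: WKS-042 is a normal heavy Sheets user, SRV-FS-01
    makes a handful of SharePoint calls, and EXCH01 never touched these APIs
    until day 8. Unwatched destinations are mixed in to show they are ignored."""
    lines = []
    for day in range(1, 9):
        stamp = f"2025-05-{10 + day:02d}T09:00:00Z"
        lines += [f"{stamp} WKS-042 10.20.7.42 CONNECT sheets.googleapis.com:443"] * (200 + day % 3)
        lines += [f"{stamp} SRV-FS-01 10.20.3.5 CONNECT corp.sharepoint.com:443"] * (5 + (day == 8))
        lines += [f"{stamp} SRV-FS-01 10.20.3.5 CONNECT api.github.com:443"] * 40
        if day == 8:
            lines += [f"{stamp} EXCH01 10.20.1.5 CONNECT sheets.googleapis.com:443"] * 340
    return lines


if __name__ == "__main__":
    for finding in flag_anomalies(build_sample_log()):
        print(finding)
```

The absolute floor (MIN_DELTA) matters more than the sigma term for servers that normally make zero or a handful of calls, which is exactly the population a mail or file server belongs to; tune both against a week of real proxy data before turning the rule into an alert.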
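The pass‑the‑hash correlation from the list above, as an added example that is not from the original write‑up: a small rule that walks Windows events in time order and reports every Event ID 7045 service install that was preceded, within a short window on the same host, by an NTLM network logon (4624, logon type 3), scoring higher when a matching 4776 was seen on a domain controller and when the service name is one PsExec or impacket’s smbexec installs by default. Field names follow the Windows Security and System event schemas; the flat dict layout, host names, accounts and timestamps are constructed for the example, in the shape a SIEM export might take.

```python
# Added example (not part of the original incident write-up): correlate
# 4776 / 4624 (NTLM, logon type 3) / 7045 into a pass-the-hash + remote-exec finding.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Default service names installed by PsExec and by impacket's smbexec respectively.
KNOWN_REMOTE_EXEC_SERVICES = {"PSEXESVC", "BTOBTO"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW):
    """Return one finding per 7045 service install that follows an NTLM network
    logon on the same host within `window`. A 4776 for the same account on a DC
    and a known remote-execution service name each raise the score."""
    ntlm_logons = defaultdict(list)     # host -> [(time, user, source ip)]
    dc_validations = defaultdict(list)  # user -> [(time, dc host)]
    findings = []
    for e in sorted(events, key=lambda ev: _ts(ev["TimeCreated"])):
        t, eid, host = _ts(e["TimeCreated"]), e["EventID"], e["host"]
        if (eid == 4624 and e.get("LogonType") == 3
                and e.get("AuthenticationPackageName") == "NTLM"):
            ntlm_logons[host].append((t, e["TargetUserName"], e.get("IpAddress", "-")))
        elif eid == 4776:
            dc_validations[e["TargetUserName"]].append((t, host))
        elif eid == 7045:
            recent = [l for l in ntlm_logons[host] if t - window <= l[0] <= t]
            if not recent:
                continue  # service install with no NTLM network logon before it
            logon_time, user, src_ip = recent[-1]
            validated_on_dc = any(t - window <= v[0] <= t for v in dc_validations[user])
            service = e.get("ServiceName", "")
            score = 50
            if validated_on_dc:
                score += 30
            if service.upper() in KNOWN_REMOTE_EXEC_SERVICES:
                score += 20
            findings.append({
                "host": host, "user": user, "source_ip": src_ip,
                "service": service, "image_path": e.get("ImagePath", ""),
                "logon_to_install_seconds": int((t - logon_time).total_seconds()),
                "validated_on_dc": validated_on_dc, "score": score,
            })
    return findings


# Constructed sample: one PsExec-style chain, a Kerberos logon, a vendor agent
# install with no NTLM logon nearby, and an NTLM logon too far from any install.
SAMPLE_EVENTS = [
    {"EventID": 4624, "host": "SRV-FIN-07", "TimeCreated": "2025-05-18T00:40:11Z",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "alice", "IpAddress": "10.20.7.30"},
    {"EventID": 4776, "host": "DC01", "TimeCreated": "2025-05-18T01:02:03Z",
     "TargetUserName": "svc_backup", "Workstation": "EXCH01"},
    {"EventID": 4624, "host": "SRV-FIN-07", "TimeCreated": "2025-05-18T01:02:04Z",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc_backup", "IpAddress": "10.20.5.11"},
    {"EventID": 7045, "host": "SRV-FIN-07", "TimeCreated": "2025-05-18T01:02:09Z",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4624, "host": "SRV-HR-02", "TimeCreated": "2025-05-18T00:05:00Z",
     "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "scanner", "IpAddress": "10.20.9.9"},
    {"EventID": 7045, "host": "SRV-HR-02", "TimeCreated": "2025-05-18T01:30:00Z",
     "ServiceName": "VendorAgent", "ImagePath": r"C:\Program Files\Vendor\Agent.exe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately does not require the service name to match: a renamed PsExec or a custom SMBExec service still produces the NTLM‑logon‑then‑7045 sequence, so the name only adds confidence. Add 4697 (security‑log service install) alongside 7045 where that audit policy is enabled, and expect to tune the window against legitimate patch‑management agents that also install services over NTLM.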
Final Thoughts
The Fog ransomware campaign demolishes the old assumption that ransomware hinges on bespoke malware. When yesterday’s help‑desk utilities become the loaders, beacons and data mules of today’s extortion crews, defenders must pivot from signature‑based controls to contextual visibility. Expand watchlists to include obscure admin tools, scrutinise SaaS telemetry for anomalies and enforce airtight patch and credential hygiene; only then can an organisation lift the fog before it settles into every corner of the network.