
FOG Ransomware: An Emerging Threat Built on Repurposed Tools and Pressure Tactics

FOG is a relatively new ransomware group on the scene, but it’s already making noise by combining recycled ransomware code with bold, high-pressure extortion techniques.


While it doesn't yet have the name recognition of LockBit or BlackBasta, FOG is growing in visibility—partly because it’s leveraging tools, tactics, and infrastructure borrowed from now-defunct or splintered groups.

At STORM Guidance, we help organisations understand and respond to ransomware groups like FOG before they become household names—because emerging groups often strike hardest while flying under the radar.


 

How FOG Ransomware Operates


FOG isn’t reinventing the wheel—but it’s refining tactics that already work.


Their approach centres on:

  • Initial access through phishing campaigns or previously leaked credentials

  • Use of known tools, such as Cobalt Strike or PsExec, for lateral movement

  • Encryption of business-critical systems, with a unique extension and tailored ransom note

  • Exfiltration of sensitive data, followed by direct pressure on leadership teams

  • Leak site threats, naming victims and publishing partial data dumps if negotiations stall


Despite being new, FOG shows signs of experienced hands—suggesting this is not a first-time operation, but a rebrand or spin-off from more established groups.


 

Who FOG Is Targeting


FOG’s targets so far include:

  • Professional services firms, especially legal and consulting

  • Mid-sized enterprises with limited cyber defences

  • Businesses with exposed RDP or remote access services

  • Organisations holding high volumes of confidential client or IP-related data


Their selection suggests a deliberate approach focused on data leverage and reputational damage.


 

How to Protect Your Business from FOG Ransomware


✅ Patch VPNs, RDP, and third-party applications regularly

✅ Monitor for unauthorised access and lateral movement

✅ Enforce multi-factor authentication on all remote services

✅ Train staff to detect spear phishing and social engineering

✅ Maintain and test isolated backups frequently

✅ Develop a ransomware-specific incident response playbook


 

If Your Organisation Is Targeted by FOG


If you're dealing with a FOG ransomware incident:

  • Disconnect impacted systems to limit spread

  • Preserve ransomware notes, logs, and system snapshots

  • Do not respond to attacker communication without expert support

  • Engage legal, compliance, and communications leads immediately


STORM Guidance offers:

✔ Rapid ransomware containment and forensic analysis

✔ Data exposure impact assessments

✔ Secure recovery planning and legal support

✔ Strategic guidance on negotiation and disclosure


 

FOG: Low Profile, High Risk


FOG may not be a headline-grabbing name—yet—but it operates with the confidence of a group that knows exactly what it’s doing.

It’s a reminder that you don’t need to be famous to be dangerous, and that lesser-known groups can be just as damaging as the big players.

The best time to prepare for a threat like FOG is before they know your name. STORM Guidance is here to help you stay ready and respond effectively—no matter who’s behind the keyboard.


 
