
Fog Ransomware’s Impact
Fog ransomware is a cyberthreat targeting schools and financial organizations.
This type of double extortion ransomware doesn’t just lock up data; it also steals sensitive information to pressure victims into paying. First discovered in 2024, Fog’s attacks have increased in 2025, affecting both schools and banks.
The Fog ransomware group started off focusing exclusively on U.S. schools, exploiting their rather limited IT resources, but now they’ve moved to the financial sector as well.
Fog is one of the new ransomware groups of 2025, showing how cybercriminals keep changing their methods to attack different industries.
The Origins of Fog Ransomware
Fog ransomware was first identified in April 2024, initially operating as a ransomware targeting higher education institutions in the United States. Roughly 70% of Fog’s early victims were schools or universities. These attacks often exploited compromised VPN credentials in college networks to gain entry.
But by mid-2024, Fog’s operators pivoted beyond academia into the financial world, drawn by the prospect of larger payouts and more sensitive data. Late-2024 incidents saw Fog breaching financial organizations with similar tactics, proving it was not confined to the education sector.
How Fog Ransomware Operates
Technical analysis of Fog ransomware reveals a multi-stage attack.
Initial access typically begins with stolen VPN credentials – a credential compromise that lets attackers slip past network defenses. Once inside, Fog’s operators quickly escalate privileges, often using pass-the-hash attacks against administrator accounts to seize control.
After gaining elevated access, the attackers establish persistence by opening RDP connections to servers and using credential stuffing techniques to move laterally. They deploy tools like Microsoft PsExec for remote execution and run port scans with utilities such as Advanced Port Scanner to map the network. In some cases, they have even leveraged Metasploit during their intrusions.
With the network surveyed, Fog prepares its payload. The malware neutralizes defenses as a priority – disabling security tools like Windows Defender to avoid detection. It then encrypts files across local and network drives. Fog targets a wide range of data and is especially disruptive to virtual infrastructure; it encrypts virtual machine disk files (VMDKs) and deletes associated backups, crippling services.
Encrypted files are appended with extensions such as “.fog” or “.flocked,” marking them as locked. Simultaneously, Fog wipes out backups to hinder recovery – deleting Volume Shadow Copies via vssadmin and purging any accessible backups or snapshots.
Finally, after encryption, Fog drops a ransom note on each affected system. Infected directories receive a file named readme.txt with instructions for the victim, including a link to a Tor hidden service for communication with the attackers.
Education and Finance Under Siege
Fog’s campaigns have hit multiple industries, but its impact on education and finance has been particularly severe. In schools and universities, Fog exemplified the threat of ransomware in education. Its operators exploited poorly secured remote access (VPN/RDP) in these environments, allowing them to infiltrate and encrypt campus networks with relative ease.
More recently, Fog set its sights on banks and financial services, becoming a dangerous ransomware strain in finance. Financial organizations are lucrative targets due to the sensitive data they hold and the high cost of downtime. Fog’s expansion into the financial sector was evident by late 2024, when the group started breaching companies in banking and finance using its standard playbook (as mentioned above).
A single breach can lock up millions of customer records and disrupt core services. The threat of confidential financial data being exposed online, as part of Fog’s double extortion scheme, also puts immense pressure on victims in this sector to pay the ransom.
Double Extortion Tactics and Data Leak Sites
Fog ransomware uses the double extortion model now common among top-tier ransomware gangs: its operators don’t stop at encryption – they also exfiltrate data from the victim’s network before locking files. If the victim refuses to pay, the attackers threaten to publish the stolen information on their dark web leak site (a data leak site, or DLS).

Figure 1: An image of The Fog Blog
Fog’s hidden site, aptly nicknamed “The Fog Blog,” lists victim organizations and posts stolen data to pressure them. This name-and-shame tactic means that even if an organization can restore from backups, it still faces a reputation-damaging data breach. These double extortion methods have become a hallmark of Fog’s operations, maximizing leverage by combining encryption with data leaks.

Indicators of Compromise and Detection
Known indicators of compromise for Fog include the sudden appearance of strange file extensions and ransom notes. Files encrypted by Fog will have extensions like “.fog”, “.ffog”, or “.flocked”, which immediately stand out.
A ransom note named readme.txt in numerous folders is another giveaway – these notes explicitly mention “Fog” and provide Tor contact instructions.
Administrators should also watch for hacker tools turning up unexpectedly; for instance, if Advanced Port Scanner or PsExec processes are found on systems where they’re not normally used, it could indicate Fog’s operators are active in the environment.
On the detection side, comprehensive monitoring across endpoints and servers is the foundation for detecting ransomware activity in a network. Security teams should set alerts for mass file modifications or encryption-like activity, as well as any attempt at volume shadow copy deletion (e.g. running vssadmin delete shadows).
Unusual internal network scanning or large, unexplained data transfers may signal Fog’s recon and exfiltration phases. By tuning intrusion detection systems to Fog’s known patterns and hunting for these IOCs, defenders have a better chance to catch an attack early – ideally before the ransomware payload executes.
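The following hunt script is an added example, not code from the original article or from BlackFog: it runs the indicators listed above (Fog file extensions, readme.txt ransom notes, vssadmin shadow deletion, and PsExec or Advanced Port Scanner on hosts where they are not expected) over constructed endpoint telemetry. The event shape, host names and alert thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Extensions the article attributes to Fog-encrypted files, plus the ransom note name.
FOG_EXTENSIONS = (".fog", ".ffog", ".flocked")
RANSOM_NOTE = "readme.txt"
# Admin tools the article says turn up unexpectedly during Fog intrusions.
SUSPECT_TOOLS = ("psexec.exe", "advanced_port_scanner.exe")
# Shadow-copy deletion, e.g. "vssadmin delete shadows /all /quiet".
VSSADMIN_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)
MASS_ENCRYPT_THRESHOLD = 5  # assumed: Fog-extension writes per host before alerting


def hunt(events, allowed_tool_hosts=frozenset()):
    """Return (severity, host, reason) findings. Each event is a dict with type
    ("file" or "process"), host, and path (file) or image + cmdline (process)."""
    findings = []
    renamed = Counter()  # per-host count of files written with Fog extensions
    for ev in events:
        host = ev["host"]
        if ev["type"] == "file":
            path = ev["path"].lower()
            if path.endswith(FOG_EXTENSIONS):
                renamed[host] += 1
            elif path.rsplit("\\", 1)[-1] == RANSOM_NOTE:
                findings.append(("high", host, f"ransom note dropped: {ev['path']}"))
        elif ev["type"] == "process":
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if VSSADMIN_DELETE.search(ev.get("cmdline", "")):
                findings.append(("critical", host, "shadow copy deletion: " + ev["cmdline"]))
            elif image in SUSPECT_TOOLS and host not in allowed_tool_hosts:
                findings.append(("medium", host, f"unexpected admin tool: {image}"))
    for host, n in renamed.items():
        if n >= MASS_ENCRYPT_THRESHOLD:
            findings.append(("critical", host, f"{n} files written with Fog extensions"))
    return findings


# Constructed sample telemetry (not real Fog artifacts): one workstation showing
# the full pattern, and one admin jump host where PsExec is legitimately used.
SAMPLE_EVENTS = (
    [{"type": "file", "host": "ws01", "path": f"C:\\Users\\a\\Docs\\report{i}.docx.flocked"} for i in range(6)]
    + [{"type": "file", "host": "ws01", "path": "C:\\Users\\a\\Docs\\readme.txt"},
       {"type": "process", "host": "ws01", "image": "C:\\Windows\\System32\\vssadmin.exe",
        "cmdline": "vssadmin.exe delete shadows /all /quiet"},
       {"type": "process", "host": "ws01", "image": "C:\\Temp\\PsExec.exe", "cmdline": "PsExec.exe \\\\fs01 cmd"},
       {"type": "process", "host": "jump01", "image": "C:\\Tools\\PsExec.exe", "cmdline": "PsExec.exe \\\\fs01 cmd"}]
)

if __name__ == "__main__":
    for sev, host, reason in hunt(SAMPLE_EVENTS, allowed_tool_hosts={"jump01"}):
        print(f"[{sev}] {host}: {reason}")
```

The allowlist keeps known admin jump hosts from generating tool alerts, so the same rule set can run across a whole fleet without drowning the analyst in expected PsExec use.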
Mitigation and Defense Measures
A combination of preventative steps can reduce the overall risk of a Fog ransomware incident:
- Use multi-factor authentication (MFA) on all remote access accounts (VPN, RDP, etc.) so that a stolen password alone can’t grant entry. This counters Fog’s intrusion method of using stolen credentials.
- Keep VPN gateways, servers, and all software fully up to date. Apply security patches promptly – especially for any internet-facing systems – to close vulnerabilities that Fog might exploit.
- Divide your network into closed or isolated segments and limit user permissions. Containing what an intruder can access (and requiring separate credentials for different systems) will slow or thwart Fog’s lateral movement.
- Use endpoint detection and response (EDR) tools to spot suspicious behavior (like credential dumping or unauthorized admin tools) and stop ransomware early.
- Maintain regular, offline backups of data and systems. By keeping backup copies off the network, you ensure that even if Fog encrypts data and wipes on-site backups, you can restore systems without paying.
With these five defenses in place, plus an incident response plan, organizations can harden their environment and disrupt Fog’s attack paths before the damage is done.
Staying Ahead of Fog Ransomware
Fog’s spread shows how fast new ransomware threats can impact different industries. What started as a problem for campus networks has now become a global threat to organizations.
To protect against Fog in 2025, security teams need to prepare for tactics like VPN credential theft and double extortion, ensuring their defenses stay ahead of these techniques.
By using multiple layers of security and promoting cyber awareness, even a threat like Fog ransomware can be spotted and stopped before it causes damage.
Concerned about Fog ransomware? Learn how BlackFog can help your organization stay ahead of ransomware threats at blackfog.com.