In May 2025, a ransomware attack on a financial institution in Asia deployed the Fog ransomware alongside an atypical toolset. Before deploying the ransomware, the attackers spent about two weeks inside the network, using the legitimate employee-monitoring software Syteca together with open-source pentesting and post-exploitation tools including GC2, Adaptix, and Stowaway for lateral movement, data theft, and command execution. Notably, they established persistence after the ransomware had been deployed, which is unusual for a purely financially motivated operation and suggests a possible espionage objective. Fog ransomware was first documented in May 2024, when it initially targeted U.S. educational institutions. The combination of the unusual toolset and post-deployment persistence sets this intrusion apart from typical ransomware operations and points to possible dual objectives of espionage and financial gain. Author: AlienVault
Related Tags:
pentesting tools
financial institution
employee monitoring software
unusual toolset
asia
T1569.001
fog
FoggyWeb – S0661
cve-2024-40711
Associated Indicators: