Prepared by: Nick Thanos | Published: 30 June 2026
Since mid-2024, a ransomware group called FOG has been targeting organisations across education, finance and recreation by stealing sensitive data, encrypting systems and publishing victim information on its dark web leak site. What sets FOG apart from most ransomware groups is what it chooses to publish: not just stolen data, but also the IP addresses of the victim's compromised devices, a deliberate tactic designed to increase the traceability and legal visibility of an incident and apply maximum pressure to pay. Active globally and observed directly by Triskele Labs across multiple incident response engagements in Australia, FOG operates under a ransomware-as-a-service (RaaS) model and has demonstrated a clear understanding that reputational and legal exposure can be a more powerful lever than encryption alone.
FOG emerged in early 2024 and was first publicly observed in July 2024. The group operates under a ransomware-as-a-service model, where a core operator provides ransomware infrastructure and tooling to a network of affiliates who conduct intrusions in exchange for a share of ransom proceeds. This structure allows FOG to run campaigns across multiple targets simultaneously without core operators conducting every intrusion themselves.
The group's double extortion model follows the standard two-stage approach: before deploying encryption, affiliates exfiltrate sensitive data from the victim environment. Victims are then presented with two demands: pay to prevent release of that data on FOG's dark web leak site, a website hosted on the encrypted Tor network where ransomware groups publish stolen data from victims who decline to pay, and pay for a decryptor to restore access to encrypted systems.
What distinguishes FOG's leak site from those of most of its peers is the publication of victim IP addresses alongside stolen data. An IP address is a unique numerical label assigned to each device connected to a network; publishing it publicly increases the traceability of the incident, making it easier for regulators, legal parties and clients to identify affected infrastructure. This is a calculated escalation of the standard extortion formula. The more visible and traceable an incident becomes, the higher the likelihood of regulatory fines and reputational damage.
FOG primarily targets organisations in education, finance and recreation, sectors where data sensitivity and reputational exposure are high and where the consequences of a public breach are significant. Triskele Labs' engagements are consistent with financially motivated, opportunistic targeting rather than a deliberate regional strategy.
FOG has maintained a lower public profile since early 2025, with victim disclosures becoming less frequent than at the peak of the group's activity in 2024. This pattern is consistent with operational pauses seen across the ransomware ecosystem and should not be read as an indicator that the group has ceased activity; ransomware groups regularly cycle through periods of reduced visibility before resuming campaigns.
Across the incidents responded to by Triskele Labs, a consistent and methodical pattern of compromise emerged.
FOG's observed entry point is the use of valid credentials to access the environment via SSL VPN. A VPN, or Virtual Private Network, is a service that allows authorised users to connect securely to an organisation's internal network from outside the office. When VPN services lack Multi-Factor Authentication (MFA), a security control requiring users to verify identity through at least two methods such as a password and a one-time code, a stolen set of credentials is all a threat actor needs to walk straight in.
This is consistent with the broader Australian ransomware landscape. Exposed SSL VPN services without MFA were the single largest initial access vector across all Triskele Labs ransomware engagements in FY25, accounting for 23 incidents, up 64% from the previous year. In addition to credential-based VPN access, FOG has also been observed exploiting unpatched vulnerabilities in internet-facing applications, targeting software that has not been updated with the latest security patches as an alternative route into victim environments.
One of FOG's most defining early-stage behaviours is the deliberate disabling of security tooling before moving further into the environment. Across Triskele Labs' engagements, the tool TrueSightKiller was observed being executed shortly after initial access. TrueSightKiller is an exploit tool specifically designed to disable antivirus software, firewalls and Endpoint Detection and Response (EDR) solutions, the security software that monitors device behaviour continuously and alerts on suspicious activity. By neutralising these controls early, FOG operators significantly reduce the likelihood of detection during the subsequent stages of the intrusion.
This technique, classified under Impair Defences in the MITRE ATT&CK framework, reflects a deliberate sequencing: gain access, impair defences, then operate freely. Environments that rely on a single security layer and have no compensating monitoring controls are particularly exposed to this approach.
Once inside and with security tooling disabled, FOG affiliates move laterally through the environment using two techniques observed across Triskele Labs engagements. Remote Desktop Protocol (RDP), a Microsoft technology that allows a user to connect to and control a remote computer as though sitting in front of it, is used to traverse the network and reach high-value systems. SMB/Windows Admin Shares, a network file-sharing protocol built into Windows that allows systems to access shared folders and administrative resources across a network, provides an additional lateral movement path, allowing the threat actor to interact with remote systems and access data stores without deploying specialised tooling.
FOG operators harvest credentials from the Windows Credential Manager, a built-in Windows feature that stores usernames and passwords for websites, applications, and network resources to allow automatic sign-in. Extracting this stored credential material provides the threat actor with access to additional systems and services without needing to perform more complex credential dumping techniques and extends the reach of the intrusion with minimal additional effort.
Before encryption is deployed, FOG affiliates exfiltrate sensitive data including financial records, personal information and intellectual property. Data is transferred out of the environment over a symmetrically encrypted protocol separate from the group's primary command-and-control channel, a technique designed to reduce detection by security tools monitoring for unusual outbound traffic patterns.
The exfiltrated data serves two purposes: it provides the leverage for the primary extortion demand, and it supplies the content published on FOG's leak site. Critically, that published content includes not just the stolen data but the IP addresses of the victim's compromised devices, increasing the legal and regulatory visibility of the incident and amplifying the consequences of non-payment.
Encryption is the final stage and typically the first event that triggers visible disruption for the victim. FOG uses strong encryption algorithms to lock files across targeted systems, rendering them inaccessible and crippling operations until a ransom decision is made. Scheduled tasks, a Windows feature that runs programs automatically at defined times or intervals, are used to execute the ransomware payload. By the time encryption is deployed, data has already been exfiltrated and the IP address publication threat is already in play.
The consistent entry points and techniques observed across FOG engagements mean there are clear, actionable controls that reduce risk materially.
Enforce MFA across all external-facing services without exception.
FOG's observed entry point is a VPN service without Multi-Factor Authentication. Without MFA, stolen credentials are sufficient for full access. This single control, consistently applied to VPN gateways, Remote Desktop Gateway (RDG) servers and any other externally accessible service, would prevent the majority of observed FOG intrusions. Note that RDG servers do not natively support MFA; additional configuration is required beyond standard IT management arrangements, and organisations should seek specialist advice if uncertain whether their RDG is adequately protected.
Patch internet-facing systems promptly and maintain a current asset inventory.
FOG actively exploits unpatched vulnerabilities in internet-facing software as an alternative initial access method. A documented patch management programme with defined timelines for critical patches, typically 24 to 72 hours for actively exploited vulnerabilities on externally accessible systems, reduces the window of exposure. Where immediate patching is not possible, implement compensating controls such as taking the affected service offline or tightening network access until the vulnerability is remediated.
Deploy EDR with tamper protection enabled across every endpoint and server.
FOG's early use of TrueSightKiller to disable security tooling means that environments without tamper-protected EDR are effectively blind once this tool is executed. Endpoint Detection and Response solutions must be deployed consistently across all assets, with tamper protection enabled so the tooling cannot be disabled by an unauthorised process. Gaps in EDR coverage are gaps in visibility that FOG will find and use.
Monitor for known EDR-killing tooling.
TrueSightKiller is a known tool with documented behaviour. Security teams should build specific detections for its execution and for the broader class of EDR-disabling tools. Alerts on unexpected termination of security processes, changes to security service states, or the presence of known exploit tool signatures should be treated as high-priority indicators of an active intrusion.
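The detection logic described above, as an added example that is not part of the Triskele Labs report. It assumes Windows event IDs 7036 (service state change) and 4688 (process creation) are being collected; the protected service names (WinDefend, Sense) are illustrative, and the EDR-killer file name is a placeholder because the report does not give one.

```python
from dataclasses import dataclass, field

# Illustrative services to protect: WinDefend (Microsoft Defender Antivirus) and
# Sense (Defender for Endpoint); add your own EDR agent's service name.
SECURITY_SERVICES = {"WinDefend", "Sense"}
# Placeholder watch-list: populate from your threat-intelligence feed.
EDR_KILLER_TOOLS = {"edr-killer-placeholder.exe"}
CORRELATION_WINDOW = 300  # seconds: tool execution followed by a service stop

@dataclass
class Event:
    ts: int            # epoch seconds
    event_id: int      # 4688 = process creation, 7036 = service state change
    host: str
    fields: dict = field(default_factory=dict)

def detect(events):
    """Return (host, severity, reason) tuples; input need not be sorted."""
    alerts, tool_runs = [], {}  # tool_runs: host -> ts of last watch-listed execution
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 4688:
            image = ev.fields.get("image", "").rsplit("\\", 1)[-1].lower()
            if image in EDR_KILLER_TOOLS:
                tool_runs[ev.host] = ev.ts
                alerts.append((ev.host, "critical", f"known EDR-killing tool executed: {image}"))
        elif ev.event_id == 7036:
            svc, state = ev.fields.get("service"), ev.fields.get("state")
            if svc in SECURITY_SERVICES and state != "running":
                sev = "high"
                # Escalate when the stop follows a watch-listed tool on the same host:
                # the access -> impair defences -> operate sequence the report describes.
                if ev.host in tool_runs and ev.ts - tool_runs[ev.host] <= CORRELATION_WINDOW:
                    sev = "critical"
                alerts.append((ev.host, sev, f"security service {svc} entered {state} state"))
    return alerts

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    Event(1000, 4688, "WS01", {"image": r"C:\Windows\System32\notepad.exe"}),
    Event(1010, 4688, "WS01", {"image": r"C:\Users\Public\edr-killer-placeholder.exe"}),
    Event(1040, 7036, "WS01", {"service": "WinDefend", "state": "stopped"}),
    Event(1050, 7036, "WS01", {"service": "Spooler", "state": "stopped"}),
    Event(5000, 7036, "SRV02", {"service": "Sense", "state": "stopped"}),
    Event(6000, 7036, "SRV02", {"service": "Sense", "state": "running"}),
]

if __name__ == "__main__":
    for host, sev, reason in detect(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {host}: {reason}")
```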
Restrict and monitor RDP and SMB within the internal network.
FOG uses both RDP and SMB/Windows Admin Shares for lateral movement. Limit RDP access to only the systems and accounts that require it for legitimate purposes, enforce strong authentication for all RDP sessions and disable SMB access where it is not operationally required. Monitor for RDP and SMB activity outside normal patterns, particularly sessions initiated from unexpected source systems, at unusual hours, or targeting high-value infrastructure.
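An added example of the RDP and admin-share monitoring the paragraph calls for; it is not code from the report. It assumes Windows event 4624 with logon type 10 marks an RDP session and event 5140 marks access to a share; the high-value host names, business hours and sample events are constructed.

```python
from datetime import datetime

HIGH_VALUE_HOSTS = {"DC01", "FS01"}   # assumed: domain controller and file server
BUSINESS_HOURS = range(7, 19)         # assumed 07:00-18:59 local time

def normalise(ev):
    """Map a 4624 type-10 (RDP) logon or a 5140 admin-share access to a record, else None."""
    if ev["id"] == 4624 and ev.get("logon_type") == 10:
        kind = "rdp"
    elif ev["id"] == 5140 and ev.get("share", "").upper().endswith(("ADMIN$", "C$", "IPC$")):
        kind = "smb_admin"
    else:
        return None
    return {"kind": kind, "src": ev["src"], "dst": ev["host"], "user": ev["user"], "when": ev["when"]}

def learn_baseline(history):
    """(src, dst, kind) triples seen during a known-good period, e.g. the last 30 days."""
    return {(r["src"], r["dst"], r["kind"]) for r in map(normalise, history) if r}

def flag_sessions(events, baseline):
    """Return (kind, src, dst, user, reasons) for sessions outside normal patterns."""
    findings = []
    for r in filter(None, map(normalise, events)):
        reasons = []
        if (r["src"], r["dst"], r["kind"]) not in baseline:
            reasons.append("source/destination pair never seen in baseline")
        if r["when"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if r["dst"] in HIGH_VALUE_HOSTS:
            reasons.append("high-value target")
        if reasons:
            findings.append((r["kind"], r["src"], r["dst"], r["user"], reasons))
    return findings

# Constructed sample events (not real telemetry).
HISTORY = [
    {"id": 4624, "logon_type": 10, "src": "10.0.1.20", "host": "APP01", "user": "j.doe", "when": datetime(2025, 3, 3, 10)},
    {"id": 5140, "share": r"\\*\ADMIN$", "src": "10.0.1.5", "host": "FS01", "user": "svc-backup", "when": datetime(2025, 3, 3, 2)},
]
TODAY = [
    {"id": 4624, "logon_type": 10, "src": "10.0.1.20", "host": "APP01", "user": "j.doe", "when": datetime(2025, 4, 1, 11)},
    {"id": 4624, "logon_type": 10, "src": "10.0.9.77", "host": "DC01", "user": "j.doe", "when": datetime(2025, 4, 1, 23)},
    {"id": 5140, "share": r"\\*\ADMIN$", "src": "10.0.9.77", "host": "FS01", "user": "j.doe", "when": datetime(2025, 4, 1, 23)},
    {"id": 4624, "logon_type": 3, "src": "10.0.1.8", "host": "FS01", "user": "m.lee", "when": datetime(2025, 4, 1, 12)},
]

if __name__ == "__main__":
    for kind, src, dst, user, reasons in flag_sessions(TODAY, learn_baseline(HISTORY)):
        print(f"{kind}: {user} {src} -> {dst}: {'; '.join(reasons)}")
```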
Audit and restrict Windows Credential Manager.
FOG harvests credentials from Windows Credential Manager. Review what credentials are stored within Credential Manager across your environment, remove stored credentials that are not operationally necessary, and ensure that privileged account credentials are not stored in Credential Manager on workstations or servers where they could be harvested. Consider Group Policy controls that restrict the use of Credential Manager for domain credentials.
Monitor for exfiltration over non-standard protocols and anomalous outbound volumes.
FOG exfiltrates data over a symmetrically encrypted protocol separate from its primary command-and-control channel. Build detections that flag anomalous outbound data volumes and traffic over non-standard or unexpected protocols, particularly outside business hours. Because this activity does not use common exfiltration tooling such as Rclone, tooling-based detections alone will not catch it; behavioural and volume-based monitoring is essential.
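An added example of the volume- and protocol-based exfiltration check the paragraph describes, written for this page and not taken from the report. It assumes per-flow records (timestamp, source, destination, protocol, destination port, bytes) such as a firewall or NetFlow export provides; the port list, volume threshold, business hours and sample flows are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

COMMON_PORTS = {80, 443, 25, 587, 53}   # assumed normal outbound services; tune per estate
BUSINESS_HOURS = range(7, 19)           # assumed 07:00-18:59 local time
VOLUME_THRESHOLD = 500 * 1024 * 1024    # assumed: 500 MiB per host per hour
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyse(flows):
    """Aggregate internal->external flows per host per hour; return (host, hour, reasons)."""
    per_hour = defaultdict(int)      # (host, hour) -> bytes out
    odd_ports = defaultdict(set)     # (host, hour) -> {(proto, dport), ...}
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue                 # only traffic leaving the network counts
        key = (f["src"], f["ts"].replace(minute=0, second=0, microsecond=0))
        per_hour[key] += f["bytes"]
        if f["dport"] not in COMMON_PORTS:
            odd_ports[key].add((f["proto"], f["dport"]))
    findings = []
    for (host, hour), total in sorted(per_hour.items()):
        reasons = []
        if total >= VOLUME_THRESHOLD:
            reasons.append(f"{total / 2**20:.0f} MiB outbound in one hour")
        if odd_ports.get((host, hour)):
            ports = ", ".join(f"{p}/{d}" for p, d in sorted(odd_ports[(host, hour)]))
            reasons.append(f"non-standard outbound ports: {ports}")
        # Time of day is a modifier, not a trigger on its own.
        if reasons and hour.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append((host, hour, reasons))
    return findings

MiB = 1024 * 1024
SAMPLE_FLOWS = [  # constructed, not captured traffic
    {"ts": datetime(2025, 4, 1, 14, 5), "src": "10.0.1.20", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "bytes": 50 * MiB},
    {"ts": datetime(2025, 4, 2, 2, 10), "src": "10.0.1.44", "dst": "198.51.100.5", "proto": "tcp", "dport": 9001, "bytes": 300 * MiB},
    {"ts": datetime(2025, 4, 2, 2, 40), "src": "10.0.1.44", "dst": "198.51.100.5", "proto": "tcp", "dport": 9001, "bytes": 320 * MiB},
    {"ts": datetime(2025, 4, 2, 2, 50), "src": "10.0.1.44", "dst": "10.0.0.5", "proto": "tcp", "dport": 445, "bytes": 900 * MiB},
]

if __name__ == "__main__":
    for host, hour, reasons in analyse(SAMPLE_FLOWS):
        print(f"{host} @ {hour:%Y-%m-%d %H:00}: {'; '.join(reasons)}")
```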
Ensure security alerting is monitored around the clock.
FOG conducts its most disruptive activity outside business hours. Alerts generated overnight or over weekends and reviewed the following morning represent a window in which a threat actor can move from initial access to full encryption undetected. Whether through an internal security operations capability or an external managed detection and response (MDR) provider, continuous monitoring is essential.
FOG is an active, financially motivated ransomware group operating under a ransomware-as-a-service model since mid-2024. Its defining characteristic is the publication of victim IP addresses alongside stolen data on its dark web leak site, a deliberate escalation of the standard double extortion formula designed to increase legal and regulatory visibility of the incident and maximise the pressure to pay. The more traceable and public an incident becomes, the more severe the downstream consequences, and FOG understands that clearly.
Triskele Labs has responded directly to multiple FOG incidents. The pattern is consistent: gain initial access through a VPN service lacking MFA or an unpatched internet-facing application; execute TrueSightKiller to disable security tooling; move laterally via RDP and SMB; harvest credentials from Windows Credential Manager; exfiltrate sensitive data over an encrypted non-standard protocol; then deploy ransomware to encrypt systems at scale.
The early disabling of security tooling is a particular concern. Environments that rely on a single layer of endpoint protection with no compensating monitoring controls have no visibility once TrueSightKiller has executed. Deploying tamper-protected EDR consistently and building specific detections for EDR-killing tooling are the most direct mitigations for this behaviour.
The defences most likely to disrupt a FOG intrusion are foundational: enforce MFA on all external-facing services, patch promptly, deploy tamper-protected EDR consistently, and ensure alerting is monitored at all hours. FOG does not rely on exceptional technical sophistication. It relies on finding environments that have left the door open and turned the lights off.
| TACTIC | TECHNIQUE | DESCRIPTION |
|---|---|---|
| Initial Access | T1078.002 - Valid Accounts: Domain Accounts | Valid credentials were used to gain access to the network via SSL VPN. |
| Initial Access | T1190 - Exploit Public-Facing Application | Attempt to exploit a weakness in an internet-facing host or system to initially access a network. |
| Persistence | T1053.005 - Scheduled Task/Job: Scheduled Task | Abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. |
| Defence Evasion | T1562.001 - Impair Defences: Disable or Modify Tools | Modify and/or disable security tools to avoid possible detection of their malware and activities. |
| Credential Access | T1555.004 - Credentials from Password Stores: Windows Credential Manager | Acquiring credentials stored in the Windows Credential Manager. |
| Lateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol | Using Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). |
| Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares | Using Valid Accounts to interact with a remote network share using Server Message Block (SMB). |
| Execution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | Abuse the Windows command shell for execution. |
| Exfiltration | T1048.001 - Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. |
| Impact | T1486 - Data Encrypted for Impact | Data on targeted systems was encrypted rendering files inaccessible. |
| TOOL | PURPOSE |
|---|---|
| TrueSightKiller | Exploit tool used to disable antivirus, firewall, and EDR software during intrusions. |
| Sophos Firewall | Next-generation firewall; observed in victim environments targeted by FOG affiliates. |