
FOG Ransomware Group Leaks Source Code of 19 Victims on Dark Web


The FOG ransomware group has intensified its global cyber extortion campaign by leaking source code and sensitive data from 19 new victims across 12 countries on their dark web portal, “The Fog Blog”.

The victims span critical sectors, including semiconductor manufacturing, federal agencies, meteorological infrastructure, and academic institutions.

This attack wave follows FOG’s established pattern of double extortion—encrypting systems while threatening to publish stolen data unless ransoms are paid.

Global Reach of Latest Attacks

According to the post from FalconFeedsio, the latest victims highlight FOG’s expanding geographic and sectoral footprint. High-profile targets include MELEXIS (Belgium), a global semiconductor leader; the U.S. Geological Survey (USGS), a key federal scientific agency; EUMETSAT (Germany), Europe’s meteorological satellite organization; and FHNW University (Switzerland), a major academic institution.

Other victims, such as Indonesia’s agricultural tech firm Koltiva, Spain’s Inelmatic Electronics, and Thailand’s Internet Thailand Public Company, underscore the group’s focus on disrupting supply chains and digital infrastructure in emerging markets.

FOG’s operational tempo aligns with its historical preference for fast execution, often achieving encryption within hours of initial access.

The group leverages compromised VPN credentials and brute-forced RDP endpoints to infiltrate networks, then uses tools like Advanced Port Scanner and PsExec for lateral movement.

Critical Sectors in the Crosshairs

The targeted organizations represent sectors with high downtime costs and sensitive data.

For example:

  • MELEXIS and Inelmatic Electronics develop critical automotive and industrial components, where operational disruptions could ripple through manufacturing ecosystems.
  • EUMETSAT’s meteorological data supports weather forecasting and climate research, making its compromise a transnational security concern.
  • Manning Publications (U.S.) and FHNW University (Switzerland) join a growing list of educational institutions targeted for their under-resourced IT environments.

FOG’s shift toward infrastructure-critical industries mirrors recent campaigns against financial services and healthcare, sectors where ransomware payments are statistically more likely.

The group’s median ransom demand of $220,000—and frequent use of double extortion—increases pressure on victims to capitulate.

Technical Implications and Mitigation Strategies

FOG’s latest attacks employ signature tactics, including disabling Windows Defender, deleting volume shadow copies, and appending extensions such as .flocked or .fog to encrypted files.

The Linux variant of FOG ransomware, observed in attacks on FlightSim Studio AG (Switzerland) and 1xINTERNET (Germany), targets virtual machine disks (.vmdk) to cripple cloud-based workloads.

Encryption relies on AES-256 keys wrapped with RSA-2048, rendering decryption without the threat actor’s private key computationally infeasible.
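The three host-level indicators named above (shadow copy deletion, Defender tampering, and FOG-style file extensions) are easiest to act on when correlated per host rather than alerted on individually. The following Python is an added detection example, not code from the article or from any vendor cited in it: it runs simple rules over constructed, Sysmon-style process-creation and file-creation records (the hosts, users, paths and command lines are invented for illustration) and flags a host only when two or more distinct precursor techniques appear on it, since a single indicator such as a shadow-copy command can also come from a legitimate backup job.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (Sysmon-style process-creation and file-creation
# records). Illustrative only; not logs from the incidents in the article.
PROCESS_EVENTS = [
    {"host": "ws-042", "user": r"CORP\jdoe",
     "cmdline": "notepad.exe quarterly_report.txt"},
    {"host": "ws-042", "user": r"CORP\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-042", "user": r"CORP\jdoe",
     "cmdline": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "srv-db1", "user": r"CORP\svc_backup",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing, not deleting
    {"host": "srv-db1", "user": r"CORP\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
]

FILE_EVENTS = [
    {"host": "ws-042", "path": r"C:\Users\jdoe\Documents\budget.xlsx.flocked"},
    {"host": "ws-042", "path": r"C:\Users\jdoe\Documents\notes.txt"},
    {"host": "srv-fs1", "path": r"\\srv-fs1\share\hr\contracts.docx.fog"},
]

# Detection rules: technique label -> regex evaluated over the full command line.
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("defender_tampering", re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
]
RANSOM_EXTENSIONS = {".fog", ".flocked"}   # extensions named in the article


def classify_process(cmdline: str) -> set[str]:
    """Return the set of technique labels whose rule matches this command line."""
    return {label for label, rx in PROCESS_RULES if rx.search(cmdline)}


def has_ransom_extension(path: str) -> bool:
    """True when the file name ends in an extension associated with FOG."""
    return PureWindowsPath(path).suffix.lower() in RANSOM_EXTENSIONS


def techniques_by_host(process_events, file_events) -> dict[str, set[str]]:
    """Aggregate matched techniques per host across both event streams."""
    seen = defaultdict(set)
    for ev in process_events:
        seen[ev["host"]] |= classify_process(ev["cmdline"])
    for ev in file_events:
        if has_ransom_extension(ev["path"]):
            seen[ev["host"]].add("ransom_extension_written")
    return {h: s for h, s in seen.items() if s}


def high_risk_hosts(process_events, file_events) -> list[str]:
    """Hosts showing two or more distinct precursor techniques. The combination
    (shadow copies deleted AND Defender disabled, for example) is far more
    specific than any single indicator, which an admin or backup job could
    trigger legitimately."""
    by_host = techniques_by_host(process_events, file_events)
    return sorted(h for h, s in by_host.items() if len(s) >= 2)


if __name__ == "__main__":
    for host, techs in techniques_by_host(PROCESS_EVENTS, FILE_EVENTS).items():
        print(f"{host}: {', '.join(sorted(techs))}")
    print("high-risk hosts:", high_risk_hosts(PROCESS_EVENTS, FILE_EVENTS))
```

With the sample data, ws-042 accumulates all three techniques and is the only host reported as high risk; srv-db1 matches one rule (the wmic deletion) and srv-fs1 only the extension write, so both surface in the per-host view for review without being escalated. In production the same logic would consume Sysmon Event ID 1 and 11 records from a SIEM rather than the inline list, and the two-hour median dwell time reported later in the article is the reason the correlation should run in near real time.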

To mitigate risks, organizations should:

  1. Enforce multi-factor authentication (MFA) on all VPN and RDP access points.
  2. Monitor for anomalous SMB/RDP traffic patterns, which often precede ransomware deployment.
  3. Deploy decoy files or canary traps to detect early-stage encryption activity.
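Item 3, decoy files as an early-encryption tripwire, is simple enough to prototype directly. The Python below is an added example, not code from the article or any product it mentions: it writes a few inert decoy files into a directory (the file names are constructed), records their SHA-256 hashes as a baseline, and on each check reports decoys that were modified, deleted, or renamed, plus any file carrying one of the extensions the article attributes to FOG. The `simulate_tampering` helper exists only so the demo can show the alerts firing; it overwrites one decoy with zero bytes and renames another, nothing more.

```python
import hashlib
import tempfile
from pathlib import Path

# Decoy names chosen to sort early and late in a directory listing, since
# file-walking encryptors typically process entries in order. Constructed names.
CANARY_NAMES = ["00_finance_backup.xlsx", "passwords_old.txt", "zz_archive.docx"]
SUSPICIOUS_EXTENSIONS = {".fog", ".flocked"}  # extensions cited in the article


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy_canaries(root: Path) -> dict[str, str]:
    """Write inert decoy files and return the baseline {name: sha256}."""
    root.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name in CANARY_NAMES:
        p = root / name
        p.write_bytes(f"canary file {name}; do not edit\n".encode() * 32)
        baseline[name] = sha256_of(p)
    return baseline


def check_canaries(root: Path, baseline: dict[str, str]) -> list[tuple[str, str]]:
    """Compare the directory with the baseline. Returns sorted (name, alert) pairs:
    'modified' (content changed), 'renamed' (original gone, derivative present),
    'missing' (deleted), 'ransomware_extension' (any file with a known extension)."""
    alerts = []
    present = {p.name: p for p in root.iterdir() if p.is_file()}
    for name, digest in baseline.items():
        if name in present:
            if sha256_of(present[name]) != digest:
                alerts.append((name, "modified"))
        elif any(n != name and n.startswith(name) for n in present):
            alerts.append((name, "renamed"))
        else:
            alerts.append((name, "missing"))
    for n in present:
        if Path(n).suffix.lower() in SUSPICIOUS_EXTENSIONS:
            alerts.append((n, "ransomware_extension"))
    return sorted(alerts)


def simulate_tampering(root: Path) -> None:
    """Demo stand-in for encryption activity: overwrite one decoy with zero bytes
    and rename another with a FOG-style extension. No encryption takes place."""
    (root / "passwords_old.txt").write_bytes(b"\x00" * 512)
    (root / "00_finance_backup.xlsx").rename(root / "00_finance_backup.xlsx.fog")


def run_demo() -> tuple[list, list]:
    """Deploy canaries in a temp dir, check once (clean), tamper, check again."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    baseline = deploy_canaries(root)
    before = check_canaries(root, baseline)
    simulate_tampering(root)
    after = check_canaries(root, baseline)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("clean scan:", before)
    print("after tampering:", after)
```

The first scan returns no alerts; the second reports the renamed decoy, the new `.fog` file, and the modified decoy. A deployed version would run `check_canaries` on a short timer or from a file-system watcher and raise a host-isolation action on the first alert, since the value of a canary lies in how little of the real data has been touched by the time it fires. Keep the baseline hashes off the monitored host so an encryptor cannot also corrupt the reference.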

Darktrace reports indicate that FOG’s median dwell time before encryption is just 2 hours, necessitating real-time threat detection.

Regular backups stored offline and air-gapped remain the most effective defense against data loss.

The FOG group’s latest leaks underscore the escalating threat of ransomware to global infrastructure.

Given the group’s proven ability to adapt to security measures and exploit geopolitical fragmentation, proactive defense, not reactive payment, remains the cornerstone of cyber resilience.
