FOG Ransomware Escalates Global Campaign: Source Code Leaks Hit Firms

The FOG ransomware group has intensified its global cyber extortion campaign by leaking proprietary source code belonging to three multinational organizations—Australian technology firm Naphix Pty Ltd, Spanish network infrastructure specialist Wireless DNA (WDNA), and Ecuadorian software developer Bayteq.

The breach, first reported on the group’s dark web portal “The Fog Blog” on February 23, 2025, marks a strategic expansion of FOG’s operations, leveraging double extortion tactics to pressure victims into paying ransoms averaging $220,000 per attack.

Victim Analysis and Operational Impact

According to the post from FalconFeeds.io, the three victims face the following exposure.

Naphix Pty Ltd (Australia): As a technology solutions provider, Naphix’s leaked intellectual property could expose proprietary algorithms and client-facing platforms.

The compromise of source code risks long-term competitive disadvantages and potential regulatory penalties under Australia’s Notifiable Data Breaches scheme.

Wireless DNA (Spain): Specializing in IoT monitoring and network auditing through their entro© platform, WDNA’s breach threatens critical infrastructure clients.

Exposure of network vulnerability data could enable cascading attacks on energy grids and telecommunications systems reliant on their technology.

Bayteq (Ecuador): The leak of Bayteq’s robotic process automation (RPA) frameworks and UX/UI design libraries jeopardizes ongoing digital transformation projects across Latin America.

As a regional leader in staff augmentation services, the breach also risks exposing sensitive employee data from client organizations.

Technical Methodology and Attack Lifecycle

FOG operators executed a refined intrusion chain beginning with compromised VPN credentials purchased from Initial Access Brokers (IABs).

After establishing footholds, attackers conducted lateral movement via Remote Desktop Protocol (RDP) sessions, deploying custom PowerShell scripts to disable Windows Defender and delete Volume Shadow Copies—a critical obstacle for data recovery.

Encryption processes utilized multi-threaded ransomware binaries capable of appending .flocked extensions to 70% of targeted files while sparing system-critical processes to maintain operational stealth.

Concurrently, the group exfiltrated 2.1 TB of data using MEGAsync and FileZilla, later threatening public release via TOR-based negotiation portals.

Darktrace investigations revealed FOG’s alarming operational tempo, with one attack achieving full encryption within two hours of initial access.

Evolving Double Extortion Dynamics

The group’s July 2024 introduction of “The Fog Blog” leak site formalized their double extortion strategy, mirroring trends seen in LockBit and ALPHV campaigns.

Unlike earlier iterations that focused on data dumps, FOG’s latest attacks weaponize source code leaks—a tactical shift increasing pressure on technology firms where intellectual property constitutes core business value.

Kroll analysts note this approach bypasses traditional backup mitigation strategies, as stolen code cannot be restored through conventional means.

Mitigation Recommendations

Cybersecurity authorities emphasize layered defenses:

  1. Credential Hardening: Enforce phishing-resistant MFA across all VPN and RDP access points.
  2. Process Whitelisting: Restrict execution of PowerShell and LOLBins like PsExec to authorized administrative workflows.
  3. Exfiltration Monitoring: Deploy protocol analysis tools to detect anomalous MEGAsync/FileZilla traffic patterns.
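The lifecycle described above (Defender tampering, shadow-copy deletion, .flocked renames, MEGAsync/FileZilla staging) can be turned into host-level detection logic. The following Python is an added example written for this article, not code from FOG, Darktrace or any vendor named here; the telemetry lines and the log format (host|user|event_type|detail) are constructed, and the regexes are assumed generic patterns for these behaviours rather than the group's exact commands.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: host|user|event_type|detail.
# event_type is "proc" (a process command line) or "file" (a path after a rename/write).
SAMPLE_EVENTS = [
    "WS01|alice|proc|notepad.exe C:\\Users\\alice\\report.txt",
    "SRV02|svc_backup|proc|powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true",
    "SRV02|svc_backup|proc|vssadmin.exe delete shadows /all /quiet",
    "SRV02|svc_backup|file|D:\\Shares\\Finance\\Q4.xlsx.flocked",
    "WS03|bob|proc|wmic shadowcopy delete",
    "WS01|alice|proc|C:\\Program Files\\FileZilla FTP Client\\filezilla.exe",
]

# Each rule: (name, event_type it applies to, pattern). The patterns are assumptions that
# cover the behaviours the article attributes to FOG, not the group's exact tooling.
RULES = [
    ("defender_tamper", "proc", re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("shadow_copy_deletion", "proc",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("hidden_powershell", "proc", re.compile(r"powershell(\.exe)?\b.*-w(indowstyle)?\s+hidden", re.I)),
    ("exfil_tooling", "proc", re.compile(r"\b(megasync|filezilla)(\.exe)?\b", re.I)),
    ("flocked_extension", "file", re.compile(r"\.flocked$", re.I)),
]


def match_events(events):
    """Return (host, user, rule_name) for every event that trips a rule."""
    hits = []
    for line in events:
        host, user, event_type, detail = line.split("|", 3)
        for name, applies_to, pattern in RULES:
            if event_type == applies_to and pattern.search(detail):
                hits.append((host, user, name))
    return hits


def hosts_with_chained_behaviour(events, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired. A single hit may be
    legitimate admin work (a backup job rotating shadow copies), but defence tampering
    plus shadow-copy deletion plus new .flocked files on one host matches the lifecycle."""
    per_host = defaultdict(set)
    for host, _user, name in match_events(events):
        per_host[host].add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for host, rules in hosts_with_chained_behaviour(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

On the constructed sample only SRV02 crosses the chaining threshold; WS01 (FileZilla) and WS03 (a lone shadow-copy deletion) surface as single-rule hits worth triage rather than alerts.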

SentinelOne’s analysis of Fog’s Linux variants highlights specific risks to VMware environments, recommending hypervisor-specific monitoring for unauthorized VM process termination attempts.

Sector-Wide Implications

With 43% of FOG’s confirmed victims operating in the technology and critical infrastructure sectors, the attacks underscore systemic vulnerabilities in software supply chains.

The group’s cross-platform capabilities—targeting both Windows and Linux systems—position them as a persistent threat to organizations undergoing cloud migrations or IoT integrations.

As international law enforcement agencies collaborate on takedown operations, the cybersecurity community remains divided on ransomware payment ethics.

However, consensus grows around mandatory breach disclosure laws modeled on the EU’s NIS2 Directive, potentially mitigating future intellectual property exfiltration campaigns.

AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
