A new ransomware group called “Frag” has burst onto the cybercrime scene, amassing an alarming 27 victims in just under a month.
The group’s sudden emergence and rapid activity have caught the attention of cybersecurity experts worldwide.
Frag’s operations began on February 28, 2025, with a flurry of attacks targeting organizations primarily in the United States.
The group’s modus operandi involves exploiting a critical vulnerability (CVE-2024-40711) in Veeam Backup & Replication (VBR) software, a tactic previously employed by other ransomware groups such as Akira and Fog.
The Frag group’s initial blog post on February 11, 2025, outlined their terms of negotiation, decryption tools, proof of data deletion, and optional vulnerability reports.
This level of sophistication suggests that Frag may be composed of experienced cybercriminals, possibly with ties to other ransomware operations.
Of the 27 victims listed on Frag’s data leak site (DLS), 24 are based in the United States, with one each in the Netherlands, Singapore, and Canada.
The affected organizations span various industries, including seafood wholesale, hospitality, technology, legal services, healthcare, and financial institutions.
Notable victims include:
- SEAQUEST SEAFOOD (City of Industry, CA)
- Woodbine Hospitality (Syracuse, NY)
- Komoto Healthcare (Bakersfield, CA)
- Maine Highlands Federal Credit Union (Dexter, ME)
- Texas Fifth Wall Roofing Systems (Austin, TX)
The Frag group’s rapid rise coincides with a broader surge in ransomware attacks observed in early 2025.
February 2025 witnessed a record spike in ransomware incidents, with 956 reported victims globally, marking an 87% increase from January.
This trend suggests that Frag is part of a larger ecosystem of increasingly aggressive and sophisticated ransomware operations.
Cybersecurity experts believe that Frag, like other ransomware groups, may be employing a Ransomware-as-a-Service (RaaS) model.
This approach allows less technically skilled affiliates to conduct attacks using the group’s infrastructure in exchange for a percentage of the ransom payments.
The group’s exploitation of the Veeam vulnerability (CVE-2024-40711) highlights the critical importance of prompt patching and security updates.
Organizations using Veeam Backup & Replication software are strongly advised to apply the latest security patches to mitigate the risk of exploitation.
Frag’s attack methodology likely involves:
- Exploiting vulnerable VPN appliances for initial access
- Leveraging the Veeam vulnerability to escalate privileges
- Creating new local administrator accounts (e.g., “point” or “point2”) for persistence
- Deploying the Frag ransomware payload to encrypt victim data
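
The persistence step in the list above can be watched for on Windows hosts. The following is an added example, not code from the original article or from any vendor: it correlates Security event 4720 (user account created) with event 4732 (member added to a local group) for the built-in Administrators group, and raises severity when the account name matches the names the article reports. The sample events, host names, SIDs and the 10-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"           # well-known SID of BUILTIN\Administrators
REPORTED_NAMES = {"point", "point2"}  # account names given in the article
WINDOW = timedelta(minutes=10)        # assumed correlation window

# Constructed sample events (not real telemetry), reduced to the fields used.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T02:14:07", "id": 4720, "host": "VBR01",
     "TargetUserName": "point", "TargetSid": "S-1-5-21-1-2-3-1105",
     "SubjectUserName": "VBR01$"},
    {"time": "2025-03-01T02:14:09", "id": 4732, "host": "VBR01",
     "MemberSid": "S-1-5-21-1-2-3-1105", "TargetSid": ADMINS_SID,
     "SubjectUserName": "VBR01$"},
    {"time": "2025-03-01T09:00:00", "id": 4720, "host": "WS17",
     "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-9-9-9-1201",
     "SubjectUserName": "helpdesk"},
    {"time": "2025-03-01T09:30:00", "id": 4732, "host": "WS17",
     "MemberSid": "S-1-5-21-9-9-9-1201", "TargetSid": "S-1-5-32-555",
     "SubjectUserName": "helpdesk"},
    {"time": "2025-03-01T11:00:00", "id": 4720, "host": "FS02",
     "TargetUserName": "svc_tmp", "TargetSid": "S-1-5-21-4-5-6-1300",
     "SubjectUserName": "admin1"},
    {"time": "2025-03-01T11:02:00", "id": 4732, "host": "FS02",
     "MemberSid": "S-1-5-21-4-5-6-1300", "TargetSid": ADMINS_SID,
     "SubjectUserName": "admin1"},
]

def find_new_local_admins(events, window=WINDOW):
    """Correlate 4720 (account created) with 4732 (added to Administrators)."""
    created = {}  # (host, account SID) -> (creation time, creation event)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[(ev["host"], ev["TargetSid"])] = (ts, ev)
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINS_SID:
            hit = created.get((ev["host"], ev["MemberSid"]))
            if hit and ts - hit[0] <= window:
                name = hit[1]["TargetUserName"]
                sev = "high" if name.lower() in REPORTED_NAMES else "medium"
                alerts.append({"host": ev["host"], "account": name,
                               "actor": ev["SubjectUserName"], "severity": sev})
    return alerts

if __name__ == "__main__":
    for alert in find_new_local_admins(SAMPLE_EVENTS):
        print(alert)
```

Matching on the SID rather than the account name means a renamed account is still caught; the name list only affects severity.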
As with other ransomware groups, Frag may employ a double extortion strategy, threatening to leak stolen data if ransom demands are not met.
The rapid emergence of Frag underscores the ever-evolving nature of the ransomware threat landscape.
Organizations must remain vigilant, implementing robust cybersecurity measures, including:
- Regular software patching and updates
- Strong access controls and multi-factor authentication
- Comprehensive backup and recovery solutions
- Employee cybersecurity awareness training
- Endpoint detection and response (EDR) solutions
As Frag continues its operations, law enforcement and cybersecurity firms will undoubtedly intensify their efforts to track and disrupt the group’s activities.
Organizations are advised to stay informed about the latest ransomware threats and to have incident response plans in place to mitigate potential attacks.