Research has revealed the development of a new ransomware variant called Fog. The research, conducted by Arctic Wolf Labs, was observed in multiple cases and displayed similar elements throughout. The targets of Fog’s ransomware activity were predominantly in the United States, with 80% focused on the education sector and 20% on the recreation industry. 

The research refers to Fog as a ransomware variant rather than a ransomware group in order to differentiate between entities that construct the encryptor software and those that carry out the attacks. At this time, the structure of the group or groups deploying Fog ransomware is unknown. The research notes that as more details on Fog emerge, more nuances may be added to the research. 

Currently, the research has shown that threat actors in investigated cases gained access to target environments by exploiting compromised VPN credentials. Two separate VPN gateway vendors were leveraged for remote access. To date, the last documented activity occurred on May 23, 2024.