Ransomware hasn’t gone away—it’s evolved. And one of the more concerning developments in 2025–2026 is the emergence of newer, quieter strains like FOG ransomware that focus less on noise and more on precision.
Unlike older ransomware families that detonated loudly—encrypting everything in sight—modern variants like FOG are far more strategic. They aim to blend into normal operations, disable recovery options, and maximise impact before detection. In several environments I’ve reviewed recently, the initial compromise wasn’t even noticed until backups were already unusable.
That’s what makes this particularly dangerous. It’s not just about encryption anymore—it’s about denial of recovery.
For IT professionals, this changes the game. You’re no longer just defending endpoints; you’re defending identity systems, backup integrity, and lateral movement paths simultaneously.
In this article, I’ll break down how FOG ransomware operates, what indicators to look for, and how to implement practical, real-world controls to reduce your exposure and recover quickly if the worst happens.
Quick Fix Summary
If you need immediate actions to reduce risk:
- Enforce immutable backups and test restores regularly
- Block and monitor RDP, SMB, and lateral movement protocols
- Enable tamper protection and endpoint detection (EDR)
- Audit privileged accounts and remove unnecessary access
- Monitor for early indicators like unusual PowerShell or scheduled task activity
Understanding FOG Ransomware
FOG ransomware is part of a broader trend toward low-noise, high-impact attacks. It typically follows a multi-stage approach rather than a smash-and-grab encryption event.
Key Characteristics
- Targets Windows-based enterprise environments
- Focuses on backup destruction before encryption
- Uses living-off-the-land (LotL) techniques
- Often deployed after credential compromise
What Makes It Different
From what I’ve observed, FOG behaves more like an operator-driven attack than a simple payload:
- It leverages native tools like PowerShell and WMI
- It disables security controls before execution
- It selectively encrypts high-value data
This makes traditional signature-based detection far less effective.
How FOG Ransomware Typically Spreads
1. Initial Access (Credential-Based)
Most cases begin with:
- Phishing attacks
- Credential stuffing
- Exposed RDP services
Once inside, attackers avoid triggering alerts by using legitimate credentials.
2. Privilege Escalation and Reconnaissance
Attackers map the environment using built-in tools.
Common Commands Seen
whoami /priv
net group "Domain Admins" /domain
nltest /dclist:domain.local
These commands are often overlooked because they’re not inherently malicious—but in context, they are strong indicators.
3. Lateral Movement
FOG operators move laterally using:
- SMB shares
- Remote PowerShell
- PsExec or WMI
Example: Suspicious Remote Execution
Invoke-Command -ComputerName SERVER01 -ScriptBlock { Get-Process }
If this appears outside normal admin activity, it should raise flags.
4. Backup and Recovery Sabotage
This is where FOG becomes particularly dangerous.
Common Actions
- Deleting shadow copies
- Disabling backup services
- Targeting backup repositories
Example Command
vssadmin delete shadows /all /quiet
If you see this in logs without a valid maintenance window—treat it as a critical incident.
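As an added example (not code from the original article), the following PowerShell hunts Security event 4688 for the three reconnaissance commands from section 2 and the shadow-copy deletion command above. It assumes process-creation auditing with command-line logging is enabled; the pattern labels and function names are illustrative.

```powershell
# Added example, not from the original article. Hunts Security event 4688 (process creation)
# for the command lines discussed in the article: the three recon commands and
# "vssadmin delete shadows". Requires "Audit Process Creation" plus
# "Include command line in process creation events"; without them CommandLine is empty.

# Labels and regexes are illustrative; extend the table with your own high-signal commands.
$SuspiciousPatterns = @{
    'Recon: privilege enumeration'   = 'whoami(\.exe)?\s+/priv'
    'Recon: Domain Admins lookup'    = 'net1?(\.exe)?\s+group\s+"?domain admins"?'
    'Recon: DC enumeration'          = 'nltest(\.exe)?\s+/dclist'
    'Sabotage: shadow copy deletion' = 'vssadmin(\.exe)?\s+delete\s+shadows'
}

function Get-EventDataField {
    # Read a named EventData field from the record's XML (avoids brittle Properties[] indexes).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SuspiciousProcessCreation {
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $record = $_
            $cmd = Get-EventDataField -Event $record -Name 'CommandLine'
            if (-not $cmd) { return }
            foreach ($label in $SuspiciousPatterns.Keys) {
                if ($cmd -match $SuspiciousPatterns[$label]) {   # -match is case-insensitive
                    [pscustomobject]@{
                        Time    = $record.TimeCreated
                        Host    = $record.MachineName
                        User    = Get-EventDataField -Event $record -Name 'SubjectUserName'
                        Parent  = Get-EventDataField -Event $record -Name 'ParentProcessName'  # empty on older OS builds
                        Finding = $label
                        Command = $cmd
                    }
                }
            }
        }
}

# Review the last 24 hours on this host. A "Sabotage" hit outside a maintenance window is,
# as the article says, a critical incident; recon hits from non-admin users warrant triage.
Find-SuspiciousProcessCreation -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```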
5. Encryption and Impact
Only after the environment is weakened does encryption begin.
- Targets key file types
- Leaves ransom notes
- May exfiltrate data beforehand
Step-by-Step: Detecting and Responding to FOG Ransomware
Step 1: Identify Early Indicators of Compromise
Focus on behavioural signals rather than signatures.
Key Indicators
- Unusual PowerShell execution
- New scheduled tasks created unexpectedly
- High volume of authentication attempts
- Admin tools used outside change windows
PowerShell: Check Scheduled Tasks
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | Select-Object TaskName, TaskPath, State, Author
Step 2: Investigate Privileged Account Activity
Most ransomware attacks rely on elevated access.
What to Check
- Recently added domain admins
- Service accounts with excessive permissions
- Failed login attempts followed by success
Step 3: Review Backup Integrity Immediately
Don’t assume backups are safe.
What to Validate
- Backup jobs are still running
- Retention policies haven’t changed
- Offline or immutable backups exist
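As an added example (not code from the original article), this PowerShell performs the Step 3 checks on a Windows Server host: whether shadow copies still exist per volume, whether the VSS and Windows Server Backup services have been disabled, and whether the last successful backup and retained version count look sane. It assumes PowerShell 5.1 or later and the Windows Server Backup feature; the expected start types and function names are assumptions.

```powershell
# Added example, not from the original article. Backup-integrity triage for a Windows Server
# host (PowerShell 5.1+). Assumes the Windows Server Backup feature; third-party backup agents
# use their own service names, so add them to the baseline table below.
# Expected start types are assumptions for a default install; adjust to your own baseline.
$ExpectedServices = @{
    'VSS'      = 'Manual'   # Volume Shadow Copy
    'swprv'    = 'Manual'   # Microsoft Software Shadow Copy Provider
    'wbengine' = 'Manual'   # Block Level Backup Engine (Windows Server Backup)
}
function Get-ShadowCopyInventory {
    # One row per fixed volume: how many shadow copies remain and when the newest was taken.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    Get-CimInstance -ClassName Win32_Volume -Filter "DriveType = 3" |
        Where-Object { $_.DriveLetter } |
        ForEach-Object {
            $vol  = $_
            $mine = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
            [pscustomobject]@{
                Volume      = $vol.DriveLetter
                ShadowCount = $mine.Count
                Newest      = ($mine | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
                Finding     = $(if ($mine.Count -eq 0) { 'No shadow copies - confirm against policy' } else { 'OK' })
            }
        }
}
function Test-BackupServiceBaseline {
    foreach ($name in $ExpectedServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # role/feature not installed on this host
        [pscustomobject]@{
            Service   = $name
            Status    = $svc.Status
            StartType = $svc.StartType
            Finding   = $(if ($svc.StartType -eq 'Disabled') { 'DISABLED - possible tampering' }
                          elseif ($svc.StartType -ne $ExpectedServices[$name]) { 'Start type differs from baseline' }
                          else { 'OK' })
        }
    }
}
function Get-BackupJobSummary {
    # Windows Server Backup only: a sudden drop in NumberOfVersions is the "retention changed" signal.
    if (-not (Get-Command Get-WBSummary -ErrorAction SilentlyContinue)) { return }
    Get-WBSummary | Select-Object LastSuccessfulBackupTime, LastBackupTarget, NumberOfVersions
}
Get-ShadowCopyInventory | Format-Table -AutoSize
Test-BackupServiceBaseline | Format-Table -AutoSize
Get-BackupJobSummary | Format-List
```

A volume with zero shadow copies or a backup service set to Disabled is not proof of compromise on its own, but either one outside a known change should be treated as a Step 4 containment trigger rather than a maintenance item.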
Step 4: Contain the Threat
If FOG is suspected:
- Isolate affected systems
- Disable compromised accounts
- Block lateral movement paths
This is where network segmentation pays off.
Step 5: Eradicate and Recover
- Rebuild compromised systems (don’t trust them)
- Restore from clean backups
- Rotate all credentials
Real-World Scenario
In one environment I reviewed, the attack timeline looked like this:
- Day 1: Compromised VPN credentials
- Day 3: Privilege escalation to domain admin
- Day 5: Backup system accessed and modified
- Day 7: Shadow copies deleted
- Day 8: Encryption triggered
The key failure wasn’t detection—it was assuming backups were safe.
Additional Tips / Pro Tips
🔧 Pro Tip: Enable Microsoft Defender Tamper Protection
This prevents attackers from disabling security tools silently.
⚠️ Warning: Don’t Rely on a Single Backup Strategy
Use:
- Immutable backups
- Offline backups
- Cloud backups with versioning
🧠 Best Practice: Monitor Admin Tool Usage
Tools like:
- PowerShell
- PsExec
- WMI
…should be tightly controlled and logged.
🔍 Pro Tip: Use “Assume Breach” Monitoring
If an admin command runs unexpectedly—investigate it.
FAQ Section
1. What is FOG ransomware?
FOG ransomware is an emerging ransomware variant that focuses on stealth, lateral movement, and disabling recovery mechanisms before encrypting data.
2. How does FOG ransomware spread?
It typically spreads through compromised credentials, phishing attacks, and exposed services like RDP, followed by lateral movement within the network.
3. What are the first signs of a FOG ransomware attack?
Early signs include unusual PowerShell activity, unexpected scheduled tasks, privilege escalation events, and deletion of shadow copies.
4. Can FOG ransomware be detected by antivirus?
Traditional antivirus may struggle to detect it due to its use of legitimate tools. EDR and behavioural monitoring are more effective.
5. How do I protect my backups from ransomware?
Implement immutable backups, restrict access to backup systems, and regularly test restore processes.
Conclusion / Actionable Takeaways
FOG ransomware highlights a critical shift in how attacks are executed. It’s no longer about getting in—it’s about staying undetected long enough to ensure maximum damage.
From my experience, the organisations that recover successfully are the ones that:
- Assume compromise early
- Monitor behaviour, not just alerts
- Treat backups as critical infrastructure
Immediate Next Steps
- Audit privileged accounts and access paths
- Review and test your backup strategy
- Enable advanced logging and monitoring
- Restrict lateral movement across your network
- Train your team to recognise early warning signs
The reality is simple—ransomware isn’t going away. But with the right controls in place, its impact can be significantly reduced.
Last Updated
Last Updated: April 2026
Aligned with current ransomware trends, Windows Server security practices, and Microsoft 365 Defender capabilities.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
