Introduction: A New Era of Ransomware Attacks
Ransomware isn’t what it used to be. Gone are the days when attackers relied solely on phishing emails or brute-force attacks. Today’s cybercriminals are getting creative, leveraging legitimate security tools to fly under the radar while wreaking havoc.
The Fog ransomware group has taken this trend to a frightening new level. In a May 2025 attack on an Asian financial institution, they didn’t just encrypt files and demand payment: they spied on employees, exfiltrated sensitive data, and maintained stealthy backdoors long after the ransomware detonated.
What makes this attack so concerning? They used off-the-shelf pentesting tools, software designed to help security professionals, against their victims. This isn’t just ransomware anymore; it’s cyber-espionage with a financial twist.
Let’s break down exactly how they pulled it off and what businesses can do to defend themselves.
How the Attack Unfolded: A Step-by-Step Breakdown
1. Initial Compromise: The Silent Entry
Investigators believe the attackers first breached the target’s Exchange Server, though the exact entry point remains unclear. Once inside, they didn’t rush to deploy ransomware. Instead, they lurked for nearly two weeks, quietly mapping the network.
2. Reconnaissance: Spying Like a Sysadmin
Using basic but effective commands such as:
whoami (to check privileges)
net use (to map network shares)
nltest /domain_trusts (to find connected domains)
they identified high-value targets, including financial databases and employee workstations.
3. The Unusual Toolkit: Legitimate Apps Turned Malicious
Instead of custom malware, Fog operators used:
Syteca (employee monitoring software): To track user activity.
GC2 (a command-and-control framework): Used Google Sheets & SharePoint for stealthy communication.
Adaptix C2 Beacon: A pentesting tool repurposed for data theft.
Stowaway Proxy: To hide their movements inside the network.
This approach made detection extremely difficult: many security tools ignore these applications because they’re not traditionally malicious.
4. Data Exfiltration: Hiding in Plain Sight
The GC2 framework was particularly clever. Instead of connecting to a shady server, it:
Polled Google Sheets for commands (blending in with normal cloud traffic).
Exfiltrated files via SharePoint (looking like regular business activity).
This meant no suspicious IPs and no odd domains, just what appeared to be normal cloud service usage.
5. Ransomware Deployment and Beyond
After stealing data, they finally triggered the ransomware. But unlike typical attacks, they didn’t just leave afterward.
They created a persistent backdoor named “SecurityHealthIron” (disguised as a legitimate Windows service).
This service acted as a watchdog, ensuring their GC2 spy tools kept running even after the ransom was paid.
Why This Attack Changes the Game
1. Ransomware as a Smokescreen for Espionage
Most ransomware gangs hit and run. Fog, however, stuck around, suggesting they weren’t just after money—they wanted long-term access to sensitive data.
2. The Rise of “Living-off-the-Land” Attacks
Using trusted software (like Google Sheets for C2) makes attacks nearly invisible to traditional security tools.
3. A Warning for Security Teams
If hackers can turn pentesting tools against you, how do you tell friend from foe?
How to Defend Against These Attacks
1. Monitor Unusual Cloud Activity
Unexpected Google Sheets/SharePoint access? Investigate.
Unusual API calls? Lock it down.
2. Restrict Legitimate Pentesting Tools
Syteca, GC2, Cobalt Strike? Only allow them in controlled environments.
3. Hunt for Post-Ransomware Backdoors
Check for suspicious services (like “SecurityHealthIron”).
Audit scheduled tasks & new registry entries.
4. Assume Breach, Act Early
If ransomware hits, don’t assume the attackers are gone. They might still be inside.
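To make the backdoor hunt in step 3 repeatable, here is an added example (not from the original post or from any vendor) that walks constructed Windows service-installation records, shaped like System log Event ID 7045, and flags services that imitate a genuine Windows service name (as SecurityHealthIron imitates the real SecurityHealthService), run from user-writable paths, or match the tools named in this report. The sample events, the known-service set and the threshold are assumptions made for the example.

```python
from difflib import SequenceMatcher

# Constructed sample records shaped like Windows System log Event ID 7045
# ("A service was installed in the system"). Illustrative only, not logs
# from the incident; service definitions live under HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE_EVENTS = [
    {"ServiceName": "SecurityHealthService", "ImagePath": r"C:\Windows\System32\SecurityHealthService.exe", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "SecurityHealthIron", "ImagePath": r"C:\ProgramData\Health\svchealth.exe", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "SytecaAgent", "ImagePath": r"C:\Program Files\Syteca\agent.exe", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe", "StartType": "auto start", "AccountName": "LocalSystem"},
]

# Genuine Windows service names a backdoor might imitate (assumed short set; build the
# real one from a known-good host) and directories an ordinary user can write to.
KNOWN_WINDOWS_SERVICES = {"SecurityHealthService", "WinDefend", "wuauserv", "Spooler", "Schedule"}
USER_WRITABLE_DIRS = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
# The service name reported in this incident plus the dual-use tools the post says to restrict.
WATCHLIST = ("securityhealthiron", "syteca", "gc2", "adaptix", "stowaway")

def lookalike_of(name, known=KNOWN_WINDOWS_SERVICES, threshold=0.7):
    """Return the known service this name most resembles without matching it exactly, else None."""
    best, score = None, 0.0
    for k in known:
        if k.lower() == name.lower():
            return None  # exact match: the real service, not an imitation
        r = SequenceMatcher(None, k.lower(), name.lower()).ratio()
        if r > score:
            best, score = k, r
    return best if score >= threshold else None

def assess_service(ev):
    """List the reasons one service-installation event deserves analyst review."""
    name, path = ev["ServiceName"], ev["ImagePath"].strip('"').lower()
    reasons = []
    if (mimic := lookalike_of(name)):
        reasons.append(f"name resembles Windows service {mimic}")
    if path.startswith(USER_WRITABLE_DIRS):
        reasons.append("binary lives in a user-writable directory")
    if any(w in name.lower() or w in path for w in WATCHLIST):
        reasons.append("matches incident/dual-use tool watchlist")
    if reasons and ev["StartType"].lower().startswith("auto") and ev["AccountName"] == "LocalSystem":
        reasons.append("auto-starts as LocalSystem (survives reboot, full privileges)")
    return reasons

def hunt(events):
    """Map each suspicious service name to its findings; clean services are omitted."""
    return {ev["ServiceName"]: r for ev in events if (r := assess_service(ev))}

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

On a live host, feed the function the parsed 7045 events from the window between initial access and encryption, and treat the watchlist as a starting point for your own environment.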
The Blurring Line Between Crime and Cyberwarfare
The Fog ransomware attack isn’t just another data encryption scheme: it’s a hybrid threat combining financial extortion with corporate espionage.
As attackers get smarter, businesses must evolve beyond basic ransomware defenses. The next wave of cyber threats won’t just lock your files; they’ll steal your secrets while pretending to be you.
Are you prepared?