Intel Name: Fog ransomware: unusual toolset used in recent attack
Date of Scan: June 16, 2025
Impact: Medium
Summary: In May 2025, a financial institution in Asia was targeted by Fog ransomware in an attack that marked a significant shift in tactics. Unusually, the attackers deployed legitimate employee monitoring software, Syteca (formerly Ekran), and several open-source pentesting tools, including GC2, Adaptix, and Stowaway, which are not typically associated with ransomware attacks. After deploying the ransomware, the attackers created a service for persistence, intending to maintain access to the victim’s network, a departure from typical ransomware behavior. The attackers were active on the network for approximately two weeks before launching the attack. Fog ransomware was first documented in May 2024; it initially targeted U.S. educational institutions, with access gained through compromised VPN credentials.