EBN - The Fog ransomware group, known for targeting various industries, is now associating victims’ IP addresses with their stolen data and publishing this information on the dark web, marking a shift from traditional ransomware extortion tactics. This increases psychological pressure on victims, makes breaches more visible and traceable, and increases the risk of regulatory fines for affected organizations.
A business model known as Ransomware as a Service (RaaS) allows malware developers to rent their ransomware and the infrastructure needed to manage it to other online criminals. Targeting industries like education, entertainment, and finance, the Fog Ransomware group is a ransomware service provider that first appeared in early 2024.
The attacks targeted Windows and Linux operating systems, and the Fog group has previously used double-extortion tactics, encrypting data and threatening to publicly release it to pressure victims into paying the requested sums. The group used compromised VPN credentials to access and encrypt victims’ data, sometimes in less than two hours.
The Fog organization has taken an unprecedented step, becoming the first ransomware-as-a-service group to publicly expose the IP addresses and stolen data of its victims on the dark web following its operations.
In addition to raising psychological pressure on victims, exposing IP addresses could open the door for more cybercriminal behavior, providing external threat actors with potential entry points into compromised networks.
Examples of such follow-on attacks include credential stuffing and malicious botnet activity targeting previously compromised organizations.
“As ransomware operators see declining payments due to enhanced cyber defenses and increasing regulatory pressure, they are evolving their extortion tactics to maintain their influence over victims,” said Mark Rivero, senior security researcher on the think tank’s Global Research and Analysis Team. He added that making IP addresses and leaked data publicly available could increase the likelihood that organizations will comply with ransom demands in future incidents.
This tactic could also be a fear-based marketing strategy, with attackers displaying their ruthlessness to scare future victims into paying quickly.