Fog Ransomware Group Uses Unconventional Toolset, New Research Finds

Published 2025-06-23 on blog.cyberconservices.com
Link: https://blog.cyberconservices.com/index.php/2025/06/23/fog-ransomware-group-uses-unconventional-toolset-new-research-finds/
Categories: ransomware, sharepoint

Summary: Research from Symantec and the Carbon Black Threat Hunter team reveals that the Fog ransomware group utilizes an uncommon toolset, including open-source pentesting utilities and Syteca, a legitimate employee monitoring software.

By Jordyn Alger (https://www.securitymagazine.com/authors/4609-jordyn-alger) – Tactics, techniques, and procedures (TTPs) are used as fingerprints to identify actor groups (https://www.securitymagazine.com/articles/101505-whos-driving-ransomwares-accelerated-growth-in-2025) — when common tools, platforms, or infrastructure are used, we gain confidence as defenders in our hypothesis on which Threat Actor group we're dealing with. The appearance of new tool kits in play could speak to the evolution of existing actors, or a newly formed group emerging.

The use of ordinary and legitimate corporate tools does two things for the miscreants:

1. It may allow accidental bypass of other security tools in an environment, as known software is baked into allow-listing groups which may have been enabled. In this case the use of Syteca for gathering credentials and monitoring the environment may have been ignored by security tooling.
2. The use of expected productivity platforms (e.g. Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit.

We should expect the use of ordinary and legitimate corporate software as the norm — we refer to this as living off the land. Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when "allowable" software gets the job done for them?

We have long seen Threat Actors exploiting vulnerability research in security technologies, and for good reason. The old adages here ring true ("the cobbler's kids have no shoes" and "never drive the mechanic's car") in that security software can't ever have enough scrutiny. The eternal vigilance required to build self-defending security platforms knows no end. Moments like these should encourage us to seek diverse perspectives in security testing, transparency in findings, and active vulnerability disclosure and bounty programs incentivizing partnership with the research community.

Read on: https://www.securitymagazine.com/articles/101694-fog-ransomware-group-uses-unconventional-toolset-new-research-finds