{"id":23924,"date":"2025-03-21T06:28:24","date_gmt":"2025-03-21T10:28:24","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/fog-reveals-victims-ip\/23924\/"},"modified":"2025-03-21T17:04:38","modified_gmt":"2025-03-21T13:04:38","slug":"fog-reveals-victims-ip","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/fog-reveals-victims-ip\/23924\/","title":{"rendered":"Fog ransomware publishes victims&#8217; IP addresses"},"content":{"rendered":"<p>We closely monitor changes in the tactics of various cybercriminal groups. Recently, experts from Kaspersky\u2019s Global Research and Analysis Team (GReAT) noted that, after attacks with Fog ransomware, malefactors were publishing not only victims\u2019 data, but also the IP addresses of the attacked computers. We haven\u2019t seen this tactic used by ransomware groups before. In this post, we explain why it\u2019s important and what the purpose of this tactic is.<\/p>\n<h2>Who is the Fog ransomware group, and what\u2019s it known for?<\/h2>\n<p>Since the ransomware business began <a href=\"https:\/\/www.kaspersky.com\/blog\/darkside-ransomware-industry\/39377\/\" target=\"_blank\" rel=\"noopener nofollow\">to turn into a full-fledged industry<\/a>, the involved cybercriminals have been splitting themselves up into various specializations. Nowadays, the creators of the ransomware and the people directly behind the attacks are most often not connected in any way \u2014 the former develop the malware along with a platform for attacks and subsequent blackmailing, while the latter simply buy access to the code and infrastructure under the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/ransomware-as-a-service-raas\/\" target=\"_blank\" rel=\"noopener\">ransomware-as-a-service (RaaS) model<\/a>.<\/p>\n<p>Fog ransomware is one such platform \u2014 first noticed in early 2024. The malware is used to attack computers running either Windows or Linux. 
As is customary among ransomware operators in recent years, the affected data is not only encrypted, but also uploaded to the attackers\u2019 servers, and then, if the victim refuses to pay, published on a TOR site.<\/p>\n<p>Attacks using Fog were carried out against companies working in the fields of education, finance, and recreation. Often, criminals used previously leaked VPN access credentials to penetrate the victim\u2019s infrastructure.<\/p>\n<h2>Why are they publishing IP addresses?<\/h2>\n<p>Our experts believe that the main purpose of publishing IP addresses is to increase the psychological pressure on victims. Firstly, it increases the traceability and visibility of an incident. The effect of publishing the name of a victim company is less impressive, while the IP address can quickly tell not only who the victim was \u2014 but also what exactly was attacked (whether it was a server or a computer in the infrastructure). And the more visible the incident, the more likely the victim is to face lawsuits over data leakage and fines from regulators. Therefore, it\u2019s more likely that the victim will make a deal and pay the ransom.<\/p>\n<p>In addition, publishing an IP address sends a signal to other criminal groups, which can use the leaked data. They become aware of the address of a machine known to be vulnerable, and have access to the information downloaded from it, which can be studied and used for further attacks on the infrastructure of the same company. 
This, in turn, makes the consequences of publication even more unpleasant, and therefore becomes an additional deterrent to ignoring the blackmailer\u2019s demands.<\/p>\n<h2>How to stay safe<\/h2>\n<p>Since most ransomware attacks still start with employee error, we first recommend periodically raising staff awareness about modern-day cyberthreats (for example, using the <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">online training platform<\/a>).<\/p>\n<p>In order not to lose access to critical data, we, as usual, recommend making backups and keeping them in storage isolated from the main network. To prevent the ransomware from running on the company\u2019s computers, it\u2019s necessary that each corporate device with access to the network be equipped with an <a href=\"https:\/\/me-en.kaspersky.com\/next?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____655fe72318f39647\" target=\"_blank\" rel=\"noopener\">effective security solution<\/a>. We also recommend that large companies monitor activity in the infrastructure using an XDR-class solution, and, if necessary, involve third-party experts <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">in detection and response activities<\/a>.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-ransomware\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"kesb-ransomware\" value=\"22649\">\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals behind the Fog ransomware publish leaked data along with the IP addresses of attacked computers. 
<\/p>\n","protected":false},"author":2706,"featured_media":23925,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[575,1958,433],"class_list":{"0":"post-23924","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-great","11":"tag-ip-addresses","12":"tag-ransomware"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fog-reveals-victims-ip\/23924\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fog-reveals-victims-ip\/28685\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fog-reveals-victims-ip\/28803\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fog-reveals-victims-ip\/39280\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fog-reveals-victims-ip\/53206\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fog-reveals-victims-ip\/28964\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fog-reveals-victims-ip\/34752\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fog-reveals-victims-ip\/34381\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/ransomware\/","name":"ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23924"}],"version-history":[{"count":1,"href":"https:\/\/me-en.k
aspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23924\/revisions"}],"predecessor-version":[{"id":23926,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23924\/revisions\/23926"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23925"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}