Kaspersky Global Research and Analysis Team (GReAT) has found that the Fog Ransomware group, known for its attacks on a range of industry sectors, has begun to link the IP addresses of their victims to their stolen data and publish this information on the Dark Web, marking a shift from traditional ransomware extortion tactics.
By publishing IP addresses in this way, the group increases the psychological pressure on victims, making breaches seem more immediate and traceable while increasing the risks of regulatory fines for exposed organisations.
Ransomware-as-a-Service (RaaS) is a business model where malware developers lease out ransomware and its control infrastructure to other cybercriminals. Fog Ransomware is a group offering ransomware services that emerged in early 2024 and is known for its attacks on sectors such as education, recreation, and finance.
The group exploited compromised VPN credentials to access victims’ data, which was promptly encrypted, sometimes in under two hours. The attacks affected Windows and Linux systems. Previously, Fog employed double extortion tactics, encrypting the data and threatening public exposure to pressure victims into paying ransoms.
Fog’s new tactic goes even further: the group became the first RaaS operation to publicly expose the IP addresses and stolen data of its victims on the Dark Web after the attack. Apart from the increased psychological pressure on victims, the exposure of IPs may also facilitate additional cybercriminal activity by providing external threat actors with a potential entry point into the compromised networks. Follow-up attacks could include credential stuffing or botnet activity against the already compromised organisations.
“As ransomware operators face declining payments due to improved cybersecurity defenses and regulatory pressures, they seek to refine their ransom extortion methods to maintain leverage over victims,” comments Marc Rivero, lead security researcher with Kaspersky Global Research and Analysis Team.
“The public exposure of IP addresses in conjunction with data leaks may increase the likelihood of organisations complying with ransom demands in future incidents. This tactic could be a fear-driven marketing strategy, where the attackers showcase their ruthlessness in an effort to intimidate future victims into paying quickly.”