Fog ransomware attack on Asia financial org draws attention over use of employee monitoring software
A cyberattack on a financial institution in Asia last month featuring the Fog ransomware has made a splash among researchers and incident responders due to the unusual tools and tactics involved.
Researchers at Symantec said the hackers used a legitimate employee monitoring software called Syteca — something they have never seen in a ransomware attack before. The actors also used several open-source pentesting tools that are not typically seen ahead of a ransomware deployment.
Brigid O Gorman, senior intelligence analyst at Symantec, told Recorded Future News that the company did not have enough evidence to link the attack to any specific nation state. But O Gorman said the “slightly unusual elements of this attack — the use of unusual tools, and establishing persistence after the ransomware is deployed — point to it being more than just a 'usual' ransomware attack.”
The report also notes the use of the GC2 penetration testing tool, which allows an attacker to execute commands on target machines using Google Sheets or Microsoft SharePoint List and exfiltrate files using Google Drive or Microsoft SharePoint documents.
Symantec said the tool “is not something we have seen used in ransomware attacks before, though it was used in an attack carried out by Chinese nation-state backed actor APT41 in 2023.”
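Because GC2 tasks and exfiltrates through ordinary Google Sheets and Drive endpoints, its traffic blends into normal SaaS use, and the practical defender's question is which process on the host is making those requests. The following is an added detection sketch, not Symantec's code or anything from the report: it reads constructed endpoint network-connection log lines (the log format, the allow-list of expected processes and the sample process names are all assumptions) and flags processes outside that allow-list that reach Google Sheets or Drive API hosts, then counts hits per process so repeated polling stands out.

```python
"""Flag non-browser processes that reach Google Sheets/Drive API hosts.

Added illustration only; the log line format, host list and allow-list are
assumptions chosen for this example, not detection logic from the article.
"""
from collections import Counter
from dataclasses import dataclass
import re

# Hosts a Sheets-tasked, Drive-exfiltrating tool would have to contact.
# (Assumed list; tune to what your proxy or EDR actually records.)
WATCHED_HOSTS = {
    "sheets.googleapis.com",
    "www.googleapis.com",
    "docs.google.com",
    "drive.google.com",
}

# Processes expected to talk to those hosts on a managed workstation (assumption).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Assumed one-event-per-line format: "<ts> host=<name> proc=<image> pid=<n> dst=<fqdn>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) dst=(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    proc: str
    pid: int
    dst: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    return fields


def find_suspicious(lines):
    """Alert on each connection to a watched host from a non-allow-listed process."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the pipeline
        if ev["dst"] in WATCHED_HOSTS and ev["proc"].lower() not in EXPECTED_PROCESSES:
            alerts.append(Alert(ev["ts"], ev["host"], ev["proc"], ev["pid"], ev["dst"]))
    return alerts


def summarize(alerts):
    """Count alerts per (host, process, pid); repeated hits suggest polling for tasks."""
    return Counter((a.host, a.proc, a.pid) for a in alerts)


# Constructed sample log; "updatehelper.exe" is a made-up process name.
SAMPLE_LOG = [
    "2025-06-03T10:00:01Z host=WS01 proc=chrome.exe pid=4120 dst=docs.google.com",
    "2025-06-03T10:00:05Z host=WS01 proc=updatehelper.exe pid=812 dst=sheets.googleapis.com",
    "2025-06-03T10:00:35Z host=WS01 proc=updatehelper.exe pid=812 dst=sheets.googleapis.com",
    "2025-06-03T10:01:02Z host=EXCH01 proc=w3wp.exe pid=2210 dst=login.microsoftonline.com",
    "2025-06-03T10:01:05Z host=WS01 proc=updatehelper.exe pid=812 dst=www.googleapis.com",
    "2025-06-03T10:02:00Z host=WS02 proc=GoogleDriveFS.exe pid=3311 dst=www.googleapis.com",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.proc}[{a.pid}] -> {a.dst}")
    for key, n in summarize(found).items():
        print("hits:", key, n)
```

The allow-list is the weak point of this approach: an attacker can run under a browser-like image name, so in production the process check should be paired with signer or file-hash verification from the EDR rather than the name alone, and the per-process hit count should feed a cadence check over a longer window.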
The other factor that raised concerns among incident responders was that after the ransomware was deployed, the attacker made an effort to establish persistence. In most ransomware attacks, the malicious activity typically ends on a network once the hackers have stolen data and deployed the ransomware.
The attackers in this instance “appeared to wish to retain access to the victim’s network.”
“These factors mean it could be possible that this company may in fact have been targeted for espionage purposes, with the ransomware attack merely a decoy, or perhaps also deployed in an attempt by the attackers to make some money while also carrying out their espionage activity,” Symantec experts said.
There have been multiple incidents across Asia and Oceania over the last three years where ransomware was used as a decoy for espionage attacks launched by Chinese nation-state hackers, including incidents affecting the government of Palau.
Onscreen recording
Incident responders are unsure of how the attack on the financial institution began but noted that two of the infected machines were Microsoft Exchange servers. Due to longstanding vulnerabilities, Microsoft Exchange servers are a common entry point for ransomware attackers, Symantec said.
The attackers spent two weeks on the victim’s network before deploying the ransomware.
Symantec researchers are still unsure of the role Syteca played in the attack, but it is widely used legitimately by businesses attempting to monitor employees and limit their access. Many businesses use Syteca to record an employee’s onscreen activity, track keystrokes and more.
James Maude, field CTO at security company BeyondTrust, said threat actors typically use legitimate commercial software during attacks to reduce the chances that their intrusions are detected by security tools.
“This tactic also allows them to focus more on socially engineering users and harvesting credentials than writing malicious code,” Maude said. “These techniques are especially effective in environments where users have local administrator privileges and uncontrolled application installations.”
Symantec theorized that Syteca was used for information stealing or spying, the most likely reasons attackers would deploy it during an incident. The attackers in this incident also made an effort to delete evidence of their activity.
“The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before,” the researchers said. “The attackers establishing persistence on a victim network having deployed the ransomware is also not something we would typically see in a ransomware attack.”
Fog ransomware first emerged in May 2024 and focused on targeting educational institutions in the U.S., including a large-scale attack on the University of Oklahoma. The group behind the ransomware drew headlines in April when incident responders said they saw phishing emails and ransom notes referencing Elon Musk’s Department of Government Efficiency (DOGE) in an effort to mock victims.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.