IronSights

Incident response · Fog ransomware

Fog ransomware goes for the backups first, then the classrooms notice.

Fog made its Australian mark in December 2024 when it listed Waverley Christian College in Victoria, and education remains its favourite hunting ground worldwide, usually entered through compromised VPN credentials. It deletes the backups it can reach before encrypting, which is exactly why the first hour matters so much.

Recognise it

How to confirm it is Fog.

Before anything else, keep the encrypted files and every ransom note exactly where they are. They identify the strain, and they are often the raw material a recovery works from.

File extension
.fog or .flocked appended to encrypted files (the extension is operator-configurable, so variants exist)
Ransom note
readme.txt in affected folders, linking to a Tor negotiation site with a chat interface
First seen
May 2024, with roughly 80 per cent of early victims in the education sector
Australian footprint
Listed Waverley Christian College (around 2,270 students) in December 2024, claiming about 5 GB of data including financial and insurance records

Behaviour

What Fog does to your systems.

Enters through VPN credentials

Compromised or purchased VPN credentials are the standard entry, which is why remote access without multi-factor authentication is the single biggest Fog risk factor.

Backups attacked first

Fog deletes Windows volume shadow copies and goes after backup platforms, including object storage used by Veeam, before triggering encryption.

Virtual machines in scope

It encrypts virtual machine disk files in VM storage, so a school or business running on a small virtualised stack can lose every server at once.

Double extortion

Data is stolen for leverage and listed on a leak site if negotiation fails, which is how the Waverley incident became public.

Education-heavy targeting

Schools combine sensitive data about children with small IT teams, and Fog's victim list reflects that arithmetic deliberately.

Fast, broad encryption

Documents, databases and backups are encrypted quickly across reachable shares. Speed over thoroughness is the consistent trade in modern strains, and it is the trade recovery exploits.

The honest answer

Can Fog-encrypted files be recovered?

The starting point is what survived its backup hunt: offline or immutable backups Fog could not reach, and snapshots outside its grasp remain the fastest path back. Check before trusting them, because backups taken while the attackers were inside can carry their access with them.

Where the backups are gone, the encrypted files themselves still deserve assessment. Fog moves fast across large estates, and fast encryption of large structured files (databases, virtual disks) routinely leaves substantial data intact beneath the damage. Whether that holds in your incident depends on the build and configuration, which a sample of encrypted files tells us quickly. There is no public decryptor for Fog, so paths that do not depend on the attacker are the ones worth working.

Keep every encrypted file, keep the readme.txt notes, take whatever backups survived offline, and get an assessment before any machine is rebuilt. For a school, we work the parent-communication and notification questions alongside the technical recovery.

Common questions

Fog, in plain terms.

Mid-incident and need a straight answer? Call 1300 004 766. A person answers, 24 hours a day.

  1. What is the .fog / .flocked file extension?

    Files renamed to .fog or .flocked have been encrypted by the Fog ransomware operation, active since May 2024 and heavily focused on the education sector. The extension is configurable by the operator, so variants appear, but the readme.txt note and Tor negotiation link are consistent markers. Keep the files and notes in place; they identify the build.

  2. Is there a free decryptor for Fog?

    No. There is no public decryptor for Fog. The realistic paths are backups it could not reach, surviving snapshots, partial-encryption recovery of large files, and rebuilding from source systems. Payment sits last, funds the offender, and in Australia carries its own 72-hour reporting obligation for businesses over $3 million turnover.

  3. We're a school. What does a Fog incident mean for us?

    Beyond recovery, an information duty. Schools hold enrolment, welfare, medical and family court information, and the Notifiable Data Breaches scheme requires prompt assessment where serious harm is likely. The December 2024 Waverley Christian College incident is the local template: the school confirmed the incident and notified both the ACSC and the OAIC. Preserved evidence is what lets you say accurately what was accessed, to the regulator and to parents.

  4. Fog encrypted our virtual machines. Is anything recoverable?

    Virtual machine disks are large structured files, which makes them among the better candidates for partial-encryption recovery when backups are gone. Do not delete the datastores or recreate the VMs; the encrypted VMDK files are where the surviving data lives, and an assessment of a few samples shows quickly how much is intact.

  5. What should we do in the first hour?

    Disconnect affected machines from the network but keep them powered on, keep every encrypted file and note, take surviving backups offline, and start a timeline. Do not rebuild or run cleanup tools. Then call 1300 004 766, answered by a person 24 hours a day, and hand our one-page First-Response Guide to whoever is helping you.

Right now

The first hours decide what can be saved.

Isolate the machines, keep the encrypted files, take backups offline, and call before anything gets rebuilt. Australian incident response, answered by a real person.