Fog Ransomware Evolves: Espionage Tactics, Elon Musk Mockery, and Uncommon Tools Highlight New Threats
June 14, 2025
The attackers maintained access to the firm's network for a prolonged reconnaissance phase, indicating a calculated strategy that is uncommon in typical ransomware incidents.
This incident highlights the necessity for businesses to remain vigilant against unusual attack methodologies and to recognize emerging tactics.
In April 2025, the attackers shifted their tactics to email-based infections, using ransom notes that mocked Elon Musk's DOGE agency and encouraged victims to spread the infection for free decryption.
In May 2025, Fog ransomware operators targeted an Asian financial firm, employing an unusual combination of legitimate tools and open-source utilities.
Additionally, attackers utilized GC2 for command and control through platforms like Google Sheets or SharePoint, further supporting the notion of espionage activities.
By late 2024, attackers took advantage of a critical vulnerability in Veeam VBR, identified as CVE-2024-40711, which carries a CVSS score of 9.8.
The tools utilized in these attacks included Syteca monitoring software, along with pentesting tools like GC2, Adaptix, and Stowaway, which are rarely seen in ransomware campaigns.
Researchers speculate that the atypical toolset and the establishment of post-ransomware persistence suggest the incident may have espionage motives, with ransomware serving as a secondary goal.
Symantec noted that the libraries loaded by Syteca indicate it was likely used for information gathering or spying, given its capabilities.
Fog ransomware, which has been active since at least mid-2024, initially targeted U.S. schools and has evolved to exploit compromised VPN credentials and vulnerable Veeam Backup & Replication servers.
In a recent attack, the perpetrators compromised the network two weeks before deploying the ransomware, infecting two Exchange servers during this period.
While the initial infection vector remains unclear, experts suspect that Exchange servers played a role in the breach.
Summary based on 2 sources
Sources

SecurityWeek • Jun 13, 2025
Fog Ransomware Attack Employs Unusual Tools
Security Affairs • Jun 14, 2025
Unusual toolset used in recent Fog Ransomware attack