Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Fargo

Fargo is a ransomware variant that surfaced in 2022, primarily targeting Microsoft SQL Server (MSSQL) systems. Believed to be a variant of the TargetCompany ransomware family, Fargo uses brute-force or credential-stuffing attacks on exposed MSSQL instances to gain access, then executes payloads via SQL Server commands. Once deployed, it encrypts files using a combination of symmetric and asymmetric algorithms, appends the .Fargo3 (or similar) extension, and drops a ransom note directing victims to contact operators via email. It also attempts to delete system backups and shadow copies to prevent recovery. Fargo has been observed targeting organizations in multiple sectors, with a concentration of victims in South Korea and other parts of Asia.

Victims: 0
Faust

Faust is a variant of the well-known Phobos ransomware, part of a Ransomware-as-a-Service (RaaS) ecosystem active since around May 2019. Faust employs a double-extortion model, encrypting victim files and threatening to release stolen data if ransom demands are not met. It is distributed via Office document payloads using VBA scripts and is known for its fileless attack delivery, which enables stealth and evasion.

Victims: 0
Fivehands

FiveHands is a ransomware family first observed in January 2021, believed to be a successor to the HelloKitty ransomware variant. It operates under a Ransomware-as-a-Service (RaaS) model and uses the double-extortion tactic, encrypting files while threatening to leak stolen data via a Tor-based site. FiveHands is written in C# and leverages the NTRUEncrypt algorithm for file encryption alongside Curve25519 for key exchange. The ransomware is commonly deployed via Malwarebytes SombRAT or Cobalt Strike beacons after initial compromise, often gained through exploitation of vulnerable VPNs, phishing, or compromised credentials. FiveHands has targeted organizations in healthcare, finance, and manufacturing across North America, Europe, and Asia.

Victims: 0
Fletchen

Victims: 0
Fog

Fog is a sophisticated ransomware strain first observed in April–May 2024, initially targeting U.S. educational institutions before expanding into sectors such as government, business services, finance, and manufacturing. The group conducts fast, double-extortion attacks: they exploit compromised VPN credentials or known vulnerabilities, deploy encryption (notably using extensions like .fog, .FLOCKED), and exfiltrate data prior to encryption to maximize victim pressure. Fog is associated with other prolific actors—such as Akira and Conti—through shared tooling, infrastructure timelines, and even cryptocurrency wallets.

Victims: 134
Frag

Frag is a relatively new ransomware and data extortion group first seen in February 2025. The group operates a dedicated Tor-based leak site where it publishes victim details, including sector, location, and sample stolen files, as part of its double-extortion strategy. Within its first month of activity, Frag claimed over two dozen victims, spanning industries such as manufacturing, aviation, real estate, retail, and legal services, with a global footprint including the United States, the Netherlands, and Singapore. Intrusion methods have included exploitation of known vulnerabilities—such as the Veeam Backup & Replication flaw CVE-2024-40711—and compromised remote access appliances. The group’s operations and targeting style suggest experienced actors, possibly with past involvement in other ransomware projects.

Victims: 30
Freecivilian

Victims: 14
Freeworld

FreeWorld is a ransomware variant first observed in September 2023, and is believed to be derived from the Mimic ransomware family. It is deployed through coordinated campaigns dubbed DB#JAMMER, which exploit poorly secured Microsoft SQL (MSSQL) servers exposed to the internet. Attackers gain initial access via brute force, leverage the xp_cmdshell feature to execute shell commands, disable defenses, deploy remote access tools like Cobalt Strike and AnyDesk, and eventually deliver the FreeWorld payload. The ransomware encrypts files using hybrid encryption and appends the .FreeWorldEncryption extension. Victims receive a ransom note titled FreeWorld-Contact.txt, directing them on payment and data recovery steps.

Victims: 0
Frozen

Victims: 0
Fsociety

This group is also known by their malware name, FLOCKER. FSociety is a modern Ransomware-as-a-Service (RaaS) operation that emerged around 2024, named after the fictional hacking collective from Mr. Robot. It runs a double-extortion setup—encrypting victims’ data while simultaneously threatening to leak stolen files via a Tor-hosted portal. Organized campaigns suggest collaborative operations with other cybercrime actors, marking it as a part of a growing ransomware cartel ecosystem.

Victims: 62
Fsteam

Victims: 0
Ftcode

FTCode is a ransomware family first observed in 2013 as a PowerShell-based threat and later resurfaced in September 2019 with enhanced capabilities. It is notable for being fileless, executing entirely in memory using PowerShell scripts, which allows it to evade traditional antivirus detection. FTCode is commonly delivered via malicious email campaigns, often using phishing attachments such as Word documents with embedded macros that execute the ransomware script. It encrypts files using the AES algorithm and appends the .FTCODE extension, leaving ransom notes instructing victims to contact the operators via email. Later variants added capabilities such as stealing credentials from browsers and email clients. FTCode campaigns have been observed globally, with a focus on Europe, particularly Italy.

Victims: 0