Ransomware has evolved to become one of the most sophisticated threats in today’s cybersecurity landscape, with each new strain incorporating unique tactics to bypass defences and maximise damage. Recently, a new ransomware strain, dubbed Frag, has emerged, showcasing a chillingly direct approach to ensure compliance with its demands. With its .frag file extension and a distinctively intimidating ransom note, Frag ransomware uses a combination of psychological manipulation and technical sophistication to coerce victims into engagement.

This post will explore Frag ransomware in depth, examining the tactics, techniques, and procedures (TTPs) it employs, along with the trend of “living off the land” (LOLBins) that makes it increasingly challenging for organisations to detect. By understanding these methods, organisations can better position themselves to defend against similar attacks and reduce the likelihood of a successful compromise.

The Frag Ransomware Threat

Frag, a relatively new group (of which there are seemingly more than ever appearing these days), has a somewhat unique ransom note, which is strikingly straightforward in its intent.

Frag is here!

If you are a regular employee, manager or system administrator, do not delete/ignore this note or try to hide the fact that your network has been compromised from your senior management. This letter is the only way for you to contact us and resolve this incident safely and with minimal loss.

We discovered a number of vulnerabilities in your network that we were able to exploit to download your data, encrypt the contents of your servers, and delete any backups we could reach. To find out the full details, get emergency help and regain access to your systems,

All you need is:

1. Tor browser (here is a download link: https://www.torproject.org/download/
2. Use this link to enter the chat room – wwt74tr4a2hnwztj3togejqivuc3u37axhh7wtsozhkblzgnmkbereqd.onion
3. Enter a code ( ) to sign in.
4. Now we can help you.
We recommend that you notify your upper management so that they can appoint a responsible person to handle negotiations. Once we receive a chat message from you, this will mean that we are authorised to pass on information regarding the incident, as well as disclose the details inside the chat. From then on, we have 2 weeks to resolve this privately.

We look forward to receiving your messages.

That tor site looks like so:

It doesn’t just urge victims to contact the attackers; it explicitly warns employees not to hide the incident from management. With lines like, “do not delete/ignore this note or try to hide the fact that your network has been compromised from your senior management,” the attackers aim to instil a sense of urgency and fear.

Whilst this is not necessarily new, it does play on the psychological aspect of ransom attacks where you are scared to the others know that it had happened.

The note instructs victims to download the Tor browser and enter a designated chat room using a unique code to initiate contact. This controlled communication method underscores the sophistication of the operation, ensuring that communication remains private, untraceable, and exclusively through the Tor network.

Frag’s language serves as an implicit threat: by following the instructions, the organisation could minimise its losses. By subtly implying that non-compliance might escalate the damage, the ransomware operators cleverly exploit natural fears in compromised organisations, particularly among lower-level employees and administrators who may feel they are personally responsible.

Initial Access and Targeting

The ransomware group behind Frag appears to follow a playbook, similar to that of other well-known strains like Akira and Fog. Frag ransomware is likely to exploit specific vulnerabilities within networks to gain initial access. While the exact vulnerabilities vary, attackers often capitalise on weaknesses that are left unpatched, along with misconfigurations in backup and storage solutions.

One of Frag’s primary tactics is targeting backups. Attackers focus on accessing and erasing any backups they find, leaving the organisation with few options besides engaging with them. This focus on disabling or corrupting backup systems removes a critical safety net for organisations, giving Frag ransomware operators more leverage in negotiations.

Tactics, Techniques, and Procedures (TTPs) of Frag Ransomware

Frag’s operators leverage several tools and techniques to escalate their attack once inside a network, many of which are hallmarks of other sophisticated ransomware campaigns:

Targeting Veeam Services & Using Cloudflare Tunnels

Frag ransomware has demonstrated a preference for targeting Veeam backup solutions, aiming to delete or corrupt any reachable backup files. By disabling backup infrastructure, attackers further corner the organisation into paying the ransom to avoid permanent data loss.

Additionally, the use of Cloudflare Tunnels allows attackers to create encrypted channels, which can bypass traditional firewall restrictions and maintain persistence on compromised networks. This tactic enables them to securely communicate with compromised machines without triggering network security controls.

LOLBins in Action: WinRAR, WinSCP, and RougeKiller

LOLBins (living off the land binaries) are legitimate software tools that are often already installed on systems, and Frag’s operators use them to evade detection:

• WinRAR and WinSCP: Frag operators use WinRAR for compressing and archiving files before exfiltration, while WinSCP enables them to transfer these files from compromised systems. Both tools help attackers avoid triggering alarms associated with custom-built exfiltration scripts.
• EDRkillers: we’ve seen some gangs explored the use of the current wave of EDR killing scripts being released, such as https://github.com/lkarlslund/nifo and Aukill https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/?amp=1

Since early 2023, the latter tool has been weaponized in at least three ransomware attacks to cripple target defences and launch ransomware. In January and February, attackers deployed Medusa Locker ransomware using the tool, and in February, AuKill was used just before unleashing Lockbit

AuKill, by contrast, abuses Process Explorer microsoft signed driver (PROCEXP.SYS). Threat actors have been increasingly exploiting vulnerable drivers to disable security tools such as EDRs. Drivers are low-level system components running within the Windows kernel with access to critical security structures in kernel memory.

To bypass this security feature, attackers need to either find a way to get a malicious driver signed by a trusted certificate or, more commonly, exploit a legitimate commercial software driver in what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack.

In this instance, the attackers leveraged a driver that was both created and signed by Microsoft. Specifically, they exploited the Process Explorer driver, which is part of the Sysinternals suite of administrative tools.
Sophos and other security vendors have reported multiple incidents where Backstab or similar drivers were misused for malicious purposes.

To mitigate risk, Windows uses a security feature called Driver Signature Enforcement, which requires kernel-mode drivers to be signed by a valid code signing authority before they are allowed to run. This signature acts as a verification of trust, confirming the identity of the software and protecting the user’s system.

As attackers see the benefit of BYOVD, and indeed many vendors still struggle with ensuring they are secure, this will continue to be a juice TTP used by ransomware crews in years to come.
By using tools like these, attackers can easily execute ransomware and to evade detection — but Agger is built differently. Designed to withstand BYOVD tactics, Agger thwarts these attempts, ensuring our defences remain intact where others might fall.

These tools exemplify the growing trend of ransomware operators adopting legitimate and illegitimate software in their workflows, helping them remain undetected by leveraging trusted software that is often left unchecked by security measures.

Living Off the Land (LOLBins) and Current Ransomware Trends

A key reason for Frag ransomware’s stealth is its reliance on LOLBins, a tactic widely adopted by more traditional threat actors. By using familiar, legitimate software already present within most networks, attackers can conduct malicious operations while bypassing endpoint detection systems.Whilst this is certainly not new in the threat actor space, it does show how ransomware crews are adapting their approaches.

LOLBins, or “living off the land” binaries, are non-malicious programs that attackers use to blend into a system’s environment. These tools come pre-installed on operating systems or are common software tools that organisations use daily. For ransomware operators, LOLBins reduce the need for custom malware and allow for flexibility, as their actions appear less suspicious.

The use of LOLBins isn’t unique to Frag; ransomware strains like Akira and Fog have employed similar strategies, focusing on blending into normal network activity and hiding in plain sight. By using LOLBins, these operators exploit trusted software for malicious purposes, increasing the difficulty of timely detection.

Benefits of LOLBins for Attackers

Using LOLBins help attackers evade both detection and sandboxing efforts. Because these binaries are widely trusted, it is challenging for most security tools to distinguish between legitimate and malicious actions. LOLBins also give attackers flexibility, enabling them to tailor their tactics based on the environment they encounter, effectively making each attack more adaptable.

Defending Against Frag Ransomware and LOLBins Exploitation

With attackers increasingly relying on LOLBins, traditional security approaches are no longer sufficient. Organisations need to adopt layered defences to mitigate the risks posed by Frag ransomware and similar threats, namely:

Vulnerability Management and Patching – Implement regular vulnerability assessments, particularly focusing on backup solutions in use by your organisationm. Attackers often exploit unpatched systems or misconfigurations. Patch management processes should include prioritising high-risk applications and regularly evaluating backup infrastructure for security.

Monitoring for LOLBin Usage – Set up behavioural monitoring for abnormal usage patterns of tools like WinRAR, WinSCP, and Cloudflare Tunnels. Has that user ever used them before? If not, this is a red flag. While these tools are common, excessive or unusual activity could indicate compromise. Advanced threat detection solutions that can identify anomalous behaviour in legitimate tools offer an additional layer of security.

Strengthening Backup Security – “Air-Gap” Isolating backups from the primary network is crucial and helps make life miserable for ransomware gangs. Employ strict access controls and network segmentation to prevent attackers from reaching backup files. Additionally, consider employing immutable backup solutions that prevent deletion or alteration of backup data.

Awareness and Training -Implement awareness programs that encourage employees to report incidents promptly. In Frag’s ransom note, the attackers suggest victims hide the incident, potentially escalating the damage. Training employees on best practices and the importance of quick incident reporting can help minimise damage.

Conclusion

Frag ransomware approach illustrates the increasing sophistication of modern ransomware threats. By using known vulnerabilities, targeting backup systems, and leveraging LOLBins to evade detection, Frag operators exemplify the advanced tactics today’s attackers employ. Organisations must adopt a proactive stance, combining advanced technical defences with ongoing awareness training to effectively combat these evolving threats.

The use of LOLBins signifies a strategic shift in ransomware campaigns, one that underscores the importance of understanding not just the tools attackers use but also the broader context of their methods. As threats continue to evolve, so too must our defences. Investing in a layered approach to cybersecurity that addresses both technical and human factors will be essential for organisations aiming to safeguard against ransomware in the years to come.

Agger is built to disrupt ransomware operators at every turn. With a security-first design in our code, infrastructure, and logic, it’s no easy task for attackers to sidestep. Unlike other solutions, Agger isn’t just something they can switch off without getting noticed.

Want to learn more? Get in touch.