Wazuh warns Windows users of new “DOGE Big Balls” ransomware variant


Wazuh has advised its users on “DOGE Big Balls,” a recently identified ransomware variant linked to the “Fog” ransomware group. First observed in early 2025, DOGE Big Balls gained notoriety after making international headlines with ransom demands that reached $1 trillion in Dogecoin—a deliberately satirical sum that underscored the group’s intent to provoke and destabilize rather than just extort.

The ransomware, which cyber analysts have likened to “trolling as a service,” was named in reference to Elon Musk’s demand for federal workers to email the Department of Government Efficiency (DOGE) with five bullet points on what they had accomplished in the previous week. The “Big Balls” moniker is the nickname of a graduate software engineer who worked as a senior advisor in the department.

Victims have reported not only file encryption but also public shaming attempts, ransom notes, and threats of data leaks—even in cases where data exfiltration could not be confirmed. The goal appears to be psychological pressure through humiliation and destabilization, amplifying the reputational impact of each attack. The malware has already disrupted operations across sectors, including finance, education, and tech.

The ransomware is delivered through phishing emails containing ZIP archives that trigger PowerShell scripts. Once executed, DOGE Big Balls exploits vulnerable drivers to achieve privilege escalation, performs extensive system reconnaissance, and encrypts user files while sparing core Windows OS directories. It also drops provocative ransom notes and stores reconnaissance logs for potential exfiltration.

  • Privilege escalation: It exploits vulnerable drivers, such as iqvw64e.sys, to gain kernel-level access without triggering security alerts.

  • Reconnaissance: The ransomware collects detailed system information by executing a series of reconnaissance commands such as systeminfo, net config Workstation, ipconfig /all, and whoami. The output of these commands is written to a log file named DbgLog.sys, which is stored locally before potential exfiltration. This behavior allows the attackers to profile the victim’s environment and assess the value of the compromised system.

Wazuh detects DOGE Big Balls through a suite of custom Sysmon-based rules, which identify reconnaissance commands, suspicious firewall queries, and the creation of known ransomware artifacts. Behavioral detection rules are mapped to MITRE techniques such as T1486 (Data Encrypted for Impact).
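As an added illustration (not Wazuh's own rules or code), the Python below mirrors the detection logic the article describes, run over a few constructed Sysmon-style events: it flags a load of the iqvw64e.sys driver, a burst of the four reconnaissance commands on one host, and the creation of the DbgLog.sys artifact. The event field names follow the Sysmon schema; the threshold of three distinct commands and the MITRE mappings other than T1486 are my own choices, not taken from the article.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not from the article). EventID 6 is a
# driver load, 1 a process creation and 11 a file creation, as in the Sysmon schema.
SAMPLE_EVENTS = [
    {"EventID": 6, "Host": "ws01", "ImageLoaded": r"C:\Windows\Temp\iqvw64e.sys"},
    {"EventID": 1, "Host": "ws01", "CommandLine": "systeminfo"},
    {"EventID": 1, "Host": "ws01", "CommandLine": "net  config Workstation"},
    {"EventID": 1, "Host": "ws01", "CommandLine": r"C:\Windows\System32\ipconfig.exe /all"},
    {"EventID": 1, "Host": "ws01", "CommandLine": "whoami"},
    {"EventID": 11, "Host": "ws01", "TargetFilename": r"C:\Users\Public\DbgLog.sys"},
    {"EventID": 1, "Host": "ws02", "CommandLine": "ipconfig /all"},  # a lone admin command
]

# The four reconnaissance commands named in the article, matched case-insensitively
# whether typed bare or with a full path / .exe suffix.
RECON_PATTERNS = {
    "systeminfo": re.compile(r"(?:^|\\)systeminfo(?:\.exe)?\b", re.I),
    "net config Workstation": re.compile(r"(?:^|\\)net(?:\.exe)?\s+config\s+workstation\b", re.I),
    "ipconfig /all": re.compile(r"(?:^|\\)ipconfig(?:\.exe)?\s+/all\b", re.I),
    "whoami": re.compile(r"(?:^|\\)whoami(?:\.exe)?\b", re.I),
}
RECON_THRESHOLD = 3  # distinct recon commands per host before alerting (assumed value)

def analyze(events):
    """Return alerts as (host, level, mitre_id, message) in the order they fire."""
    alerts = []
    recon_seen = defaultdict(set)  # host -> distinct recon commands observed so far
    for ev in events:
        host, eid = ev["Host"], ev["EventID"]
        if eid == 6 and ev.get("ImageLoaded", "").lower().endswith("\\iqvw64e.sys"):
            alerts.append((host, "high", "T1068", "vulnerable driver iqvw64e.sys loaded"))
        elif eid == 11 and ev.get("TargetFilename", "").lower().endswith("\\dbglog.sys"):
            alerts.append((host, "high", "T1005", "reconnaissance log DbgLog.sys created"))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            for name, pattern in RECON_PATTERNS.items():
                if pattern.search(cmd):
                    recon_seen[host].add(name)
                    # Fire once, when the host crosses the threshold (like a frequency rule).
                    if len(recon_seen[host]) == RECON_THRESHOLD:
                        alerts.append((host, "medium", "T1082",
                                       "recon burst: " + ", ".join(sorted(recon_seen[host]))))
    return alerts

if __name__ == "__main__":
    for host, level, mitre, msg in analyze(SAMPLE_EVENTS):
        print(f"{host} [{level}] {mitre}: {msg}")
```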

For technical guidance and rule configuration, visit the Wazuh blog or join the Wazuh Slack community.
