A ransomware gang is channeling Elon Musk’s Department of Government Efficiency by taunting victims with ransom notes that demand to know what they’ve “accomplished for work” in the last week.
The FOG ransomware group has been distributing the DOGE-themed notes in recent weeks, according to malware samples that cybersecurity vendor Trend Micro discovered on the file-scanning service VirusTotal. “We observed that these samples initially dropped a note containing key names related to the Department of Government Efficiency (DOGE),” Trend Micro says.
The ransom notes also allude to Edward Coristine, who uses the online alias “Big Balls.” He reportedly has a history with cybercriminal groups, but was still appointed to Musk’s DOGE team. A separate cybersecurity firm, Cyble, spotted the same attack generating a pop-up on computers that says “DOGE BIG BALLS RANSOMWARE.”
(Credit: Cyble)
The FOG ransomware gang appears to be spreading its attack through phishing emails with an attachment titled “Pay Adjustment.zip.” If opened, the attachment will download and execute a PowerShell script designed to load the ransomware loader in “cwiper.exe,” along with other malicious programs.
“It also opens politically themed YouTube videos and includes written political commentary directly in the script,” Trend Micro notes. The attack is designed to gather data on the victim’s PC before encrypting the files, and then leaving a ransom note, demanding the victim pay approximately $1,000 in the Monero cryptocurrency.
According to Cyble, the ransom note, titled RANSOMNOTE.txt, introduces the threat actor as “Edward Coristine,” and lists his purported home address and phone number. The note then echoes Elon Musk’s recent emails to federal workers and demand that victims justify their productivity by listing their weekly accomplishments.
(Credit: Cyble)
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
“Give me five bullet points on what you accomplished for work last week or you owe me a TRILLION dollars,” the ransom note from the FOG gang says.
“The use of Coristine’s name and the ‘DOGE’ reference in the ransomware could be a tactic to malign him and the DOGE initiative,” Cyble adds.
Recommended by Our Editors
In the ransom note, the FOG group also claims they’ll decrypt the files for free, but only if the victim spreads the ransomware attack to another victim.
“FOG ransomware is a relatively new ransomware family that enterprises must add to their watchlist,” Trend Micro warns. The gang claims to have attacked over 100 victims, including organizations in the education, manufacturing, and transportation sectors, since January.
Meanwhile, the official “what did you do this week” emails from DOGE are reportedly a bust. The Washington Post reports that the Office of Personnel Management basically told HR officials across the government that the emails are voluntary and that the agency didn’t plan to do anything with the emails that were submitted.
About Michael Kan
Senior Reporter
Read the latest from Michael Kan
This article was published by WTVG on 2025-04-22 11:57:00
View Original Post
