What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a Frag attack can make a huge difference and help you make a full recovery. Request 24/7 Frag ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frag ransomware statistics & facts

Frag decryptor
Frag IOCs
Frag attack vectors
Case outcomes
How to remove Frag ransomware?
How to recover from Frag ransomware?
Ransom amounts
Frag decryptor

No public decryptor exists for Frag. The hybrid AES-256 + RSA-4096 encryption with private keys held by operators makes decryption impossible without ransom payment.

Frag IOCs

Indicators are identified through Veeam application logs, vulnerability scanning data, new account creation records, and dark web monitoring.

File extensions
.frag (primary), occasionally .Frag or .FRAG (case variations)

Ransom note filenames
RESTORE_YOUR_FILES.txt, README.txt, FRAG_RECOVERY.txt, typically placed in backup directories (/backups, C:\Backups, etc.)

Frag hashes
SHA256 hashes vary across samples; Frag binaries are deployed via Veeam RCE exploitation rather than email distribution. Representative samples have been analyzed by Sophos, Broadcom, and Recorded Future. The actual Frag ransomware binary hash varies with each compilation.

Frag tools
– Veeam exploitation: CVE-2024-40711 RCE payload delivery, Veeam API abuse
– Persistence: Local administrator account creation (point account), registry modification, scheduled tasks in Veeam context
– Backup encryption: Custom Frag binary using AES-256 + RSA-4096
– Lateral movement: Pass-the-hash attacks using newly created admin credentials, Kerberoasting
– C2 communication: HTTPS to Tor .onion site, alternative anonymous communication channels

Most common red flag
Execution of the following sequence in Veeam logs: failed initial vulnerability exploitation attempt, followed by successful admin account creation via ‘net user point [password] /add’, followed by service restart and encryption initiation.

Frag attack vectors

Attack vector

% of Frag incidents

Notes

VPN appliance compromise + Veeam RCE exploitation

70%

Compromised VPN used as entry point to reach Veeam server

Direct Veeam server internet exposure

20%

Veeam management console accessible from internet without authentication

Supply chain / third-party access

10%

Managed service provider with Veeam administrative access

Powered By WP Table Builder
Case outcomes

Frag victims report destruction of entire backup repositories within 2–6 hours of Veeam compromise. Organizations without off-site backups face complete data loss, as the primary recovery mechanism (Veeam) is compromised and encrypted. Documented victims have paid ransoms of $150,000–$2,000,000 depending on the criticality of backup data. One documented healthcare provider paid $800,000 to recover backup catalogs and recovery points. Organizations with immutable, air-gapped backups reported zero ransom payment but recovery costs of $300,000–$1,000,000 due to rebuild complexity.

How to remove Frag ransomware?

1. Immediately isolate all Veeam servers from the network (pull network cables) to prevent further encryption propagation.
2. Preserve forensic images of affected Veeam systems before any remediation to preserve evidence.
3. Boot Veeam servers into safe mode and scan with updated antivirus/EDR tools to locate and remove the Frag binary.
4. Force password resets for all accounts that accessed Veeam infrastructure, including the newly created ‘point’ account.
5. Apply the CVE-2024-40711 security patch to all Veeam Backup & Replication servers immediately.
6. Rebuild Veeam databases from clean backups or fresh installations; do not attempt to decrypt encrypted backup catalogs.
7. Verify firewall rules blocking Veeam management console access from the internet before re-connecting servers.

How to recover from Frag ransomware?

1. Restore VMs and data from immutable, air-gapped backups created before Veeam compromise (if available).
2. If no off-site backups exist, decrypt backup files using Frag decryption keys (if obtained via ransom payment or law enforcement recovery).
3. Rebuild Veeam infrastructure on new hardware with security hardening: restrict management console access, enforce multi-factor authentication, and implement network segmentation.
4. Re-test backup and restore procedures on recovered systems to ensure recovery capability.
5. Implement continuous incremental backups with 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 copy off-site and immutable.
6. Deploy network segmentation isolating Veeam infrastructure from general corporate networks.
7. Implement detailed Veeam audit logging and alerting on administrative account creation and backup deletion operations.

Ransom amounts

Frag operators typically demand $150,000–$2,000,000 depending on organization size and backup repository size. Enterprise organizations report demands of $500,000–$1,500,000. Negotiation may reduce initial demands by 30–50%. Payment is demanded in cryptocurrency (Bitcoin or Monero).

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What is Frag ransomware?

Frag is a new ransomware operation that emerged in late 2024, exploiting CVE-2024-40711 (a critical Veeam Backup & Replication deserialization vulnerability) to target enterprise backup infrastructure. Rather than using traditional file-based encryption, Frag specifically targets backup servers, backup catalogs, and recovery points to eliminate organizations’ primary recovery mechanism. Once backup infrastructure is destroyed, organizations have no option but to pay ransoms or accept permanent data loss.

Where is Frag gang located?

Attribution is limited; Frag operators are suspected to be based in Eastern Europe or the CIS region based on operational patterns and infrastructure, but no definitive geolocation has been established.

How does Frag ransomware work?

Frag attacks begin with VPN appliance compromise (phishing, credential theft, or unpatched vulnerabilities). Attackers pivot from the VPN to the internal network, locate the Veeam Backup & Replication server, and exploit CVE-2024-40711 to execute arbitrary code on the Veeam system without credentials. Once code execution is achieved, attackers create a persistent administrative account (typically named ‘point’), install the Frag ransomware binary, and encrypt all backup files, backup catalogs, and recovery points. Ransom demands follow within 24 hours.

How long do Frag attacks last?

From VPN compromise to backup encryption completion, Frag attacks typically span 4–12 hours. VPN compromise to Veeam discovery may take hours; CVE-2024-40711 exploitation is rapid (minutes); backup encryption spans 2–6 hours depending on backup repository size and network bandwidth.

Can Frag ransomware be deleted or decrypted?

Frag-encrypted backup files cannot be decrypted without the private RSA-4096 key held by operators. Deletion of the malware stops further encryption but does not recover encrypted backups. Recovery requires either paying the ransom for the decryption key or restoring from a second backup system that was not compromised.

What happens when infected?

When Frag compromises your Veeam infrastructure, all backup files, catalogs, and recovery points are encrypted and become inaccessible. Your ability to restore VMs, recover deleted files, or recover from other ransomware attacks is completely eliminated. A ransom note appears in backup directories, and operators contact you via a Tor website, demanding payment for decryption. You face a choice: (1) pay a large ransom with no guarantee of key delivery, or (2) restore from another backup system (if available) or pay recovery firms to rebuild systems from scratch.

How can it be prevented?

Prevent Frag attacks by: (1) immediately patching all Veeam Backup & Replication servers to the latest version with CVE-2024-40711 fix; (2) restricting Veeam management console access to internal networks only (never expose to internet); (3) implementing strong authentication and multi-factor authentication on Veeam administrative accounts; (4) securing VPN appliances with strong passwords, MFA, and regular patching; (5) maintaining immutable, air-gapped backups on separate storage infrastructure; (6) implementing network segmentation isolating backup infrastructure from general corporate networks; (7) deploying EDR solutions with behavioral detection for backup encryption and administrative account creation; and (8) conducting regular security audits of backup infrastructure.

What is a ransomware prevention checklist?

– Patch all Veeam Backup & Replication servers immediately (CVE-2024-40711 and all other patches)
– Restrict Veeam management console access to internal networks only; block internet access
– Implement multi-factor authentication on all Veeam administrative accounts
– Enforce strong, unique passwords (minimum 16 characters) for all Veeam accounts
– Implement network segmentation isolating backup infrastructure on a dedicated VLAN
– Deploy immutable backup storage with write-once, read-many (WORM) capabilities
– Implement 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 copy off-site
– Test backup restoration monthly from all backup systems to ensure recovery capability
– Enable and monitor Veeam audit logging for administrative actions and backup deletions
– Implement EDR solutions on Veeam servers with behavioral detection for encryption and account creation
– Conduct quarterly vulnerability scanning of backup infrastructure
– Restrict VPN access and force password resets on all VPN accounts
– Implement multi-factor authentication on all VPN endpoints

What is CVE-2024-40711 and why is it critical?

CVE-2024-40711 is a critical (CVSS 9.8) remote code execution vulnerability in Veeam Backup & Replication caused by unsafe deserialization of untrusted data. The vulnerability allows unauthenticated attackers to execute arbitrary code on the Veeam server by sending a specially crafted network packet, leading to complete compromise of backup infrastructure. Because Veeam is critical to business recovery, compromising Veeam infrastructure eliminates the organization’s primary recovery mechanism, making ransom payment far more likely.

Why do Frag specifically target Veeam instead of just encrypting files?

Frag’s focus on Veeam infrastructure is strategically superior to traditional file encryption. By destroying backups, Frag eliminates the primary recovery mechanism organizations depend on, making business continuation impossible without paying the ransom. Additionally, Veeam servers typically contain metadata about the entire IT infrastructure, allowing attackers to map and exfiltrate sensitive data across the organization. This makes Frag attacks far more damaging and raises ransom demands to $500,000–$2,000,000 vs. typical file encryption demands of $50,000–$200,000.