Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Frag ransomware recovery team on standby
Frag ransomware emerged in late 2024 exploiting CVE-2024-40711, a critical unauthenticated RCE flaw in Veeam Backup & Replication, specifically targeting enterprise backup infrastructure to maximize ransom leverage. Do not attempt recovery alone — isolate affected systems and contact UnderDefense immediately to contain the attack and preserve evidence.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Frag attack can make a huge difference and help you make a full recovery. Request 24/7 Frag ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Watch for Frag’s indicators of compromise: .frag file extensions on encrypted files, evidence of new administrative accounts (often named ‘point’), CVE-2024-40711 exploitation attempts in Veeam logs, suspicious Veeam service restarts, and ransom notes appearing in backup directories. The malware targets backup infrastructure specifically to eliminate recovery options.
Rather than relying on pre-existing backdoors, Frag directly exploits a critical Veeam RCE flaw, allowing attackers to execute arbitrary code on backup servers without prior compromise or credentials.
Encrypts backup files, backup catalogs, and recovery points using symmetric encryption for speed and public-key encryption for security, rendering all backup-based recovery options useless.
Frag specifically targets Veeam servers because destruction of backup infrastructure prevents the primary recovery mechanism organizations depend on, making ransom payment more likely.
Creates new local administrator accounts (typically named 'point') on compromised Veeam servers to establish persistence, allowing re-entry even after vulnerability patches.
Ransom notes typically appear in backup repository directories and system root, directing victims to contact operators via Tor for decryption and recovery services.
No public decryptor exists for Frag. The hybrid AES-256 + RSA-4096 encryption with private keys held by operators makes decryption impossible without ransom payment.
Indicators are identified through Veeam application logs, vulnerability scanning data, new account creation records, and dark web monitoring.
File extensions
.frag (primary), occasionally .Frag or .FRAG (case variations)
Ransom note filenames
RESTORE_YOUR_FILES.txt, README.txt, FRAG_RECOVERY.txt, typically placed in backup directories (/backups, C:\Backups, etc.)
Frag hashes
SHA256 hashes vary across samples; Frag binaries are deployed via Veeam RCE exploitation rather than email distribution. Representative samples have been analyzed by Sophos, Broadcom, and Recorded Future. The actual Frag ransomware binary hash varies with each compilation.
Frag tools
– Veeam exploitation: CVE-2024-40711 RCE payload delivery, Veeam API abuse
– Persistence: Local administrator account creation (point account), registry modification, scheduled tasks in Veeam context
– Backup encryption: Custom Frag binary using AES-256 + RSA-4096
– Lateral movement: Pass-the-hash attacks using newly created admin credentials, Kerberoasting
– C2 communication: HTTPS to Tor .onion site, alternative anonymous communication channels
Most common red flag
Execution of the following sequence in Veeam logs: failed initial vulnerability exploitation attempt, followed by successful admin account creation via ‘net user point [password] /add’, followed by service restart and encryption initiation.
Attack vector | % of Frag incidents | Notes |
VPN appliance compromise + Veeam RCE exploitation | 70% | Compromised VPN used as entry point to reach Veeam server |
Direct Veeam server internet exposure | 20% | Veeam management console accessible from internet without authentication |
Supply chain / third-party access | 10% | Managed service provider with Veeam administrative access |
Frag victims report destruction of entire backup repositories within 2–6 hours of Veeam compromise. Organizations without off-site backups face complete data loss, as the primary recovery mechanism (Veeam) is compromised and encrypted. Documented victims have paid ransoms of $150,000–$2,000,000 depending on the criticality of backup data. One documented healthcare provider paid $800,000 to recover backup catalogs and recovery points. Organizations with immutable, air-gapped backups reported zero ransom payment but recovery costs of $300,000–$1,000,000 due to rebuild complexity.
1. Immediately isolate all Veeam servers from the network (pull network cables) to prevent further encryption propagation.
2. Preserve forensic images of affected Veeam systems before any remediation to preserve evidence.
3. Boot Veeam servers into safe mode and scan with updated antivirus/EDR tools to locate and remove the Frag binary.
4. Force password resets for all accounts that accessed Veeam infrastructure, including the newly created ‘point’ account.
5. Apply the CVE-2024-40711 security patch to all Veeam Backup & Replication servers immediately.
6. Rebuild Veeam databases from clean backups or fresh installations; do not attempt to decrypt encrypted backup catalogs.
7. Verify firewall rules blocking Veeam management console access from the internet before re-connecting servers.
1. Restore VMs and data from immutable, air-gapped backups created before Veeam compromise (if available).
2. If no off-site backups exist, decrypt backup files using Frag decryption keys (if obtained via ransom payment or law enforcement recovery).
3. Rebuild Veeam infrastructure on new hardware with security hardening: restrict management console access, enforce multi-factor authentication, and implement network segmentation.
4. Re-test backup and restore procedures on recovered systems to ensure recovery capability.
5. Implement continuous incremental backups with 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 copy off-site and immutable.
6. Deploy network segmentation isolating Veeam infrastructure from general corporate networks.
7. Implement detailed Veeam audit logging and alerting on administrative account creation and backup deletion operations.
Frag operators typically demand $150,000–$2,000,000 depending on organization size and backup repository size. Enterprise organizations report demands of $500,000–$1,500,000. Negotiation may reduce initial demands by 30–50%. Payment is demanded in cryptocurrency (Bitcoin or Monero).
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowFrag is a new ransomware operation that emerged in late 2024, exploiting CVE-2024-40711 (a critical Veeam Backup & Replication deserialization vulnerability) to target enterprise backup infrastructure. Rather than using traditional file-based encryption, Frag specifically targets backup servers, backup catalogs, and recovery points to eliminate organizations’ primary recovery mechanism. Once backup infrastructure is destroyed, organizations have no option but to pay ransoms or accept permanent data loss.
Attribution is limited; Frag operators are suspected to be based in Eastern Europe or the CIS region based on operational patterns and infrastructure, but no definitive geolocation has been established.
Frag attacks begin with VPN appliance compromise (phishing, credential theft, or unpatched vulnerabilities). Attackers pivot from the VPN to the internal network, locate the Veeam Backup & Replication server, and exploit CVE-2024-40711 to execute arbitrary code on the Veeam system without credentials. Once code execution is achieved, attackers create a persistent administrative account (typically named ‘point’), install the Frag ransomware binary, and encrypt all backup files, backup catalogs, and recovery points. Ransom demands follow within 24 hours.
From VPN compromise to backup encryption completion, Frag attacks typically span 4–12 hours. VPN compromise to Veeam discovery may take hours; CVE-2024-40711 exploitation is rapid (minutes); backup encryption spans 2–6 hours depending on backup repository size and network bandwidth.
Frag-encrypted backup files cannot be decrypted without the private RSA-4096 key held by operators. Deletion of the malware stops further encryption but does not recover encrypted backups. Recovery requires either paying the ransom for the decryption key or restoring from a second backup system that was not compromised.
When Frag compromises your Veeam infrastructure, all backup files, catalogs, and recovery points are encrypted and become inaccessible. Your ability to restore VMs, recover deleted files, or recover from other ransomware attacks is completely eliminated. A ransom note appears in backup directories, and operators contact you via a Tor website, demanding payment for decryption. You face a choice: (1) pay a large ransom with no guarantee of key delivery, or (2) restore from another backup system (if available) or pay recovery firms to rebuild systems from scratch.
Prevent Frag attacks by: (1) immediately patching all Veeam Backup & Replication servers to the latest version with CVE-2024-40711 fix; (2) restricting Veeam management console access to internal networks only (never expose to internet); (3) implementing strong authentication and multi-factor authentication on Veeam administrative accounts; (4) securing VPN appliances with strong passwords, MFA, and regular patching; (5) maintaining immutable, air-gapped backups on separate storage infrastructure; (6) implementing network segmentation isolating backup infrastructure from general corporate networks; (7) deploying EDR solutions with behavioral detection for backup encryption and administrative account creation; and (8) conducting regular security audits of backup infrastructure.
– Patch all Veeam Backup & Replication servers immediately (CVE-2024-40711 and all other patches)
– Restrict Veeam management console access to internal networks only; block internet access
– Implement multi-factor authentication on all Veeam administrative accounts
– Enforce strong, unique passwords (minimum 16 characters) for all Veeam accounts
– Implement network segmentation isolating backup infrastructure on a dedicated VLAN
– Deploy immutable backup storage with write-once, read-many (WORM) capabilities
– Implement 3-2-1 backup strategy: 3 copies of data, 2 different storage types, 1 copy off-site
– Test backup restoration monthly from all backup systems to ensure recovery capability
– Enable and monitor Veeam audit logging for administrative actions and backup deletions
– Implement EDR solutions on Veeam servers with behavioral detection for encryption and account creation
– Conduct quarterly vulnerability scanning of backup infrastructure
– Restrict VPN access and force password resets on all VPN accounts
– Implement multi-factor authentication on all VPN endpoints
CVE-2024-40711 is a critical (CVSS 9.8) remote code execution vulnerability in Veeam Backup & Replication caused by unsafe deserialization of untrusted data. The vulnerability allows unauthenticated attackers to execute arbitrary code on the Veeam server by sending a specially crafted network packet, leading to complete compromise of backup infrastructure. Because Veeam is critical to business recovery, compromising Veeam infrastructure eliminates the organization’s primary recovery mechanism, making ransom payment far more likely.
Frag’s focus on Veeam infrastructure is strategically superior to traditional file encryption. By destroying backups, Frag eliminates the primary recovery mechanism organizations depend on, making business continuation impossible without paying the ransom. Additionally, Veeam servers typically contain metadata about the entire IT infrastructure, allowing attackers to map and exfiltrate sensitive data across the organization. This makes Frag attacks far more damaging and raises ransom demands to $500,000–$2,000,000 vs. typical file encryption demands of $50,000–$200,000.