Ransomware scumbags - potentially those behind the Fog gang - are channeling their inner Elon Musk with their latest ransom note, spotted by researchers at Trend Micro.

Victims not only have to cough up cash to feed the crime machine, but according to researchers, they're being trolled with the DOGE chief's infamous five-bullet-point demand to know what federal workers achieved that week.

"Give me five bullet points on what you accomplished for work last week or you owe me a trillion dollars," a new line to Fog's updated ransom note reads.

[1]

It refers to one of Musk's earliest policies after he was installed as the head of the US Department of Government Efficiency (DOGE), one that has been consistently applied across all of his companies.

[2]

[3]

A memo was dispatched to workers demanding they outline five accomplishments from their past workweek in a bid to meet President Trump's request that federal staff be treated more aggressively.

Following immediate pushback, other department heads made the controversial demand optional.

[4]

According to the [5]Washington Post , insiders expressed privacy concerns about the emails but were also worried they would lose their jobs if they didn't respond.

As for why Fog decided to reference it in its new ransom note, Trend's researchers believe it's a sign of the criminals poking fun at victims and their sitting government.

Other iterations of the note, which list several DOGE staffers, could also be seen as a reference to recent reports linking Edward Coristine – whose current role at DOGE is unknown – to the provision of tech support to a cybercrime gang.

[6]

Reuters [7]reported last month that Coristine, whose online handle is "bigballs," previously ran a company called DiamondCDN before joining DOGE, which was linked to the alleged provision of DDoS protection services to dataleak.fun – a site run by the now dormant EGodly group.

[8]Guess what happens when ransomware fiends find 'insurance' 'policy' in your files

[9]Now 1.6M people had SSNs, life chapter and verse stolen from insurance IT biz

[10]Ransomware crims hammering UK more than ever as British techies complain the board just doesn't get it

[11]US sensor giant Sensata admits ransomware derailed ops

Trend's researchers said it could have been Fog itself or another group using Fog's binaries, but in any case, they've [12]dropped some useful intel and indicators of compromise on how to stop the ransomware.

Fog hasn't been on the scene for too long – around a year – and not much is known about its makeup or origin, only that it targets Windows and Linux systems across various industries.

Meanwhile, Musk's political career is also up in the air as speculation mounts about his role in the US government. The Washington Post reported this week that Musk may exit as soon as May, with the move believed to be driven by the billionaire's growing frustration with political attacks from the left.

The plan is to still keep DOGE running and it is seen internally as an organization that shows how swiftly government departments can be radically overhauled, where necessary.

But it isn't the success story many had hoped for – not yet, anyway. DOGE [13]has fallen well short of the cuts it originally promised . ®

Get our [14]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aAgRjR3ezlDjyunEIgjnsQAAAAM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aAgRjR3ezlDjyunEIgjnsQAAAAM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aAgRjR3ezlDjyunEIgjnsQAAAAM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aAgRjR3ezlDjyunEIgjnsQAAAAM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://www.washingtonpost.com/politics/2025/04/21/doge-musk-trump-federal-employees-emails/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aAgRjR3ezlDjyunEIgjnsQAAAAM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.reuters.com/world/us/doge-staffer-big-balls-provided-tech-support-cybercrime-ring-records-show-2025-03-26/

[8] https://www.theregister.com/2025/04/16/dutch_ransomware_study/

[9] https://www.theregister.com/2025/04/15/landmark_admin_data_loss/

[10] https://www.theregister.com/2025/04/11/uk_cyberattacks/

[11] https://www.theregister.com/2025/04/10/us_sensor_giant_sensata_ransomware/

[12] https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html

[13] https://www.theregister.com/2025/04/20/musks_doge_promises_fail/

[14] https://whitepapers.theregister.com/