Since it was first observed in September 2020, the newly emergent Egregor ransomware has indiscriminately targeted organisations on a global scale and defenders should be alert to this particularly dangerous new strain, according to Recorded Future’s Insikt Group, which has just released detailed research into Egregor.
Part of the Sekhmet ransomware family, Egregor is connected to, and likely used by, the operators of the QakBot or Qbot banking trojan, and is notable for its complexity, employing advanced obfuscation and anti-analysis techniques.
Recorded Future said it had found multiple victims, the most notable to date being US bookstore chain Barnes and Noble, named on the group’s “Egregor News” website, which it used to post the names, domains and, critically, the exfiltrated data of its victims – Egregor being one of a number of groups that have adopted the double extortion technique.
“According to the information available on Egregor News, they claimed 133 victims and are responsible for 13% of all currently known ransomware extortion cases, which is a large number for just two months of operations,” said the researchers.
Data compiled by Recorded Future suggests that Egregor is now the second most widespread ransomware strain in circulation, well behind Maze, which accounts for about 26% of victims this year, but ahead of other high-profile strains such as REvil/Sodinokibi, DoppelPaymer, Clop and Ragnar Locker.
“We believe that ransomware operators and their affiliates are opportunistic by nature and do not focus on specific industries or geographic regions, but rather select and pursue corporations based on accessibility, opportunity and company revenue,” said the researchers. “These threat actors will very likely continue to consistently target larger organisations.
“This assessment is predicated on the understanding that the wide attack surface inherent to large corporations gives threat actors more chances to gain access. Furthermore, these businesses maintain an abundance of resources, and generally have strong cyber insurance policies, making it more likely that they will pay a large ransom demand.”
Of particular note is the connection to the QakBot trojan, whose operators appear to have abandoned the ProLock ransomware and taken up Egregor with enthusiasm. This connection, also highlighted by Group-IB, can be assessed with reasonable confidence on the basis of shared techniques, such as the use of malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets to deliver QakBot.
It is also possible to tie Egregor to Maze because of similar initial access techniques, including abuse of the Remote Desktop Protocol (RDP) and exploitation of publicly disclosed vulnerabilities (CVEs) in Flash Player and Pulse VPN, although shared techniques alone are no guarantee of a connection.
The ransomware itself comes in three main stages – a top-level packer that decrypts the next stage, a subsequent stage that uses a cryptographic key passed in at runtime to decrypt the final payload, and finally, Egregor itself. Recorded Future noted that without the correct key passed to the ransomware when it is run, the payload cannot be decrypted or analysed.
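To show why the runtime key matters to an analyst, here is a constructed model of the three-stage layout described above: a statically unpackable outer layer, and an inner layer whose payload only decrypts and authenticates when the key supplied at execution time is correct. This is an added illustration using a toy XOR keystream and an HMAC check, not Egregor's own code or cryptography; all keys and the payload are constructed sample values.

```python
import hashlib
import hmac

# Constructed toy cipher: SHA-256 counter-mode keystream XORed over the data.
# Symmetric, so the same function both encrypts and decrypts.
def _keystream_xor(key: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Stage 1 key is embedded in the binary, so static analysis can recover it (assumption).
PACKER_KEY = b"constructed-embedded-packer-key"

def build_sample(payload: bytes, runtime_key: bytes) -> bytes:
    """Constructed builder: wrap the payload in stage 2 (runtime key), then stage 1 (packer)."""
    k2 = hashlib.sha256(runtime_key).digest()
    tag = hmac.new(k2, payload, hashlib.sha256).digest()   # lets stage 2 detect a wrong key
    stage2 = tag + _keystream_xor(k2, payload)
    return _keystream_xor(PACKER_KEY, stage2)

def unpack(sample: bytes, runtime_key: bytes) -> bytes:
    """Analyst's unpacker: stage 1 always succeeds, stage 2 only with the correct runtime key."""
    stage2 = _keystream_xor(PACKER_KEY, sample)             # stage 1: embedded key, static
    k2 = hashlib.sha256(runtime_key).digest()               # stage 2: key only known at run time
    tag, body = stage2[:32], stage2[32:]
    payload = _keystream_xor(k2, body)
    if not hmac.compare_digest(tag, hmac.new(k2, payload, hashlib.sha256).digest()):
        raise ValueError("wrong runtime key: final payload cannot be decrypted or analysed")
    return payload

def recover_payload(sample: bytes, runtime_key: bytes):
    """Convenience wrapper: the payload bytes, or None when the supplied key is wrong."""
    try:
        return unpack(sample, runtime_key)
    except ValueError:
        return None

if __name__ == "__main__":
    sample = build_sample(b"constructed final-stage payload", b"runtime-arg")
    print(recover_payload(sample, b"runtime-arg"))   # payload recovered
    print(recover_payload(sample, b"guess"))         # None: static unpacking stops at stage 2
```

The practical takeaway for responders is that the command line or argument observed in process telemetry at detonation time is what makes the final stage analysable; a sample captured from disk alone stops at stage 2.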
As with many ransomware families, Egregor does not execute if it finds its target system’s default language ID to be Armenian, Azeri, Belarusian, Georgian, Kazakh, Kyrgyz, Romanian, Tatar, Turkmen, Ukrainian, Uzbek and, it almost goes without saying, Russian.
Recorded Future said that although there was still much to learn about Egregor, there are a number of steps security defenders can take now.
These should include monitoring for the use of commodity tools such as Cobalt Strike or QakBot as a delivery mechanism. Internet-facing systems should be appropriately configured and patched to mitigate the threat of CVE exploitation. Internal users should follow standard guidance on the risk of phishing attacks and fake download sites, and on the targeting of unpatched, public-facing systems or the exploitation of misconfigurations in such systems.
“The team behind Egregor has targeted several high-profile organisations to date and is very likely to continue doing so,” said the researchers. “The group behind Egregor will likely remain active and continue to employ techniques associated with sophisticated threat actors and big-game hunting.”
More data and information on how Egregor works, including ransom note samples, can be found here.
All Rights Reserved, Copyright 2000 – 2020, TechTarget