Egregor Ransomware: Origins, Operating Mode, Recent Incidents
14 January 21, 08:43
(This post was last modified: 14 January 21, 08:44 by harlan4096.)
Quote:
From Maze to Egregor Ransomware. Learn How to Protect Your Company from This New Threat!
A new year brings about countless new opportunities, but also, unfortunately, the chance for previous menaces to grow and evolve. Such is the case with Egregor ransomware. Since anticipation and prevention are more than welcome, let’s find out more about it and what you can do to combat it in order to keep your business safe.
Egregor Ransomware – Origins
Egregor ransomware is linked to the now-retired Maze ransomware and to the Sekhmet ransomware family.
As you have probably heard, Maze ransomware was particularly dangerous because it did not only steal and encrypt data like any other ransomware: its operators also threatened to expose that data if they did not receive the ransom, which turned the attack into a data breach as well.
The website on which the Maze ransomware operators published the information about their victims included details about the date when they were targeted, links for downloading the stolen data and even social media buttons for the users to spread the word.
As Bleeping Computer writes, Maze affiliates moved to Egregor ransomware:
Quote: BleepingComputer has learned that many Maze affiliates have switched over to a new ransomware operation called Egregor. Egregor began operating in the middle of September, just as Maze started shutting down their encryption operation. […] Egregor is believed to be the same underlying software as both Maze and Sekhmet as they utilize the same ransom notes, similar payment site naming, and share much of the same code. This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet, and Egregor were the same software. Ransomware expert Michael Gillespie, who analyzed both Egregor and Sekhmet, also found that Egregor victims who paid a ransom were sent decryptors that were titled ‘Sekhmet Decryptor.’
The first mention of Egregor Ransomware on a forum happened on the 18th of September 2020. As Security Boulevard notes, “The name of the new ransomware strain, Egregor, is derived from Western Occult traditions and is seen as the collective energy of a group of people, especially when aligned to a common goal. The name is appropriate on some level, as ransomware gangs tend to be aligned for the purpose of extorting funds from victims.”
ZDNet writes: “Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in which customers can subscribe for access to the malware.” (Ransomware-as-a-Service is a model that allows even a novice cybercriminal to launch ransomware attacks by becoming an affiliate of a RaaS package or service.)
However, researchers still know relatively little about it, since the ransomware protects itself with various anti-analysis techniques such as payload encryption and code obfuscation. One thing is clear, though: Egregor ransomware operators, just like the Maze ransomware operators, threaten to release the stolen data if the ransom is not paid (within the mythical three days).
Egregor Ransomware – Operating Mode
Egregor Ransomware seems to target, demographically speaking, the same victims as Sekhmet and Maze.
The attack consists of exfiltrating sensitive data, encrypting it so that the victims cannot access it, and then publishing part of that data on the dark web as proof of the attack. The victims then receive a note telling them to pay the ransom within 3 days to avoid their data being published on the criminals’ site. If the criminals receive their money in the appointed time, the victims’ data gets fully decrypted.
The Egregor ransomware infection starts with a loader, which then enables the Remote Desktop Protocol (RDP) in the victim’s firewall. After this step, the malware is free to move inside the victim’s network, identifying and disabling all the antivirus software it can find. The next step is the encryption of the data and the insertion of a ransom note named “RECOVER-FILES.txt” in all the compromised folders.
Afterwards, the victims are told to download a dark web browser to communicate with the cybercriminals with the help of a dedicated landing page.
...
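Two of the behaviours the article describes (a firewall change that exposes inbound RDP, and the RECOVER-FILES.txt note dropped into many folders) are cheap to look for on a host. The following Python helper is an added example, not code from the article or any vendor: it assumes a "<timestamp> <event-id> <message>" log-line shape and constructs its own sample log and folder tree; the Windows Security event IDs 4946/4947 (firewall rule added/modified) are real.

```python
import os
import re
import tempfile

RANSOM_NOTE = "RECOVER-FILES.txt"  # note name reported in the article
# Assumed log-line shape: "<timestamp> <event-id> <message>". 4946/4947 are
# the Windows Security events for a firewall rule being added/modified.
FIREWALL_RULE_EVENTS = {"4946", "4947"}
RDP_RE = re.compile(r"remote desktop|\b3389\b", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")

def firewall_rdp_enables(log_lines):
    """Return (timestamp, message) for firewall rule changes that open inbound RDP."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("eid") not in FIREWALL_RULE_EVENTS:
            continue
        if RDP_RE.search(m.group("msg")) and "inbound" in m.group("msg").lower():
            hits.append((m.group("ts"), m.group("msg")))
    return hits

def find_ransom_notes(root):
    """Return sorted directories under root that contain a RECOVER-FILES.txt."""
    return sorted(d for d, _, files in os.walk(root) if RANSOM_NOTE in files)

def assess(log_lines, root, min_note_dirs=2):
    """Combine both indicators; the note in many folders is the stronger signal."""
    rdp, notes = firewall_rdp_enables(log_lines), find_ransom_notes(root)
    if rdp and len(notes) >= min_note_dirs:
        return "egregor-like: rdp exposed and ransom notes dropped"
    if notes:
        return "ransom notes present"
    return "rdp exposure only" if rdp else "clean"

# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    "2021-01-13T02:11:04Z 4946 Rule added: Name=Remote Desktop (TCP-In) Direction=Inbound Action=Allow",
    "2021-01-13T02:11:05Z 4624 An account was successfully logged on",
    "2021-01-13T02:15:40Z 4947 Rule modified: Name=File Share Direction=Inbound Action=Allow",
]

def build_sample_tree():
    """Create a constructed temp tree where two of three folders carry the note."""
    root = tempfile.mkdtemp()
    for name, hit in (("finance", True), ("hr", True), ("public", False)):
        os.mkdir(os.path.join(root, name))
        with open(os.path.join(root, name, RANSOM_NOTE if hit else "readme.txt"), "w") as fh:
            fh.write("constructed sample\n")
    return root
```

Running `assess(SAMPLE_LOG, build_sample_tree())` on the constructed data returns the "egregor-like" verdict; on real hosts the log lines would come from the Security event log and `root` from the file shares you care about.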