INTRODUCING EGREGOR RANSOMWARE GROUP
First observed on September 25th, 2020, the Egregor ransomware variant has been making considerable strides in Maze’s wake, another ransomware threat actor that ceased operations in October of 2020.
Some security researchers have drawn many parallels between the two groups— including overlap in malware signatures, the victimology (with the majority of victims belonging to the Industrial Goods & Services Sector), and the practice of leaking company’s sensitive data on a dark web based “News” website.
While there is no way of verifying these claims, we can determine from an analysis of their activity and ransomware that Egregor has become the leading variant, with much potential to become a more significant threat to your organization in the coming months.
WHO IS THE EGREGOR RANSOMWARE GROUP? A BUSY QUARTER:
Egregor has had a very dynamic Q4. As of November 17th, 2020, the Egregor ransomware group has named 71 victims spanning across 19 different industry verticals. The level of sophistication of their attacks, adaptability to infect such a broad range of victims, and significant increase in their activity suggests that Egregor ransomware operators have been developing their malware for some time and are just now putting it to (malicious) use.
In terms of motives, Egregor’s double-extortion ransomware model proves them to be financially-motivated. Following this model, Egreggor completes a breach and then begins to release data easily traceable to the victim as proof while demanding a hefty ransom sum to be paid in exchange for not releasing more. While their ransomware model is consistent, Egregor’s victims may vary. Overall trends we found were that victims clustered in the Industrial Goods & Services sector (38%), and a vast majority were US-based companies (83%).
Egregor victims have increased 240% from September 25th (15 incidents) to October 31st (51 incidents) and 43% as of November 17th, bringing total incidents to 71.
Egregor first caught the cybersecurity world’s attention in October with their attack on Barnes & Noble and video game producers Ubisoft and Crytek. From Barnes & Noble, Egregor operants release two Windows Registry hives— contending they contained highly sensitive financial data about the bookseller within.
In the attack against the video game industry giant, Ubisoft, Egregor claimed to have stolen source code for a not yet released Ubisoft game “Watchdogs: Legion.” While there was no confirmation from Ubisoft employees on the matter, the gang released 200MB of data about in-game assets. It is possible this information could’ve been obtained from some other source online. Still, given the company’s history with threat actor successes from email phishing— gaining access to data through emails sent to employees with malicious attachments or links to trigger the malware on the target system— it is highly likely that this was a targeted success.
Another massive gaming company, Crytek, confirmedthey had lost almost 400MB of data relating to their first-person shooter game, “Warface,” and the now-closed multiplayer online battle game, “Arena of Fate.” Given the demonstrated level of increased activity and apparent technical sophistication, this is realistically possible. Egregor attacks will likely continue over the short-term future.
HOW DOES EGREGOR RANSOMWARE GROUP ACT?
Since the Egregor ransomware group has only been active as of September 25th, there is limited information about their common tactics, techniques, and procedures (TTP’s).
So far, our researchers have found that the Egregor malware maintains multiple anti-analysis techniques such as code obfuscation and packed payloads, making it challenging to analyze the malware. More specifically, Windows application programming interfaces (APIs) are leveraged to encrypt the payload data. Unless security teams can present the correct command-line argument, then the data cannot be decrypted, and the malware cannot be analyzed.
When the correct command-line argument is presented, the malware executes by injecting into iexplore.exe process, encrypting all text files and documents, and enclosing a ransom note (pictured below) within each folder that has an encrypted file. This process includes files on remote machines and servers through checks on Logmein event logs.
Regarding data leakage, the ransom note instructs Egregor ransomware victims to download the dark web browser TOR and contact their developers within three days. If the victim does not follow instructions and pay up, their company data will be published to the “Egregor News” data leak site (DLS) for public consumption.
Operators of other pieces of malware, such as the Quakbot (also known as Qbot), have taken notes from Egregor’s progress and evolved. Their banking trojan is suspected to have recently abandoned Prolock in favor of Egregor ransomware in its deployments.
HOW CAN I PROTECT MY ORGANIZATION AGAINST EGREGOR RANSOMWARE?
Given their sophisticated technical capabilities to hinder analysis of malware and target a large variety of organizations across the ransomware landscape, we can only conclude that the Egregor ransomware group will likely continue in the future, posing more and more of a risk to your organization.
Knowing this can leave you or your organization feeling helpless, but more importantly, these attacks are by and large preventable. We’ve collected a list of their MITRE ATT&CK techniques and IOC’s and shared them at the end of this blog.
HOW CAN I STAY UP TO DATE ON THE RANSOMWARE LANDSCAPE?
Tracking ransomware groups’ tactics and trends can be daunting, and it’s easy to get buried in all the information out there. Look here to read our research on ransomware.
Looking to keep updated on threat actor activity as well as gain actionable insights from ransomware trends? SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) presents threat intelligence and assesses the risk certain actors pose to your industry, company, and assets. Look here for a trial of our product SearchLight.
If you’re a Digital Shadows (now ReliaQuest) client, you’ll be able to subscribe to the Egregor tag, or use this search term to set up alerts on new instances of Egregor victims:
MITRE ATT&CK techniques:
- Valid Accounts (T1078)
- PowerShell (T1086)
- System Services: Service Execution (T1569)
- Account Manipulation (T1098)
- Brute Force (T1110)
- Account Discovery (T1087)
- Abuse Elevation Control Mechanism: Bypass User Access Control (T1548)
- File Permissions Modification (T1222)o Data Encrypted for Impact (T1486)
- Inhibit System Recovery (T1490)
- System Information Discovery (T1082)
- Process Discovery (T1057)
- Screen Capture (T1113)
- Compile After Delivery (T1500)
- Service Execution (T1035)
- Account Manipulation (T1098)
- Credentials in Registry (T1214)
- Phishing (T1566)
- Create or Modify System Process (T1543)
- Impair Defenses (T1562)o Data Obfuscation (T1001)
91[.]199[.]212[.]52 49[.]12[.]104[.]241 Crt[.]sectigo[.]com hxxp://49[.]12[.]104[.]241:81/78.bin hxxp://49[.]12[.]104[.]241/sm.dll hxxp://49[.]12[.]104[.]241:81/sm.dll 03cdec4a0a63a016d0767650cdaf1d4d24669795 069ef8443df750e9f72ebe4ed93c3e472a2396e2 072ab57f9db16d9fb92009c8e10b176bd4a2eff01c3bc6e190020cf5a0055505 07d4bcb5b969a01fb21dc28e5cb1b7ceb05f2912 16a9c2917577e732cd6630b08e248443 1a722cde21a4338b26bc37401ef963022d97cea141c985e6615a10287f8d02ff 1cce0c0d67fe7f51f335a12138698403 28f3f5a3ea270d9b896fe38b9df79a6ca430f5edab0423b3d834cf8d586f13e6 2d01c32d51e4bbb986255e402da4624a61b8ae960532fbb7bb0d3b0080cb9946 386cf4e151bc7510c3333eb1a5c96ab1b7becd8cfb94bcb76e93458078daf66f 3dba9fbef8f8a42ecfa65022b8a3c54738d15ef67c666272078b58b3c9a0a414 410afc5daebd7b39410b046286b814bb5fb5f9139167cd310bc59cc4461d4083 43445fbe21cf3512724646a284d3e5d7 49b3d9c3bd6b6a13f89f0e849d80531454cc5cd259cbb7c8a806c67cd403575e 4c36c3533a283e1aa199f80e20d264b9 5455d104e693445dce5567236f4e047617bae7f09d5ca8699a838c2d17d37fb3 561092877e91f2741ed061cbe7a57d1af552b600c6654ccc588cb6bff7939152 5f9fcbdf7ad86583eb2bbcaa5741d88a 605c2047be7c4a17823ad1fa5c1f94fd105721fce3621dc9148cd3baf352938e 627c2219a80245a25e4fe9843ac2a021 65c320bc5258d8fa86aa9ffd876291d3 7222c8acc69a7598989c335d528b366f801a41b434cbf928c6aef01f8e54f57a 7bc6c2d714e88659b26b6b8ed6681b1f91eef6af 7caed5f406445c788543f55af6d98a8bc4f0c104e6a51e2564dd37b6a485cc18 7dd1a1a0eefc5a653a30010f475cc37c 9fffabede0ef679970666f04184340437cd70bc8fe870ee8174713ececf32398 a654b3a37c27810db180822b72ad6d3e ac634854448eb8fcd3abf49c8f37cd21f4282dde b027467332243c8186e59f68ff7c43c9e212d9e5074fedf003febcfedad4381a b554791b5b161c34b0a7d26e34a88e60 b81d2293b43decd5a401487da952deb32cbb53f118882b97b457a14c67029247 b9dcee839437a917dde60eff9b6014b1 bd8c52bb1f5c034f11f3048e2ed89b7b8ff39261 c1c4e677b36a2ee6ae858546e727e73cc38c95c9024c724f939178b3c03de906 c9d46c319ed01c183598f7b9a60b9bca34b2eea989f4659e9aa27c7a1bf8681c d2d9484276a208641517a2273d96f34de1394b8e d6fa64f36eab990669f0b81f84b9a78a e0caae0804957c5e31c53dd320ca83a5465169c9 e27725074f7bc55014885921b7ec8b5319b1ef8f e3ef50749f144bfd7f5d7d51aaa9e2332b706c4d8ac130fdc95f50662525f6e0 ed5b60a640a19afe8d1281bf691f40bac34eba8a f0215aac7be36a5fedeea51d34d8f8da2e98bf1b f1ba626b8181bd1cd84f47f70838d9fa4d8117fac3bd07cbd73cb6f73b1297f8 f73e31d11f462f522a883c8f8f06d44f8d3e2f01