The US Federal Bureau of Investigation (FBI) has issued a security alert about the Egregor ransomware group, whose attacks are currently hitting businesses around the world.
The FBI's warning indicates that a familiar crew of ransomware operators is back in full swing under a new banner. The Egregor operation is actively targeting businesses to steal and encrypt their data and hold it for ransom.
Egregor Ransomware group employs multiple techniques making detection and mitigation very difficult, says FBI:
Most ransomware operations have been rather straightforward. The majority of groups build a toolkit that attempts to penetrate defenses, encrypt data, and then demand payment for the decryption key.
The Egregor group, however, is more sophisticated. Instead of relying on a single attack vector or process, the group uses "multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices," the FBI indicated.
In practice this means the Egregor group is dynamic and resourceful: it tries several attack vectors and adapts its intrusion strategy to the target at hand.
The group's aim is clear: capture data and hold it to ransom behind strong encryption. It is going after businesses, which are usually far better equipped and safeguarded against such threats than individuals, which is why the varied tradecraft matters.
Security researchers following the group's digital trail indicate that Egregor appears to be a follow-up to Maze. Prior to Egregor, it was the Maze group that the FBI tracked.
The Maze group was infamous for going after the rather poorly defended but highly critical healthcare sector. Moreover, the group was first to popularize the double extortion technique.
How does the Egregor Ransomware group operate?
Security researchers claim the Egregor Ransomware group is merely following in the footsteps of the Maze attack group. A typical and successful attack involves data exfiltration and using the threat of its release as further leverage to extort a payment from victims.
Attempting to explain the attack techniques, FBI officials wrote, “Once a victim company’s network is compromised, Egregor actors exfiltrate data and encrypt files on the network. The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors via an online chat.”
“Egregor actors often utilize the print function on victim machines to print ransom notes. If the victim refuses to pay, Egregor publishes victim data to a public site.”
FBI sends alert to warn companies about the Egregor ransomware https://t.co/MfT0vYaF4T
— Threat Intelligence (@threatintel) January 8, 2021
It is concerning that a large number of actors are quite possibly involved in deploying Egregor. As a result, the Tactics, Techniques, and Procedures (TTPs) used in its deployment can vary significantly from one target to the next, which creates multiple challenges for defense and mitigation, the FBI observed.
#RT @NakedSecurity: FBI “private industry notification” warns of Egregor ransomware extortion – the double-barrelled sort of blackmail where the crooks steal your data first and only then encrypt it. #ICYMI, the @SophosLabs analysis of Egregor is here:… pic.twitter.com/UNJLEhC09L
— Ash (@Ash_Dax) January 8, 2021
For initial access the Egregor group relies on social engineering and phishing emails carrying malicious attachments, and on exposed or poorly secured Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services, logging in with stolen or weak credentials so that the intrusion looks like authorized access.
Once inside a compromised network, the group uses tools such as Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind. Qakbot is a banking trojan turned malware loader, but the others are legitimate or commercially sold tools: Cobalt Strike is an adversary-simulation framework used by penetration testers, Advanced IP Scanner is a network scanner, and AdFind is an Active Directory query utility. Egregor turns them to its own ends, mapping the network and directory, moving laterally, staging the ransomware payload, exfiltrating data, and then holding it to ransom.
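Because two of the tools named above, Advanced IP Scanner and AdFind, are legitimate utilities, blocklisting them by file name is not enough; AdFind in particular is routinely renamed by intruders. The following Python is an added example, not code from the article or from the FBI notice, showing how a defender might flag this discovery activity in process-creation telemetry. The event records and their field names (ts, host, user, image, cmdline) are constructed for the example and modelled loosely on Sysmon Event ID 1 fields; the AdFind switches and filter keywords are taken from AdFind's own documented command-line usage. A host that shows both a network scan and AD enumeration is escalated, since that pairing is the discovery pattern the alert describes.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry), shaped like Windows
# process-creation records. Note the renamed AdFind binary "svc.exe".
SAMPLE_EVENTS = [
    {"ts": "2021-01-08T10:12:01Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner_2.5.exe",
     "cmdline": "Advanced_IP_Scanner_2.5.exe /portable"},
    {"ts": "2021-01-08T10:14:37Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\Temp\\svc.exe",
     "cmdline": "svc.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName"},
    {"ts": "2021-01-08T10:15:02Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\Temp\\svc.exe",
     "cmdline": "svc.exe -gcb -sc trustdmp"},
    # Benign: grep also takes "-f", but carries no AD filter, so it must not fire.
    {"ts": "2021-01-08T10:40:10Z", "host": "SRV-BUILD01", "user": "CORP\\ci",
     "image": "C:\\Program Files\\Git\\usr\\bin\\grep.exe",
     "cmdline": "grep.exe -f patterns.txt build.log"},
    {"ts": "2021-01-08T11:02:13Z", "host": "WS-0077", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\ipconfig.exe",
     "cmdline": "ipconfig /all"},
]

# AdFind switches commonly seen in intrusions, and the directory filters /
# shortcuts they are combined with. Requiring both cuts false positives from
# unrelated tools that happen to accept "-f" or "-b".
ADFIND_SWITCHES = {"-f", "-b", "-gcb", "-sc", "-subnets", "-default"}
ADFIND_FILTERS = re.compile(
    r"objectcategory=|objectclass=|\btrustdmp\b|\bdclist\b|\bcomputers_pwdnotreqd\b", re.I)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    severity: str
    cmdline: str


def detect(events):
    """Return one Finding per event that matches a discovery-tool rule."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        args = {a.lower() for a in cmd.split()[1:]}

        if image.startswith("advanced_ip_scanner") or "advanced_ip_scanner" in cmd.lower():
            findings.append(Finding(ev["ts"], ev["host"], ev["user"],
                                    "advanced_ip_scanner", "medium", cmd))

        if image == "adfind.exe":
            findings.append(Finding(ev["ts"], ev["host"], ev["user"],
                                    "adfind_named", "high", cmd))
        elif args & ADFIND_SWITCHES and ADFIND_FILTERS.search(cmd):
            # AdFind behaviour under a different file name: the usual evasion.
            findings.append(Finding(ev["ts"], ev["host"], ev["user"],
                                    "adfind_renamed", "high", cmd))
    return findings


def correlate(findings):
    """Group findings per host and escalate hosts that show both network
    scanning and Active Directory enumeration."""
    by_host = {}
    for f in findings:
        entry = by_host.setdefault(f.host, {"rules": set(), "escalated": False})
        entry["rules"].add(f.rule)
    for entry in by_host.values():
        rules = entry["rules"]
        if "advanced_ip_scanner" in rules and rules & {"adfind_named", "adfind_renamed"}:
            entry["escalated"] = True
    return by_host


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.ts} {f.host} {f.user} [{f.severity}] {f.rule}: {f.cmdline}")
    for host, info in correlate(hits).items():
        flag = "ESCALATED" if info["escalated"] else "review"
        print(f"{host}: {sorted(info['rules'])} -> {flag}")
```

The renamed-binary rule is the part worth copying: matching on the combination of AdFind switches and LDAP filter text catches the tool regardless of what the intruder calls the executable, while the grep sample shows why a lone "-f" is not enough to fire on.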
Egregor Ransomware group operates Ransomware-as-a-Service model:
The FBI assesses that Egregor is run as a Ransomware-as-a-Service (RaaS) operation, with the core group supplying the malware and infrastructure to others. Under RaaS, several different threat actors can play a part in a single intrusion and ransomware event.
In other words, the ransomware developers are actively working with affiliate hackers, rather than doing every intrusion themselves, to mount wide-scale attacks on businesses. The impact of such attacks is severe and the potential payout is lucrative.
This ransomware gang, dubbed Egregor, in recent months appears to have hacked more than 130 targets, including schools, manufacturing firms, logistics companies and financial institutions, according to the U.K.-based security firm Sophos. https://t.co/xWu4nBriax #Cybersecurity
— SecNews (@cybersecmnl) January 8, 2021
Security researchers also report that Egregor affiliates routinely break into networks and deploy the ransomware payload. Under the revenue split described in public reporting, the affiliate who carries out a successful attack keeps about 70 percent of the ransom, while the core group takes the remaining 30 percent.
According to BleepingComputer, Egregor affiliates have breached and encrypted the systems of multiple high-profile organizations, including Ubisoft, Kmart, Randstad, and Barnes & Noble. In all, the FBI is reportedly aware of roughly 150 victims, but the true number is likely higher and will probably keep climbing.