Egregor Ransomware targets businesses worldwide, attempting to extort businesses by publicly releasing Exfiltrated Data.
The US Federal Bureau of Investigation (FBI) first observed Egregor Ransomware in September 2020. The threat actors behind this ransomware variant claim to have compromised more than 150 victims worldwide until now.
What is Egregor Ransomware?
Egregor ransomware is operating as a Ransomware as a Service Model. In this model, various individuals play a part in conducting a single intrusion and ransomware event.
The tactics, techniques, and procedures (TTPs) are used in deployment since the large number of actors involved in deploying Egregor.
Egregor ransomware makes use of multiple methods to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.
To gain access to the network accounts, Egregor ransomware use phishing emails with malicious attachments. It can also exploit Remote Desktop Protocol (RDP) or Virtual Private Networks to gain access.
Once it gains access to the network, the ransomware affiliates use common pen testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across a victim’s network.
Affiliates are also using 7zip and Rclone, sometimes hidden as a Service Host Process (svchost), for data exfiltration before deploying the ransomware payloads on the victims’ network.
The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors through an online chat. Egregor actors often use the print function on victim machines to print ransom notes.
The threat actors then demand a ransom payment for the return of exfiltrated files and decryption of the network. If the victim refuses to pay, Egregor publishes victim data to a public site.
- Back-up critical data offline.
- Make sure copies of critical data are in the cloud or on an external hard drive or storage device.
- Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
- Install and regularly update anti-virus or anti-malware software on all hosts.
- Use only secure networks and avoid using public Wi-Fi networks.
- Use two-factor authentication and do not click on unsolicited attachments or links in emails.
- Prioritize patching of public-facing remote access products and applications, including
- recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
- Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools.
- Securely configure RDP by restricting access, using multi-factor authentication or strong passwords.
Victims are advised not to pay the ransoms because this doesn’t assure successful restoration of the files and it also funds for illicit activities and encourages the attackers to continue their attacks. The agency urges victims to report any ransomware incidents they are involved in, to track the threat actors and holding them accountable under US law.