Last September, new ransomware surfaced as the Maze ransomware gang began shutting down its operations. Named egregor , the ransomware leverages data stolen during an attack to extort the victim for payment.
Egregor's ransom note tells its victims: “ Soon the mass media, your partners and customers WILL KNOW your PROBLEM…If you don't contact us within the next 3 DAYS, we will start publishing DATA ”.
Like Maze , Egregor uses ChaCha and RSA encryption algorithms to encrypt victim files. Much like Maze, Egregor is believed to be a ransomware-as-a-service operation, dependent on affiliates receiving payment for dropping the malware onto victims' networks.
But Egregor's code is not a derivative of the malware used by Maze, rather it is a variant of a ransomware family known as Sekhmet. Sekhmet operators began releasing victim data in March 2020, but their " Sekhmet Leaks " website is no longer accessible, and only six victims were publicly exposed before the site was shut down - coinciding with the launch of the Egregor website. It is unknown if the creators of Egregor and Sekhmet are the same, but the Egregor ransomware is clearly derived from the Sekhmet malware.
Egregor was first detected in September in an attack on a victim. As of November 25, Sekhmet Leaks had published details of more than 130 victims on its Tor hidden services (.onion) website. The alleged victims of these attacks are diverse, both in terms of location and type of organization – they include schools, manufacturers, logistics organizations, financial institutions and technology companies. The Egregor gang specifically called out two game companies - Crytek and Ubisoft - in a "press release" in October.
Common tactics, common measures
The use of specially crafted spam emails with malicious attachments, malware and exploit tools, as well as data exfiltration for extortion purposes have become common tactics as ransomware developers. These threats require defense-in-depth to prevent data theft and encryption, including training employees on tactics that could trick them into running the malware that gives ransomware attackers a foothold on the network.
Since the group behind Egregor claims to sell stolen data if ransoms are not paid, having good backups of organizational data is not enough to mitigate ransomware. Organizations should assume their data has been breached if they experience an Egregor attack (or any other ransomware). Blocking common exfiltration routes for data (e.g. preventing Tor connections) can make data theft more difficult, but the best defense is to deny access to attackers through coin malware attachments to e-mails and other common entry points.
Organization-wide malware protection can help prevent basic malware attacks like Qbot, and lateral spread through tools like Cobalt Strike.
To reduce the risk of attack by ransomware, and in particular by Egregor:
- back up data regularly, physically move the backup from your network and place it in
- safe place while ensuring that it works;
- be able to detect and block the use of Cobalt Strike on the network;
- be particularly vigilant on RDP connections as well as on the use of BITS, wmic and PowerShell
- on the network;
- keep software and systems up to date. Particular attention should be paid to VPN solutions and
- their updates to allow remote access for your employees;
- If possible, disable macros in office solutions that perform tasks automatically. This rule will prevent the spread of ransomware through application vulnerabilities;
- encrypt sensitive documents on your network to prevent possible disclosure of these documents;
- use and keep anti-virus software up to date;
- partition the information system;
- limit user rights and app permissions;
- if possible, do not expose remote desktop services (like RDP) over public networks and use
- complex passwords on these services;
- control Internet access;
- implement log monitoring;
- educate employees;
- implement a cyberattack response plan;
- thinking about your cyber crisis communication strategy
The editorial staff of Africa Cybersecurity Mag
