Since it was first observed in September 2020, the newly emergent Egregor ransomware has indiscriminately targeted organisations on a global scale and defenders should be alert to this particularly dangerous new strain, according to Recorded Future’s Insikt Group, which has just released detailed research into Egregor.
Part of the Sekhmet ransomware family, Egregor is connected to, and likely used by, the operators of the QakBot or Qbot banking trojan, and is notable for its complexity, employing advanced obfuscation and anti-analysis techniques.
Recorded Future said it had found multiple victims, the most notable to date being US bookstore chain Barnes and Noble, named on the group’s “Egregor News” website, which it used to post the names, domains and, critically, the exfiltrated data of its victims – Egregor being one of a number of groups that have adopted the double extortion technique.
“According to the information available on Egregor News, they claimed 133 victims and are responsible for 13% of all currently known ransomware extortion cases, which is a large number for just two months of operations,” said the researchers.
Data compiled by Recorded Future suggests that Egregor is now the second most widespread ransomware strain circulating, well behind Maze, which accounts for about 26% of victims this year, but ahead of other high-profile ransomwares such as REvil/Sodinokibi, DoppelPaymer, Clop and Ragnar Locker.
“We believe that ransomware operators and their affiliates are opportunistic by nature and do not focus on specific industries or geographic regions, but rather select and pursue corporations based on accessibility, opportunity and company revenue,” said the researchers. “These threat actors will very likely continue to consistently target larger organisations.
“This assessment is predicated on the understanding that the wide attack surface inherent to large corporations gives threat actors more chances to gain access. Furthermore, these businesses maintain an abundance of resources, and generally have strong cyber insurance policies, making it more likely that they will pay a large ransom demand.”
Of particular note is the connection to the QakBot trojan, the operators of which seem to have abandoned their use of the ProLock ransomware and taken up Egregor with enthusiasm. This connection, also highlighted by Group IB, can be assessed as a reasonably accurate one due to its similar techniques, such as the use of malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets to deliver QakBot.
It is also possible to tie Egregor to Maze because of similar initial access techniques, including abuse of remote desktop protocols (RDP), and disclosed common vulnerabilities and exposures (CVEs) in Flash Player and Pulse VPN, although these are not guarantees of a connection.
The ransomware itself comes in three main stages – a top-level packer that decrypts the next stage, a subsequent stage that uses a cryptographic key passed in at runtime to decrypt the final payload, and finally, Egregor itself. Recorded Future noted that without the correct key passed to the ransomware when it is run, the payload cannot be decrypted or analysed.
As with many ransomwares, Egregor does not execute if it finds its target system’s default language ID to be Armenian, Azeri, Belarussian, Georgian, Kazakh, Kyrgz, Romanian, Tatar, Turkmen, Ukrainian, Uzbek and, it almost goes without saying, Russian.
Recorded Future said that although there was still much to learn about Egregor, there are a number of steps security defenders can take now.
These should include monitoring for use of commodity tools such as Cobalt Strike, or QakBot, as a delivery mechanism. Internet-facing systems should be appropriately configured and patched to mitigate the threat of CVE exploitation, and internal users should follow standard guidance with regard to the risk of phishing attacks, the use of fake download sites, and the targeting of unpatched, public-facing systems or the exploitation of misconfigurations in such systems.
“The team behind Egregor has targeted several high-profile organisations to date and is very likely to continue doing so,” said the researchers. “The group behind Egregor will likely remain active and continue to employ techniques associated with sophisticated threat actors and big-game hunting.”
More data and information on how Egregor works, including ransom note samples, can be found here.