
Day 4: Egregor Ransomware

Common Attack Vectors

  • Remote Desktop Protocol (RDP) access
  • Email phishing attacks
  • Software/hardware vulnerabilities

Vulnerabilities Exploited

  • Microsoft Exchange
  • VBScript Engine
  • Adobe Flash Player

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Enterprises

Threat actors target enterprises by stealing sensitive data, encrypting network files, and demanding ransoms.

Recent Activity

Crytek, the game developer and publisher, had its network breached by Egregor ransomware, which encrypted systems, stole files containing customers’ personal information, and leaked the data on the group’s dark web leak site.

Common File Extensions

.Egregor

Known Alias

  • Twisted Spider
  • Maze

How Egregor Ransomware is Distributed

Egregor ransomware’s primary distribution tactic is Cobalt Strike: target environments are compromised through Remote Desktop Protocol (RDP) access and phishing attacks, and the Egregor payloads are delivered and launched once the Cobalt Strike beacon payload is established and persistent.

Egregor ransomware is installed into the victim’s network through a loader that undergoes extensive code obfuscation to hinder static analysis and possible decryption. The ransomware manipulates the victim’s firewall settings to enable Remote Desktop Protocol (RDP) and moves throughout the network to identify and disable all anti-virus software. After disarming that software, the ransomware encrypts all the breached data and inserts a ransom note into every compromised folder.

The ransomware loads an encrypted DLL into memory and executes its encryption routine, spreading throughout the network. Threat actors use the ransomware to gain access through unprotected RDP ports, use phishing emails to remotely access the network through an employee’s computer, or access the network through malicious attachments, downloads, application patch exploits or vulnerabilities.
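The behaviours described above (firewall changes that enable RDP, anti-virus services being disabled, files renamed with the .Egregor extension, and the same ransom note written into many folders) are each observable in endpoint telemetry. The following detection script is an added example written for this page; it is not SpearTip or ShadowSpear code. It assumes a simplified event schema (`type`, `image`, `cmdline`, `path`), a constructed set of sample events, a placeholder ransom note file name, and an assumed anti-virus service watchlist containing only the Windows Defender service name `WinDefend`; real deployments would read these events from Sysmon, Windows Security logs, or an EDR and extend the watchlist with their own products.

```python
"""Defensive heuristics for the Egregor behaviours described on this page.

Added example (not SpearTip/ShadowSpear code). Event schema and sample data are
constructed for illustration; thresholds and the AV watchlist are assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample telemetry: process-creation and file-write events from one host.
SAMPLE_EVENTS = [
    # Benign administrative activity (must not fire)
    {"ts": "2021-03-01T09:58:00Z", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    # Firewall rule group for RDP enabled, then RDP turned on in the registry
    {"ts": "2021-03-01T10:00:01Z", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"ts": "2021-03-01T10:00:02Z", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    # Anti-virus service stopped
    {"ts": "2021-03-01T10:01:10Z", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop WinDefend"},
    # Encrypted files appear with the .Egregor extension
    {"ts": "2021-03-01T10:05:00Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Documents\report.docx.Egregor"},
    {"ts": "2021-03-01T10:05:01Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Pictures\holiday.jpg.Egregor"},
    # The same note file written into many folders (file name is a placeholder)
    {"ts": "2021-03-01T10:05:02Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Documents\RANSOM_NOTE_PLACEHOLDER.txt"},
    {"ts": "2021-03-01T10:05:03Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Pictures\RANSOM_NOTE_PLACEHOLDER.txt"},
    {"ts": "2021-03-01T10:05:04Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Desktop\RANSOM_NOTE_PLACEHOLDER.txt"},
    # Ordinary file write (must not fire)
    {"ts": "2021-03-01T10:06:00Z", "host": "WS01", "type": "file",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Command lines that open the host to RDP: the firewall rule group and the
# Terminal Server registry value that disables/enables RDP connections.
RDP_ENABLE_PATTERNS = [
    re.compile(r'advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?.*enable=yes', re.I),
    re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I),
]

# Assumed watchlist of anti-virus/EDR service names (lower-case); extend for your estate.
AV_SERVICES = {"windefend"}
SERVICE_STOP = re.compile(r'\b(?:sc|net)(?:\.exe)?\s+stop\s+"?([\w\-\. ]+)"?', re.I)


def _process_events(events):
    return [e for e in events if e.get("type") == "process"]


def detect_rdp_enablement(events):
    """Process events whose command line enables RDP via the firewall or registry."""
    return [e for e in _process_events(events)
            if any(p.search(e.get("cmdline", "")) for p in RDP_ENABLE_PATTERNS)]


def detect_av_tampering(events):
    """Process events that stop a service on the anti-virus watchlist."""
    hits = []
    for e in _process_events(events):
        m = SERVICE_STOP.search(e.get("cmdline", ""))
        if m and m.group(1).strip().lower() in AV_SERVICES:
            hits.append(e)
    return hits


def detect_egregor_extension(events):
    """File events whose path ends with the .Egregor extension named on this page."""
    return [e for e in events
            if e.get("type") == "file" and e["path"].lower().endswith(".egregor")]


def detect_mass_note_drop(events, min_dirs=3):
    """Map file name -> sorted directories when one name lands in >= min_dirs folders.

    This models the 'ransom note in every compromised folder' behaviour without
    relying on a known note file name.
    """
    dirs_by_name = defaultdict(set)
    for e in events:
        if e.get("type") != "file":
            continue
        directory, name = ntpath.split(e["path"])
        dirs_by_name[name.lower()].add(directory.lower())
    return {n: sorted(d) for n, d in dirs_by_name.items() if len(d) >= min_dirs}


def run_detections(events):
    """Run all heuristics and return their findings keyed by detection name."""
    return {
        "rdp_enablement": detect_rdp_enablement(events),
        "av_tampering": detect_av_tampering(events),
        "egregor_extension": detect_egregor_extension(events),
        "mass_note_drop": detect_mass_note_drop(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(findings)} finding(s)")
```

Each heuristic on its own is noisy (administrators do enable RDP and stop services), so in practice the value comes from correlating them on one host within a short window: firewall or registry RDP enablement followed by AV tampering and then a burst of renamed files and repeated note writes is a much stronger signal than any single event.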

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.