A new ransomware family, going by the name Egregor, looks to be a major threat to watch going into the home stretch of 2020 and beyond. Egregor is following the recent trend of “double extortion” that is almost becoming cliché amongst ransomware groups these days.
If you’re not already familiar, double extortion is where victim files are stolen in addition to being encrypted; if the victim doesn’t pay the ransom within a set period of time, the threat actors release the stolen data through their dark web leak site. The threat of publication applies pressure beyond the encryption itself, and it is forcing payments from organizations that could otherwise have restored from backups and refused to pay.
It’s even being reported that the operators behind Egregor are providing “security recommendations” to victims after receiving payment. Don’t mistake this “assistance” as a sign that this group has a conscience.
The word Egregor comes from occult terminology and roughly means an intangible force summoned by the collective thoughts of a group of people. According to researchers with Appgate, Egregor’s source code appears to be related to the Sekhmet ransomware variant.
The Appgate research team noted that Egregor’s level of sophistication is similar to that of the other major ransomware families, but what makes Egregor unusual is the amount of anti-analysis technique baked into the code. The payload itself is encrypted, and researchers need the unique decryption key before they can unlock and analyze it; without that key, the sample cannot be meaningfully examined in a sandbox or by manual analysis. The many layers of code obfuscation and the encrypted payload place a high burden on basic security tools and make it more likely that Egregor’s execution will go undetected by traditional defenses.
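To show why an encrypted, key-gated payload defeats sandbox analysis, here is an added illustration that is not Egregor’s code and not from Appgate or SpearTip. It models a loader that only decrypts its payload when handed the right key at launch (how Egregor actually receives its key is not stated on this page, so that is an assumption); the “payload” is a harmless string, and the cipher is a deliberately simple SHA-256 keystream with an HMAC check. The point it demonstrates is that with the wrong key there is no fallback path and therefore no behaviour for a sandbox to observe, which is why capturing the exact launch context of a sample matters so much to analysts.

```python
import hashlib
import hmac
import os

# Constructed demonstration of a key-gated encrypted payload, in the spirit of the
# anti-analysis layer described above. Added teaching example, not Egregor's code:
# the "payload" is a harmless string and the cipher is a toy SHA-256 keystream.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (toy counter construction)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def pack(payload: bytes, password: str) -> bytes:
    """Encrypt payload under password; output is nonce || HMAC tag || ciphertext."""
    key = hashlib.sha256(password.encode()).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unpack(blob: bytes, password: str):
    """Return the payload if the password is right, otherwise None (no fallback path)."""
    key = hashlib.sha256(password.encode()).digest()
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key: nothing to run, so nothing for a sandbox to observe
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def run_in_sandbox(blob: bytes, supplied_password: str) -> str:
    """Model of what an analysis sandbox sees: behaviour only if the key was supplied."""
    payload = unpack(blob, supplied_password)
    if payload is None:
        return "no observable behaviour"
    return "executed: " + payload.decode()

if __name__ == "__main__":
    # Hypothetical key string; in a real detonation it would come from the
    # captured launch context, not from the sample itself.
    blob = pack(b"enumerate and encrypt user documents", "correct-horse-battery")
    print(run_in_sandbox(blob, "correct-horse-battery"))
    print(run_in_sandbox(blob, ""))  # sandbox that did not capture the launch key
```

Running the block prints the simulated behaviour once with the right key and “no observable behaviour” without it. The practical lesson for defenders is that a detonation of the bare sample tells you nothing; you need the full process-creation record (parent process, arguments, working directory) from the victim host so the analyst can reproduce the launch conditions.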
Egregor’s initial attack vector is currently unknown. In SpearTip’s experience, ransomware is typically delivered through publicly exposed RDP services and through malicious email attachments. The only known victims at this point are corporations located in the U.S., Japan, France, Germany, Italy, Mexico, and Saudi Arabia.
SpearTip was able to track down Egregor’s dark web onion site, and the operators currently have 24 victims listed within their “Hall of Shame.” Many of the organizations listed on the dark web site have already had a percentage of their data published for the world to see.
SpearTip’s ShadowSpear® Platform is well suited to detect and prevent the evasion and process-injection techniques used by Egregor and other forms of advanced ransomware. SpearTip recommends that all enterprise organizations have a reliable EDR agent like ShadowSpear® installed on every company-owned workstation and server. A SIEM that collects logs from critical systems and a strong vulnerability management policy are also recommended to improve an organization’s defensive posture.
SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but they’re also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.