SpearTip brought the Egregor ransomware group to your attention earlier this month. As the fourth quarter takes off, Egregor is ramping up. First seen on Twitter on September 18, Egregor is performing what is known as “double extortion,” a tactic that is now very common among threat actors.

Double extortion happens when victim files are stolen in addition to being encrypted. If the victim doesn’t pay the ransom within a specific time period, the threat actors release the stolen data through their dark web site. This threat of publication applies additional pressure on affected organizations and pushes many to pay who otherwise wouldn’t, because their data-recovery policy (for example, restoring from backups) would let them recover without paying.

It is not every day that you see a ransomware group freely give cybersecurity advice. Egregor tells its victims that it has written a security report for them so they can correct their mistakes. In this report, Egregor has the opportunity to display and reveal the victim’s vulnerabilities. This is a unique Egregor method of approaching security and is another way to identify this group. Giving cybersecurity recommendations is a new addition to the ransomware attack curriculum. SpearTip sees this action not only as a way to identify the threat group, but also as a continued change in what threat actors are leveraging when attacking companies.

Egregor tells its victims that it needs to analyze their data before presenting a ransom demand. In the meantime, however, Egregor has already downloaded that data, so if the ransom is not paid, Egregor can easily publish it on its dark web site. Once payment is received, Egregor claims that a decryption key is provided to unlock the files, although nothing is guaranteed. In return, Egregor will send the victim proof that their data has been removed from the dark web site. And, this is the catch, Egregor claims to send a report outlining how your organization can better align its security posture.

This is not the norm, and SpearTip has its eye on this type of behavior. It is not yet known why Egregor is willing to hand out cybersecurity advice to its victims. SpearTip has already identified Egregor’s dark web onion site and continues to monitor the published data. For more details, visit our Hide Your Data … Here Comes Egregor Ransomware blog.

SpearTip’s ShadowSpear® Platform is able to detect and prevent the evasion techniques and process injection techniques used by Egregor. SpearTip recommends installing a reliable EDR agent like ShadowSpear® on all company-owned workstations and servers. Having a SIEM tool to collect logs from critical systems and a strong vulnerability management policy will further improve an organization’s defensive posture.

SpearTip’s threat hunting experts are constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is staffed with cybersecurity professionals who monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but they’re also able to deploy our proprietary tool, ShadowSpear®, in an environment before or after an attack. Visit speartip.com to learn more about us!