FBI warns of Egregor ransomware extorting businesses worldwide

The US Federal Bureau of Investigation (FBI) has sent a security alert warning private sector companies that the Egregor ransomware operation is actively targeting and extorting businesses worldwide.

The FBI says in a TLP:WHITE Private Industry Notification (PIN) shared on Wednesday that Egregor claims to have already hit and compromised more than over 150 victims since the agency first observed this malicious activity in September 2020.



"Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation," the US intelligence and security service says.

"Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices."

Phishing emails with malicious attachments and insecure Remote Desktop Protocol(RDP) or Virtual Private Networks are some of the attack vectors used by Egregor actors to gain access and to move laterally within their victims' networks.

Egregor uses Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind for privilege escalation and lateral network movement.

Affiliates are also using 7zip and Rclone, at times camouflaged as a Service Host Process (svchost) process, for data exfiltration before deploying the ransomware payloads on the victims' network.

The FBI also shared a list of recommended mitigation measures that should help defend against Egregor's attacks:

Back-up critical data offline.
Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
Install and regularly update anti-virus or anti-malware software on all hosts.
Only use secure networks and avoid using public Wi-Fi networks.
Use two-factor authentication and do not click on unsolicited attachments or links in emails.
Prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools.
Securely configure RDP by restricting access, using multi-factor authentication or strong passwords.
RaaS operation with former Maze affiliates as partners
Egregor is a Ransomware as a Service operation that partners with affiliates who hack networks to deploy ransomware payloads, distributing the ransom payment earnings with the Egregor operators using a 70/30 split.

After infiltrating the victims' networks they also steal files before encrypting devices and use them as leverage under the threat of publicly leaking the stolen data if the ransom is not paid.

Egregor started operating after Maze shut down their operation, with many of the Maze affiliates immediately switching to Egregor's RaaS as BleepingComputer was told by threat actors.


Since September, Egregor affiliates have breached and encrypted the systems of multiple high-profile organizations including but not limited to Ubisoft, Kmart, Randstad, Barnes and Noble, Cencosud, Crytek, and Metro Vancouver's transportation agency TransLink.

Don't pay ransoms, report ransomware attacks
Victims are also advised not to pay the ransoms since this doesn't guarantee successful restoration of encrypted data and it also funds their future operations and encourages them to continue their attacks.

The agency urges victims to report any ransomware incidents they are involved in to help investigators track the threat actors behind them and to deter future attacks.



The FBI has asked companies and individuals affected by ransomware to report any infections for a while now so that it can get a better grasp of the threat and the legal reasons to prosecute ransomware gangs and their operators.

OFAC (the Treasury Department's Office of Foreign Assets Control) said last year that organizations assisting ransomware victims to make ransom payments are also facing sanction risks as their actions could violate OFAC regulations.

Victims were urged to immediately contact OFAC if and when they believe a ransomware payment request may involve a sanction nexus to avoid potential sanction risks themselves.