FBI Issues Alert Over Growing Egregor Ransomware Threat
Bureau And Security Experts Warn About Gang's Effective Extortion Model
Scott Ferguson (Ferguson_Writes) • January 9, 2021
Credit Eligible
FBI Issues Alert Over Growing Egregor Ransomware Threat
An example of an Egregor ransomware note used during a previous attack (Source: Digital Shadows)
The FBI issued a private industry warning this week over the growing threat from the operators behind the Egregor ransomware variant and other cybercriminal gangs affiliated with the group.
See Also: Top 50 Security Threats
Since September, the FBI alert notes that the Egregor gang and its affiliates claim to have compromised approximately 150 corporate networks both in the U.S. and other countries. In some cases, the extortion demands have reached upwards of $4 million, according to a previous report by cybersecurity firm Group-IB.
The FBI alert notes that Egregor operates in a service model, which includes the operators of the actual ransomware as well as affiliated cybercriminals that carry out their own attacks and receive a percentage of the ransom if the money is paid by the victim. This makes defending and mitigating against these types of attacks difficult.
"Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures used in its deployment can vary widely, creating significant challenges for defense and mitigation," the FBI alert notes. "Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices."
Other researchers have noted that Egregor is one of several cybercriminal operations that exfiltrates data before crypto-locking systems and files, and then threatens to leak the information unless it receives a ransom from the victim. The now-defunct Maze group began using this tactic in November 2019, after which more than a dozen other operators followed suit, including the REvil, aka Sodinokibi, gang.
While fairly new, the Egregor gang and its affiliates have been tied to several high-profile attacks over the past five months, including ones that targeted a Canadian public transportation agency and a Dutch human resources and staffing firm in December. The ransomware is also believed to have compromised the networks of Barnes & Noble and Kmart (see: Egregor Ransomware Slams HR Firm and Transport Agency).
Techniques
The FBI alert notes that the operators behind Egregor typically use phishing emails with malicious attachments or links as part of the initial attack vector. The gang is also known to exploit vulnerabilities in Microsoft's Remote Desktop Protocol tool and VPNs to gain initial access before moving laterally throughout the network.
Once the network is compromised, Egregor will deploy legitimate penetration testing tools such as Cobalt Strike, Advanced IP Scanner and AdFind to escalate administrative privileges and move laterally through a network.
The gang or its affiliates will also use tools such as Rclone, which is sometimes hidden or renamed as a service host process dubbed "svchost," and 7zip to steal and exfiltrate data before the final ransomware payload is delivered and files are encrypted, according to the FBI.
Brett Callow, a threat analyst at security firm Emsisoft, notes that the Egregor gang and its affiliates will also use other unusual techniques as part of their attack.
"There are a couple of unusual things about Egregor. First, it can spit out the ransom note on any connected printer - which seems like a somewhat odd move as it often results in incidents quickly becoming public knowledge, meaning companies no longer have the incentive to pay quickly and quietly to avoid publicity," Callow tells Information Security Media Group. "Secondly, the group initially racked up victims at an unprecedented rate. This is probably because multiple threat actors joined Egregor's affiliate program after the Maze group ended its operation, taking with them details of compromised networks that had yet to be exploited."
And while Egregor's operators have developed multiple methods to hide their tactics and techniques, and have also made the source code difficult to analyze, Callow says that the ransomware acts much like other crypto-locking malware.
Jamie Hart, a cyber threat intelligence analyst at security firm Digital Shadows, notes that Egregor shares many similarities with the now-defunct Maze ransomware gang, with both targeting the same types of victims and using similar language in their ransomware notes.
"Significant similarities in the profiles of their victims and analysis of ransom notes indicate that the Maze ransomware operators, which closed operations in October 2020, are now running the Egregor ransomware variant," Hart says. "Although neither group has confirmed this theory, the timeline of Maze calling it quits is interestingly coincidental to Egregor taking off. Activity conducted by Egregor suggests the operators are extremely sophisticated and likely have experience in the ransomware landscape."
Mitigation
The FBI alert also notes that businesses and other organizations can take several steps to mitigate Egregor and other ransomware attacks, including:
Backing-up critical data offline;
Ensuring that copies of critical data are in the cloud or on an external hard drive or storage device;
Securing back-ups and ensuring data is not accessible for modification or deletion from the system where the data resides;
Utilizing two-factor authentication;
Prioritizing patching of public-facing remote access products and applications, including recent RDP vulnerabilities such as CVE-2020-0609, CVE-2020-0610 and CVE-2020-16896;
Finally, security teams should be reviewing suspicious BAT and DLL files with recon data and exfiltration tools.
The FBI also notes that those who are targeted by ransomware should not pay the ransom, as it will likely encourage additional criminal activity. The U.S. Treasury Department has also warned organizations not to pay ransoms, as they could face sanctions (see: Treasury Dept. Warns Against Facilitating Ransom Payments).
Scott Ferguson (Ferguson_Writes) • January 9, 2021
Credit Eligible
FBI Issues Alert Over Growing Egregor Ransomware Threat
An example of an Egregor ransomware note used during a previous attack (Source: Digital Shadows)
The FBI issued a private industry warning this week over the growing threat from the operators behind the Egregor ransomware variant and other cybercriminal gangs affiliated with the group.
See Also: Top 50 Security Threats
Since September, the FBI alert notes that the Egregor gang and its affiliates claim to have compromised approximately 150 corporate networks both in the U.S. and other countries. In some cases, the extortion demands have reached upwards of $4 million, according to a previous report by cybersecurity firm Group-IB.
The FBI alert notes that Egregor operates in a service model, which includes the operators of the actual ransomware as well as affiliated cybercriminals that carry out their own attacks and receive a percentage of the ransom if the money is paid by the victim. This makes defending and mitigating against these types of attacks difficult.
"Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures used in its deployment can vary widely, creating significant challenges for defense and mitigation," the FBI alert notes. "Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices."
Other researchers have noted that Egregor is one of several cybercriminal operations that exfiltrates data before crypto-locking systems and files, and then threatens to leak the information unless it receives a ransom from the victim. The now-defunct Maze group began using this tactic in November 2019, after which more than a dozen other operators followed suit, including the REvil, aka Sodinokibi, gang.
While fairly new, the Egregor gang and its affiliates have been tied to several high-profile attacks over the past five months, including ones that targeted a Canadian public transportation agency and a Dutch human resources and staffing firm in December. The ransomware is also believed to have compromised the networks of Barnes & Noble and Kmart (see: Egregor Ransomware Slams HR Firm and Transport Agency).
Techniques
The FBI alert notes that the operators behind Egregor typically use phishing emails with malicious attachments or links as part of the initial attack vector. The gang is also known to exploit vulnerabilities in Microsoft's Remote Desktop Protocol tool and VPNs to gain initial access before moving laterally throughout the network.
Once the network is compromised, Egregor will deploy legitimate penetration testing tools such as Cobalt Strike, Advanced IP Scanner and AdFind to escalate administrative privileges and move laterally through a network.
The gang or its affiliates will also use tools such as Rclone, which is sometimes hidden or renamed as a service host process dubbed "svchost," and 7zip to steal and exfiltrate data before the final ransomware payload is delivered and files are encrypted, according to the FBI.
Brett Callow, a threat analyst at security firm Emsisoft, notes that the Egregor gang and its affiliates will also use other unusual techniques as part of their attack.
"There are a couple of unusual things about Egregor. First, it can spit out the ransom note on any connected printer - which seems like a somewhat odd move as it often results in incidents quickly becoming public knowledge, meaning companies no longer have the incentive to pay quickly and quietly to avoid publicity," Callow tells Information Security Media Group. "Secondly, the group initially racked up victims at an unprecedented rate. This is probably because multiple threat actors joined Egregor's affiliate program after the Maze group ended its operation, taking with them details of compromised networks that had yet to be exploited."
And while Egregor's operators have developed multiple methods to hide their tactics and techniques, and have also made the source code difficult to analyze, Callow says that the ransomware acts much like other crypto-locking malware.
Jamie Hart, a cyber threat intelligence analyst at security firm Digital Shadows, notes that Egregor shares many similarities with the now-defunct Maze ransomware gang, with both targeting the same types of victims and using similar language in their ransomware notes.
"Significant similarities in the profiles of their victims and analysis of ransom notes indicate that the Maze ransomware operators, which closed operations in October 2020, are now running the Egregor ransomware variant," Hart says. "Although neither group has confirmed this theory, the timeline of Maze calling it quits is interestingly coincidental to Egregor taking off. Activity conducted by Egregor suggests the operators are extremely sophisticated and likely have experience in the ransomware landscape."
Mitigation
The FBI alert also notes that businesses and other organizations can take several steps to mitigate Egregor and other ransomware attacks, including:
Backing-up critical data offline;
Ensuring that copies of critical data are in the cloud or on an external hard drive or storage device;
Securing back-ups and ensuring data is not accessible for modification or deletion from the system where the data resides;
Utilizing two-factor authentication;
Prioritizing patching of public-facing remote access products and applications, including recent RDP vulnerabilities such as CVE-2020-0609, CVE-2020-0610 and CVE-2020-16896;
Finally, security teams should be reviewing suspicious BAT and DLL files with recon data and exfiltration tools.
The FBI also notes that those who are targeted by ransomware should not pay the ransom, as it will likely encourage additional criminal activity. The U.S. Treasury Department has also warned organizations not to pay ransoms, as they could face sanctions (see: Treasury Dept. Warns Against Facilitating Ransom Payments).
