Introducing Egregor Ransomware Group
First observed on September 25th, 2020, the Egregor ransomware variant has been making considerable strides in the wake of Maze, another ransomware threat actor that ceased operations in October 2020.
Some security researchers have drawn many parallels between the two groups, including overlap in malware signatures, the victimology (with the majority of victims belonging to the Industrial Goods & Services sector), and the practice of leaking companies' sensitive data on a dark web based "News" website.
While there is no way of verifying these claims, we can determine from an analysis of their activity and ransomware that Egregor has become the leading variant, with much potential to become a more significant threat to your organization in the coming months.
Who Is the Egregor Ransomware Group? A Busy Quarter:
Egregor has had a very dynamic Q4. As of November 17th, 2020, the Egregor ransomware group has named 71 victims spanning 19 different industry verticals. The level of sophistication of their attacks, their adaptability in infecting such a broad range of victims, and the significant increase in their activity suggest that Egregor ransomware operators have been developing their malware for some time and are just now putting it to (malicious) use.
In terms of motives, Egregor's double-extortion ransomware model shows them to be financially motivated. Following this model, Egregor completes a breach and then begins to release data easily traceable to the victim as proof, while demanding a hefty ransom sum in exchange for not releasing more. While their ransomware model is consistent, Egregor's victims vary. The overall trends we found were that victims clustered in the Industrial Goods & Services sector (38%), and that the vast majority were US-based companies (83%).
Figure 1: Egregor victims by country
Egregor victims have increased 240% from September 25th (15 incidents) to October 31st (51 incidents) and 43% as of November 17th, bringing total incidents to 71.

Figure 2: Egregor activity since 25 September. Source: Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection)
Egregor first caught the cybersecurity world's attention in October with their attacks on Barnes & Noble and on the video game producers Ubisoft and Crytek. Egregor operators released two Windows Registry hives taken from Barnes & Noble, contending that they contained highly sensitive financial data about the bookseller.
In the attack against the video game industry giant Ubisoft, Egregor claimed to have stolen source code for the not yet released Ubisoft game "Watchdogs: Legion." While there was no confirmation from Ubisoft employees on the matter, the gang released 200MB of data about in-game assets. It is possible this information could have been obtained from some other source online. Still, given the company's history of threat actors succeeding through email phishing (gaining access to data through emails sent to employees with malicious attachments or links that trigger the malware on the target system), it is highly likely that this was a targeted success.
Another massive gaming company, Crytek, confirmed they had lost almost 400MB of data relating to their first-person shooter game, "Warface," and the now-closed multiplayer online battle game, "Arena of Fate." Given the demonstrated increase in activity and apparent technical sophistication, these claims are realistically possible, and Egregor attacks will likely continue over the short-term future.
How Does Egregor Ransomware Group Act?
Since the Egregor ransomware group has only been active since September 25th, there is limited information about their common tactics, techniques, and procedures (TTPs).
So far, our researchers have found that the Egregor malware uses multiple anti-analysis techniques, such as code obfuscation and packed payloads, making it challenging to analyze. More specifically, Windows application programming interfaces (APIs) are leveraged to encrypt the payload data. Unless the correct command-line argument is supplied, the payload data cannot be decrypted and the malware cannot be analyzed.
When the correct command-line argument is supplied, the malware executes by injecting into the iexplore.exe process, encrypting all text files and documents, and dropping a ransom note (pictured below) within each folder that holds an encrypted file. This process extends to files on remote machines and servers, located through checks on LogMeIn event logs.
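The behaviour just described (a ransom note dropped into every folder that holds an encrypted file) gives defenders a simple file-system signal to hunt for. The script below is an added example, not code from the original post or from Digital Shadows: it walks a directory tree, flags files whose leading bytes have near-random Shannon entropy (a rough proxy for encrypted content), and reports directories where such files sit next to a ransom note. The note file name `RANSOM-NOTE-PLACEHOLDER.txt`, the entropy threshold of 7.5 bits per byte, and the sample directory it builds are all assumptions made for the demonstration; substitute the note name seen in your own incident.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed ransom-note file name (placeholder): the post only states that a
# note is dropped into each folder holding an encrypted file.
NOTE_NAMES = {"ransom-note-placeholder.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data sits close to 8.0
SAMPLE_BYTES = 4096      # only the head of each file is read
MIN_SAMPLE = 256         # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, note_names=NOTE_NAMES, threshold=ENTROPY_THRESHOLD):
    """Return {directory: {"note": bool, "high_entropy": [names], "total": n}}.

    A directory is recorded with note=True when a file whose lower-cased
    name is in note_names is present; high_entropy lists the other files
    whose leading bytes exceed the entropy threshold.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        note, high, total = False, [], 0
        for name in filenames:
            if name.lower() in note_names:
                note = True
                continue
            total += 1
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= threshold:
                high.append(name)
        findings[dirpath] = {"note": note, "high_entropy": sorted(high), "total": total}
    return findings


def suspicious_dirs(findings):
    """Directories holding a ransom note next to at least one high-entropy file."""
    return sorted(d for d, f in findings.items() if f["note"] and f["high_entropy"])


def build_demo_tree():
    """Constructed sample tree: one clean folder and one 'hit' folder."""
    root = tempfile.mkdtemp(prefix="egregor-demo-")
    clean = Path(root, "clean")
    clean.mkdir()
    (clean / "report.txt").write_text("quarterly figures\n" * 100)
    hit = Path(root, "finance")
    hit.mkdir()
    rng = random.Random(7)  # seeded so the sample is reproducible
    (hit / "ledger.xlsx").write_bytes(bytes(rng.getrandbits(8) for _ in range(8192)))
    (hit / "RANSOM-NOTE-PLACEHOLDER.txt").write_text("your files are encrypted\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for d in suspicious_dirs(scan_tree(demo_root)):
        print("ransom note beside encrypted files:", d)
```

Entropy alone produces false positives on legitimately compressed or encrypted content (archives, media, existing encrypted documents), which is why the report keys on the note-plus-high-entropy combination rather than on entropy by itself; in a real sweep, run it against file shares and remote hosts as well, since the post notes that the encryption reaches files on remote machines and servers.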

Figure 3: Egregor ransomware group’s ransom note
Regarding data leakage, the ransom note instructs Egregor ransomware victims to download the Tor browser and contact the developers within three days. If the victim does not follow the instructions and pay up, their company data is published to the "Egregor News" data leak site (DLS) for public consumption.
Operators of other malware, such as Qakbot (also known as Qbot), have taken note of Egregor's progress and evolved: the banking trojan's operators are suspected to have recently abandoned ProLock in favor of Egregor ransomware in their deployments.
How Can I Protect My Organization Against Egregor Ransomware?
Given their sophisticated technical capabilities for hindering analysis of the malware and for targeting a large variety of organizations, we can only conclude that the Egregor ransomware group will continue to operate, posing an increasing risk to your organization.

Figure 5: Using Shadow Search (now ReliaQuest GreyMatter Digital Risk Protection) Summary View to view references to Egregor
Knowing this can leave you or your organization feeling helpless, but more importantly, these attacks are by and large preventable. We have collected a list of their MITRE ATT&CK techniques and IOCs and shared them at the end of this blog.
How Can I Stay Up to Date on the Ransomware Landscape?
Tracking ransomware groups' tactics and trends can be daunting, and it is easy to get buried in all the information out there.
Looking to keep up to date on threat actor activity and gain actionable insights from ransomware trends? SearchLight (now ReliaQuest's GreyMatter Digital Risk Protection) presents threat intelligence and assesses the risk that specific actors pose to your industry, company, and assets.

Figure 6: Subscribing to the Egregor tag in SearchLight
If you’re a Digital Shadows (now ReliaQuest) client, you’ll be able to subscribe to the Egregor tag, or use this search term to set up alerts on new instances of Egregor victims:
MITRE ATT&CK techniques:
Valid Accounts (T1078)
PowerShell (T1086)
System Services: Service Execution (T1569)
Account Manipulation (T1098)
Brute Force (T1110)
Account Discovery (T1087)
Abuse Elevation Control Mechanism: Bypass User Access Control (T1548)
File Permissions Modification (T1222)
Data Encrypted for Impact (T1486)
Inhibit System Recovery (T1490)
System Information Discovery (T1082)
Process Discovery (T1057)
Screen Capture (T1113)
Compile After Delivery (T1500)
Service Execution (T1035)
Credentials in Registry (T1214)
Phishing (T1566)
Create or Modify System Process (T1543)
Impair Defenses (T1562)
Data Obfuscation (T1001)