What is Egregor ransomware? The new threat of 2020

Since stepping into the cybercriminal arena in September 2020, the Egregor group has penetrated over 71 businesses globally, including recruitment giant Randstad and US retailer Kmart.

But who is the Egregor group and how have they managed to rise up as a significant cyber threat in just a few short months?

Who is Egregor?

Egregor is a cybercriminal group specializing in a unique branch of ransomware attacks. Egregor is a term in Western Magic referring to the collective energy of a group of people united with a common purpose.

It is speculated that the ransomware operators of the notorious cybercrime group Maze formed Egregor after shutting down their own operations in October 2020.

Maze's ransomware attack efforts were far-reaching, providing the newly formed Egregor group a prominent platform to springboard from.

Global reach of Maze ransomware infections - source: mcafee.com

Egregor earned its destructive reputation after the group successfully breached Barnes & Noble and the video game developers Crytek and Ubisoft in October 2020.

In the Barnes & Noble cyberattack, Egregor claimed to have accessed financial and audit information. In an internal email to its customers, Barnes & Noble stated that customer financial data was not stolen. The attack also caused temporary outages to Barnes & Noble's Nook e-readers.

In the Crytek and Ubisoft cyberattacks, the ransomware gang claimed to have exfiltrated the source code for upcoming releases, including Watch Dogs: Legion and Arena of Fate. Egregor published a subset of the stolen data on its dark web site, but the legitimacy of the source code breach was inconclusive.

Egregor is one of many cyber threats that have taken advantage of the sudden mass dependency on digital infrastructures brought about by the pandemic. Some of these threats are even specifically targeting the healthcare sector, which could have devastating consequences for Covid-19 patients.

Egregor operates on a ransomware as a service model.

What is ransomware as a service?

Ransomware as a Service (RaaS) is an adaptation of the Software as a Service (SaaS) model. Criminal affiliates subscribe to the ransomware software, enabling even the most novice hackers to launch devastating and highly complex ransomware attacks.

Because ransomware affiliates are paid prodigious dividends for each successful cyberattack, they are motivated to spread the malicious software, rapidly scaling the ransomware operation over a short period of time. Egregor's swift global expansion is evidence of this successful growth strategy.

What is Egregor ransomware?

Egregor ransomware is a form of malware that is a modification of both Sekhmet ransomware and Maze ransomware. There are code similarities across all three ransomware variants, and they all appear to target the same victim demographic.

Egregor ransomware victim demographic and targeted industries - source: bleepingcomputer.com

Egregor ransomware attacks are characterized by their brutal, yet highly effective double-extortion tactics. The cybercrime group breaches sensitive data, encrypting it so that it cannot be accessed by the victim. They then publish a subset of the compromised data on the dark web as proof of the successful exfiltration.

The victim is then instructed in a ransom note to pay a set price within 3 days to prevent further personal data from being published on the criminal-infested network. If the ransom is paid before the ultimatum expires, the seized data is fully decrypted.

Egregor ransom note - source: bleepingcomputer.com

How does Egregor ransomware work?

Egregor ransomware, like all ransomware, is delivered to a victim via a loader. Both the loader and the subsequently installed ransomware undergo extensive code obfuscation to hinder static analysis and the possibility of decryption. The Egregor payload can only be analyzed by supplying the same command line that was used to run the payload.

After a successful breach, the Egregor ransomware manipulates the victim's firewall settings to enable Remote Desktop Protocol (RDP). The software meticulously moves throughout the victim's network, clandestinely identifying and disabling all anti-virus software.

With all defenses disarmed, the Egregor ransomware encrypts all of the breached data and inserts a ransom note titled "RECOVER-FILES.txt" into all compromised folders.

Victims are instructed to download a dark web browser to communicate with the threat actors via a dedicated landing page on the dark web.

Egregor victim communication landing page on the dark web

Egregor ransomware threat mitigation

Because Egregor ransomware is a novel threat, cybersecurity experts are still working out exactly how it operates. The following mitigation suggestions have been garnered from the analyses published by security teams to date.

  • Monitor for Qakbot, Ursnif, and IcedID malware infections.

    Commodity malware such as Qakbot, Ursnif, and IcedID has been observed to deliver Egregor ransomware as a secondary payload. If you identify these threats internally, or within your vendor network, immediate remediation is critical.

  • Educate all staff on the signs of phishing attacks.

    Phishing attacks are a common attack vector for delivering ransomware. They could create a gateway for Egregor ransomware or any of its sister payloads: QakBot, Ursnif, and IcedID malware.

    You should ensure your staff is aware of all the signs of a phishing attack and a clickjacking attack.

  • Set all anti-virus profiles to block all decoders, besides POP3 and IMAP.
  • Disable all remote access capabilities.
  • Continuously monitor your security posture to remediate all vulnerabilities.
  • Append an anti-virus profile to all security policies.
  • Implement zone protection policies for all zones.
  • Apply information security policies to all traffic from untrusted sources.
  • Remove all security policies that permit traffic with a service setting of "ANY".
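As an added detection example (not from this article or from UpGuard), the following Python script scans constructed endpoint telemetry for the three behaviours described under "How does Egregor ransomware work?" and serves the monitoring advice above: an inbound RDP firewall rule being added, an anti-virus service being stopped, and RECOVER-FILES.txt appearing in multiple folders on one host. The log format, host names, anti-virus service names and the three-folder threshold are assumptions.

```python
import re

# Constructed sample telemetry (not real Egregor logs): one event per line,
# "<timestamp> host=<name> type=<firewall|service|file> key=value ...".
SAMPLE_LOG = """\
2020-11-03T09:12:01Z host=ws-17 type=firewall action=add dir=in port=3389 proto=tcp
2020-11-03T09:12:05Z host=ws-17 type=service name=WinDefend state=stopped
2020-11-03T09:12:09Z host=ws-17 type=file op=create path=C:\\Users\\alice\\Documents\\RECOVER-FILES.txt
2020-11-03T09:12:09Z host=ws-17 type=file op=create path=C:\\Users\\alice\\Pictures\\RECOVER-FILES.txt
2020-11-03T09:12:10Z host=ws-17 type=file op=create path=C:\\Shares\\Finance\\RECOVER-FILES.txt
2020-11-03T09:15:44Z host=ws-02 type=service name=Spooler state=stopped
2020-11-03T09:16:00Z host=ws-02 type=file op=create path=C:\\Users\\bob\\Desktop\\notes.txt
"""

AV_SERVICES = {"WinDefend", "Sense", "MBAMService"}  # assumed AV/EDR service names
RANSOM_NOTE = "RECOVER-FILES.txt"                     # note name described in the article
NOTE_THRESHOLD = 3                                    # distinct folders before alerting (assumed)

KV = re.compile(r"(\w+)=(\S+)")

def detect(log_text):
    """Return {host: [indicator, ...]} for hosts showing the described behaviours."""
    findings, note_dirs = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = dict(KV.findall(line))  # the timestamp carries no '=', so it is skipped
        host = ev.get("host", "?")
        hits = findings.setdefault(host, [])
        if ev.get("type") == "firewall" and ev.get("action") == "add" \
                and ev.get("dir") == "in" and ev.get("port") == "3389":
            hits.append("inbound RDP (3389) firewall rule added")
        elif ev.get("type") == "service" and ev.get("state") == "stopped" \
                and ev.get("name") in AV_SERVICES:
            hits.append(f"anti-virus service stopped: {ev['name']}")
        elif ev.get("type") == "file" and ev.get("op") == "create" \
                and ev.get("path", "").endswith("\\" + RANSOM_NOTE):
            folders = note_dirs.setdefault(host, set())
            folders.add(ev["path"].rsplit("\\", 1)[0])
            if len(folders) == NOTE_THRESHOLD:  # fire once, on the Nth distinct folder
                hits.append(f"{RANSOM_NOTE} written to {NOTE_THRESHOLD}+ folders")
    return {h: v for h, v in findings.items() if v}  # drop hosts with no indicators

if __name__ == "__main__":
    for host, indicators in detect(SAMPLE_LOG).items():
        print(host, "->", "; ".join(indicators))
```

Any one indicator on its own is noisy; the value is in correlating all three on the same host within minutes, which is what the per-host grouping makes visible.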

Is your business at risk of an Egregor ransomware attack?

Egregor is still a new player in the cybercrime arena. Its initial attacks are already devastating, and with such a sophisticated group of threat actors running the operation, the worst is still yet to come.

At UpGuard, we can protect your business from data breaches, identify all of your data leaks, and help you continuously monitor the security posture of all your vendors.
