What is Egregor Ransomware?


Egregor is a cybercriminal organization that specializes in a particular subset of ransomware operations. In Western occultism, "egregor" refers to the collective energy of a group of people working together toward a shared goal.

It is believed that the ransomware developers of the prominent cybercrime group Maze founded Egregor after Maze ceased operations in October 2020. The extensive scope of Maze's ransomware campaigns gave the newly established Egregor group a significant foundation to build upon.

After successfully breaking into Barnes & Noble and the video game developers Crytek and Ubisoft in October 2020, Egregor gained a reputation for being destructive.

Egregor is only one of several cyber threats that have benefited from the pandemic's abrupt increase in people's reliance on digital infrastructures. Some of these attacks even expressly target the healthcare industry, which might have terrible repercussions for people with Covid-19. Ransomware as a service is the operating model for Egregor.

What is Ransomware as a Service (RaaS)?

Ransomware as a Service (RaaS) borrows the Software as a Service (SaaS) model. Criminal affiliates subscribe to the ransomware software, which lets even inexperienced attackers launch devastating and extremely sophisticated ransomware attacks.

Affiliates of ransomware are incentivized to spread the harmful software because they receive enormous payouts for each successful cyberattack, which causes the ransomware business to scale very quickly over a short period of time. The quick international growth of Egregor is proof of this effective growth approach.

What is Egregor Ransomware?

The malware called Egregor ransomware is a combination of Sekhmet ransomware and Maze ransomware. All three ransomware variations share code, and it appears that they are all aimed at the same type of victim.

Attacks using the Egregor ransomware are distinguished for their cruel but extremely successful double-extortion strategies. Sensitive data is stolen by a cybercrime organization, which then encrypts it to prevent the victim from accessing it. Then, as evidence of the successful exfiltration, they post a portion of the infiltrated data on the dark web.

The victim is then given instructions in a ransom note to pay a predetermined sum within three days to stop the criminal network from publishing any more of the stolen information. The seized data is fully decrypted if the ransom is paid before the deadline.

Egregor Ransomware − How Does It Operate?

Like all ransomware, the Egregor variant enters a victim's environment through a loader. Both the loader and the ransomware payload it deploys are heavily obfuscated to hinder static analysis and any attempt at decryption. The payload can only be examined with the exact command line that was used to run it.

After a successful intrusion, the Egregor ransomware modifies the victim's firewall settings to enable Remote Desktop Protocol (RDP). It then moves carefully through the victim's network, quietly locating and disabling every anti-virus program.

Once all defenses are disabled, the Egregor ransomware encrypts all of the compromised data and drops a ransom note with the filename "RECOVER-FILES.txt" into every compromised folder.

In order to communicate with the threat actors through a specific landing page on the dark web, victims are prompted to download a dark web browser.
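The behaviours described in this section (a firewall change that enables RDP, anti-virus services being stopped, and RECOVER-FILES.txt appearing in many folders) are what a defender would watch for. The following detector is an added example and not code from the article or from any security vendor: it scans constructed, simplified endpoint event lines for those three signals. The log line format, host names and anti-virus service names are invented for the example; real telemetry (Windows event logs, EDR feeds) needs its own parser.

```python
"""Added example, not part of the original article: a small detector that
scans constructed endpoint event lines for the behaviours the article
describes for Egregor (a firewall change enabling RDP, anti-virus services
being stopped, and the ransom note RECOVER-FILES.txt being written into
many folders). The log line format and service names are invented for
this example; real telemetry needs its own parser."""
import re
from collections import defaultdict

NOTE_NAME = "RECOVER-FILES.txt"   # ransom note filename named in the article
NOTE_FOLDER_THRESHOLD = 3         # constructed: note in this many folders = mass drop
RDP_PORT = "3389"

# Hypothetical anti-virus service names for the example (not a vendor list).
AV_SERVICES = {"WinDefend", "ExampleAVService"}

# Constructed log lines: "<timestamp> <host> <event_type> key=value ...".
# Paths here contain no spaces, so splitting on whitespace is enough.
SAMPLE_LOG = """\
2020-10-20T09:01:02Z ws01 firewall_rule action=allow port=3389 protocol=tcp enabled=true
2020-10-20T09:01:05Z ws01 service_stop name=WinDefend
2020-10-20T09:01:06Z ws01 service_stop name=Spooler
2020-10-20T09:02:10Z ws01 file_write path=C:\\Users\\alice\\Documents\\RECOVER-FILES.txt
2020-10-20T09:02:11Z ws01 file_write path=C:\\Users\\alice\\Pictures\\RECOVER-FILES.txt
2020-10-20T09:02:12Z ws01 file_write path=C:\\Finance\\Q3\\RECOVER-FILES.txt
2020-10-20T09:02:13Z ws01 file_write path=C:\\Finance\\Q3\\report.xlsx
2020-10-20T09:03:00Z ws02 file_write path=C:\\Temp\\RECOVER-FILES.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed event line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event"), **fields}


def detect(log_text):
    """Return a list of alert dicts for the Egregor-style behaviours found in the log."""
    alerts = []
    note_folders = defaultdict(set)   # host -> folders that received the ransom note
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        host = ev["host"]
        # Signal 1: a firewall rule that newly allows inbound RDP.
        if (ev["event"] == "firewall_rule" and ev.get("port") == RDP_PORT
                and ev.get("action") == "allow" and ev.get("enabled") == "true"):
            alerts.append({"host": host, "rule": "rdp_enabled_by_firewall_change", "ts": ev["ts"]})
        # Signal 2: an anti-virus service being stopped (other services are ignored).
        elif ev["event"] == "service_stop" and ev.get("name") in AV_SERVICES:
            alerts.append({"host": host, "rule": "av_service_stopped", "detail": ev["name"], "ts": ev["ts"]})
        # Signal 3: the ransom note being written; count distinct folders per host.
        elif ev["event"] == "file_write":
            folder, _, name = ev.get("path", "").rpartition("\\")
            if name == NOTE_NAME:
                note_folders[host].add(folder)
    # One aggregated alert per host for the ransom note; many folders means a mass drop.
    for host, folders in sorted(note_folders.items()):
        severity = "high" if len(folders) >= NOTE_FOLDER_THRESHOLD else "medium"
        alerts.append({"host": host, "rule": "ransom_note_written",
                       "folders": len(folders), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as a script, it prints one alert for the RDP firewall change on ws01, one for the stopped anti-virus service, a high-severity note alert for ws01 (three folders) and a medium one for ws02 (one folder). The aggregation step matters in practice: a single ransom note file is noise-prone, while the same filename landing in many folders within seconds is the encryption run described in the text.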

How to Mitigate the Risk of Egregor Ransomware?

Security professionals are still working to fully comprehend the operation of the Egregor ransomware threat because it is a new threat. The analysis done thus far by security teams has led to the following mitigation recommendations.

  • Watch for infections by the Qakbot, Ursnif, and IcedID malware families. Egregor ransomware has been observed being delivered by these common malware families. If you discover such infections inside your own network or within your vendor network, respond immediately.

  • Inform every employee of phishing attack warning flags.

  • Ransomware is often introduced through phishing campaigns. Such campaigns can open a gateway for the Egregor ransomware or any of its sister payloads, including the malware known as Qakbot, Ursnif, and IcedID.

  • Make sure everyone on your staff is aware of the warning signs of phishing and clickjacking attacks.

  • Configure all anti-virus profiles to block all decoders other than POP3 and IMAP.

  • Turn off all remote access features.

  • Monitor your security posture and patch any weaknesses you find.

  • Add an anti-virus profile to all security policies.

  • Apply zone protection profiles to all zones.

  • Apply security policies to all traffic coming from untrusted sources.

  • Remove all security policies that allow traffic with a "Service setting of ANY".
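Several of the items in the list above (anti-virus profile on every policy, decoders other than POP3 and IMAP blocked, zone protection on every zone, security profiles on traffic from untrusted sources, no remote access, no policy with a service of ANY) can be checked mechanically against a firewall configuration. The audit below is an added example and not code from the article or from any firewall vendor: it runs those checks over a constructed, vendor-neutral model of policies, anti-virus profiles and zones. The data model, zone names, profile names and service object names (such as "tcp-3389" for RDP) are invented for the example; a real configuration would first be exported and mapped into this shape.

```python
"""Added example, not part of the original article: an audit of a constructed,
vendor-neutral model of firewall configuration against the article's
mitigation items (anti-virus profile on every policy, decoders other than
POP3/IMAP blocked, zone protection on every zone, security profiles on
traffic from untrusted zones, no policy with service 'any', no remote
access allowed). The data model, zone names and profile names are invented
for this example."""

PASSTHROUGH_DECODERS = {"pop3", "imap"}            # article: block every other decoder
UNTRUSTED_ZONES = {"untrust", "guest"}             # constructed zone names
REMOTE_ACCESS_SERVICES = {"tcp-3389", "tcp-22"}    # constructed: RDP and SSH service objects

# Constructed anti-virus profiles: decoder name -> action.
SAMPLE_AV_PROFILES = {
    "av-strict": {"http": "block", "smtp": "block", "ftp": "block", "smb": "block",
                  "pop3": "alert", "imap": "alert"},
    "av-loose":  {"http": "alert", "smtp": "block", "ftp": "block", "smb": "block",
                  "pop3": "alert", "imap": "alert"},
}

# Constructed zones: zone name -> zone protection profile (None = none applied).
SAMPLE_ZONES = {"trust": "zp-default", "untrust": "zp-default", "guest": None}

# Constructed security policies (evaluated top to bottom on a real firewall).
SAMPLE_POLICIES = [
    {"name": "web-out", "from_zone": "trust", "to_zone": "untrust", "service": "tcp-443",
     "action": "allow", "antivirus": "av-strict", "other_profiles": ["vuln-default"]},
    {"name": "legacy-any", "from_zone": "trust", "to_zone": "untrust", "service": "any",
     "action": "allow", "antivirus": None, "other_profiles": ["vuln-default"]},
    {"name": "inbound-rdp", "from_zone": "untrust", "to_zone": "trust", "service": "tcp-3389",
     "action": "allow", "antivirus": "av-loose", "other_profiles": []},
    {"name": "guest-to-dmz", "from_zone": "guest", "to_zone": "dmz", "service": "tcp-80",
     "action": "allow", "antivirus": None, "other_profiles": []},
    {"name": "deny-all", "from_zone": "any", "to_zone": "any", "service": "any",
     "action": "deny", "antivirus": None, "other_profiles": []},
]


def audit_policies(policies, av_profiles, zones):
    """Return a sorted list of (object_name, finding) tuples, one per violated item."""
    findings = []
    for p in policies:
        if p["action"] != "allow":
            continue                               # deny rules carry no inspection duty
        if p["service"] == "any":                  # "Service setting of ANY"
            findings.append((p["name"], "service_any"))
        if p["antivirus"] is None:                 # anti-virus profile on every policy
            findings.append((p["name"], "missing_av_profile"))
        if p["service"] in REMOTE_ACCESS_SERVICES:  # remote access should be turned off
            findings.append((p["name"], "remote_access_allowed"))
        has_profiles = p["antivirus"] is not None or bool(p["other_profiles"])
        if p["from_zone"] in UNTRUSTED_ZONES and not has_profiles:
            findings.append((p["name"], "untrusted_source_without_profiles"))
    # Decoder check: everything except POP3 and IMAP must be blocked.
    for prof_name, decoders in av_profiles.items():
        for decoder, action in decoders.items():
            if decoder not in PASSTHROUGH_DECODERS and action != "block":
                findings.append((prof_name, "decoder_not_blocked:" + decoder))
    # Zone protection on every zone.
    for zone, zp in zones.items():
        if zp is None:
            findings.append((zone, "zone_protection_missing"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_policies(SAMPLE_POLICIES, SAMPLE_AV_PROFILES, SAMPLE_ZONES):
        print(f"{name}: {finding}")
```

On the constructed input the audit reports seven findings: the "legacy-any" policy for both the ANY service and the missing anti-virus profile, "inbound-rdp" for allowing remote access from the untrusted zone, "guest-to-dmz" for having no profiles at all on traffic from an untrusted zone, the "av-loose" profile for leaving the HTTP decoder unblocked, and the "guest" zone for lacking zone protection. The clean "web-out" policy and the "deny-all" rule produce nothing, which is the point of auditing by allow rules rather than by policy count.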

Egregor is still a relatively new actor in the field of cybercrime. Although their initial attacks were already devastating, the worst is yet to come, because such a highly skilled team of threat actors runs the operation.

Updated on: 05-Aug-2022
