Egregor ransomware is a growing threat to enterprises around the world, the FBI warned this week in a new alert. Made available to cybercriminals on a ransomware-as-a-service model (lease your malware, share your profits), Egregor is being used by a large number of actors, meaning “the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation”, the FBI warned in a January 6 Private Industry Notification.
For those napping, deeply, under a large rock, ransomware attacks typically involve your endpoints being locked, a ransom being demanded, then your data (stolen during the earlier network intrusion) leaked in a double-whammy of an extortion effort. The UK’s NCSC has warned businesses to ensure they have regular backups kept offline, saying that its team has seen “numerous incidents where ransomware has not only encrypted the original data on-disk, but also the connected USB and network storage drives holding data backups. Incidents involving ransomware have also compromised connected cloud storage locations containing backups.”
Egregor ransomware threat vectors vary, but watch out for…
Cybercriminals using Egregor are using the typical trio of initial threat vectors to attack their targets: phishing emails with malicious attachments, Remote Desktop Protocol (RDP) or vulnerable VPNs, the FBI said, adding that businesses should prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108.
Once Egregor gains access to the network, Egregor ransomware affiliates use common pen testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across a network, and tools like Rclone (sometimes renamed or hidden as svchost) and 7zip to exfiltrate data.
As Sophos noted late in 2020, the approach to launching the ransomware varied across the incidents it examined: “In some cases, it was launched by a script, and in others it was configured as a scheduled Windows task. As with Sekhmet, the Egregor ransomware itself is not an executable, but a dynamic link library (DLL) that is executed using Windows’ rundll32.exe utility. To evade sandbox detection, the DLL will only execute when given a password as a command line parameter.”
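Two of the behaviours described above can be checked for in process-creation logs: a tool masquerading as svchost, and a DLL run through rundll32.exe with an extra command-line argument. The Python below is an added example, not code from the FBI alert or from Sophos; the event field names, paths, arguments and sample events are constructed assumptions.

```python
import ntpath
import re

# Directories where the genuine svchost.exe resides (lower-cased).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# rundll32 <dll>,<export> [extra arguments]; the DLL path may be quoted.
RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)(?P<extra>.*)$',
    re.IGNORECASE,
)

def check_event(event):
    """Return a list of findings for one process-creation event."""
    findings = []
    image = event["image"].lower()
    # A binary named svchost.exe outside the system directories is a masquerade.
    if ntpath.basename(image) == "svchost.exe" and ntpath.dirname(image) not in SVCHOST_DIRS:
        findings.append("svchost.exe running outside System32/SysWOW64")
    m = RUNDLL32.search(event["command_line"])
    if m:
        dll_dir = ntpath.dirname(m.group("dll").strip().lower())
        # A bare name such as shell32.dll resolves via the system search path.
        outside_windows = bool(dll_dir) and not (dll_dir + "\\").startswith("c:\\windows\\")
        # Legitimate system DLLs also take arguments, so require both conditions.
        if outside_windows and m.group("extra").strip():
            findings.append("rundll32 loading non-system DLL with extra arguments")
    return findings

# Constructed sample events (assumed field names; not from a real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\svchost.exe",
     "command_line": r"C:\ProgramData\svchost.exe --example-option"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\Public\example.dll,DllRegisterServer -EXAMPLE_ARG"},
]

def scan(events):
    """Return (command_line, finding) pairs for every flagged event."""
    return [(e["command_line"], f) for e in events for f in check_event(e)]

if __name__ == "__main__":
    for cmd, finding in scan(SAMPLE_EVENTS):
        print(f"{finding}: {cmd}")
```

Both checks are heuristics for triage and will need tuning against software that legitimately loads DLLs from outside the Windows directory.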
The Egregor ransomware ring has posted the details of over 150 victims on its Tor hidden services (.onion) website, including manufacturers, logistics organisations, financial institutions, and technology companies. The FBI emphasises security hygiene basics like security software on all endpoints, highly restricted VPN and RDP access with MFA, and for businesses to review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools, as well as ensuring regular backups in multiple locations that are “not accessible for modification or deletion from the system where the data resides”.