Watch Out for the New Kid on the Block: Egregor Ransomware
Table of Contents
- By Dawna M. Roberts
- Published: Oct 26, 2020
- Last Updated: Mar 18, 2022
A new threat of ransomware called Egregor is hitting the streets hard and attacking corporate data that the hijackers then threaten to leak.
What is Egregor?
Since September, corporate entities have been under attack by a new cybercriminal group using ransomware called Egregor (which stands for a group of individuals). Researchers claim the name is an occult reference meaning collective energy with a common purpose.
The ransomware itself stems from an older version called Sekhmet ransomware. Security expert Gustavo Palazolo of Appgate told Threatpost in an interview on the subject that "We found similarities in both Sekhmet and Egregor ransomware, such as obfuscation techniques, functions, API calls and strings, such as %Greetings2target% and %sekhmet_data% changing to %egregor_data%. Furthermore, the ransom note is also fairly similar."
Who Was Affected?
Recently the group used its signature ransomware to target Barnes and Noble bookstores. In September, the attack occurred, and Barnes and Noble's officials confirmed that the group encrypted files containing customer emails, shipping, and billing addresses, and purchase history. The group threatened to leak the data if B&N didn't pay up.
Along with Barnes and Noble, Egregor has also hit a few gaming companies such as Ubisoft and Crytek. With Ubisoft, the hacker collective took control of servers and threatened to leak the source code for the game Watch Dogs: Legion, a month before its release to the public. In the Crytek incident, the cyber thieves actually leaked 300MB of data related to the development of games such as Warface and Arena of Fate.
Currently, 13 U.S. companies have fallen victim to Egregor, including the global logistics company GEFCO who was attacked just last week. The hacker gang keeps a website on the dark web called Egregor News, where they share the complete list of victims they are calling the "hall of shame."
Along with a few U.S. targets, businesses in Italy, Mexico, Saudi Arabia, Germany, and France have also been hit by Egregor.
Ransom Note Details
Threat researchers aren't sure when Egregor first started operating, but it was first noted on Twitter on September 18. Unlike many ransomware attacks, with Egregor, the victim is given only three days to pay, and then the data will be leaked via "mass media," announcing the attack to the world so there will be no way to keep it quiet. Threatpost shared a snippet of the actual ransom note, which read, "What does it mean? It means that soon mass media, your partners, and clients WILL KNOW about your PROBLEM."
As of yet, hackers have not leaked any data via mass-media. However, security experts did find some of the leaked data on the dark web for viewing.
Another section of the ransom note reads, "(In case the payment is done) … You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter." This means that along with getting their data back, the victims will receive security recommendations from the cybercriminals so they won't be hacked again.
Appgate's Palazolo commented that "The 'security recommendations' caught our attention since it's something unusual for a criminal group; they are trying to play good guys by suggesting they would try to help secure your network."
Unfortunately, the ransom note does not include any details about the payment amount. What it does is run the victim through a maze to obtain the figure before paying it. The note includes a link to a website on the deep web along with instructions on how to open a live chat with the hacker to find out how to pay the ransom. So far, security experts have not gotten that far.
The Problem
Unfortunately, this latest strain of ransomware has built-in anti-analysis features such as code obfuscation and packed payloads, making it very difficult to reverse engineer and combat. The only way to remove the encryption is to enter the correct key in the command line. The key is supplied upon payment of the ransom.
Many of the latest ransomware attacks include this double-extortion method, where the threat actors not only steal and encrypt the data. They then immediately threaten to leak it online to the public. So far, this technique does not seem to be working in that most victims do not pay.
Retail Companies Watch Out!
Since Egregor has switched tactics and targets and is now actively searching for ways to gain access to major retail outlets, companies need to step up their security game and look out for this dangerous threat. Experts warn companies also to take these measures:
- Keep reliable backups of all your systems.
- Update operating systems with the latest security patches immediately.
- Protect your data with strong encryption algorithms.
- Have a security firm assess and implement other security measures to keep everything safe.
