Egregor Ransomware Joins an Exclusive Club

Cyber security researchers are warning about a recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months. Similarities to the Sekhmet crypto-locking malware have been noted.

True to other ransomware operators, the bad actors behind Egregor threaten to leak victims' data if the ransom demands are not met within three days. The cybercriminals linked to Egregor also mimic Maze tactics, running a "news" site on the Darknet that lists the victims that have been targeted and posts updates about when stolen and encrypted data will be released. Egregor's ransom note also says that, if the company pays the ransom, the operators will not only decrypt all the files but also provide recommendations for securing the company's network, 'helping' the victim avoid being breached again.

It is not clear how much ransom Egregor is demanding or if any data has been leaked, yet a copy of one ransom note posted online notes these cybercriminals plan to release stolen data through what they call "mass media."

The Egregor ransomware variant was first spotted in mid-September by several independent security researchers, who posted samples of the ransom note on Twitter.

"The first time Egregor was analyzed by our team was earlier this week. We don't have specifics about how long it's operating but seems that the first public appearance of Egregor was September 18 on Twitter by @demonslay335 and @PolarToffee," a security researcher informed Information Security Media Group. "At this time, there are still only 13 companies in the 'hall of shame.'"

The recent alert notes that the Egregor variant appears to be a spinoff of another ransomware strain called Sekhmet, which has also been linked to criminal gangs threatening to release encrypted and stolen data if victims do not pay.

Analysts have noted that the Egregor ransomware uses several types of anti-analysis techniques, including code obfuscation and packed payloads, which means the malicious code "unpacks" itself in memory to avoid detection by security tools.  Without the right decryptor key, it is difficult to analyze the full ransomware payload to learn additional details about how the malware works. 

"The Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided," according to the recent alert.

Researchers say the requirement for a decryption key makes deeper analysis more difficult at this time. If an analyst or researcher has access only to the packed file, without knowing how it was launched in the affected environment, Egregor's payload cannot be decrypted and therefore cannot be executed for analysis.
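The defensive takeaway from the two paragraphs above is that the full command line of every process launch is the artefact an analyst needs when a payload can only be unpacked with a key passed on that command line. The script below is an added example, not code from the Red Sky Alliance report or from any Egregor sample: it reads constructed Sysmon-style process-creation records (the field names, the sample values and the entropy threshold are all assumptions, not observed indicators), flags long, high-entropy arguments that could be key material, and keeps the complete original command line with each finding so it can be preserved for incident response.

```python
"""Flag long, high-entropy command-line arguments in process-creation telemetry.

Added example, not code from the Red Sky Alliance report or from any Egregor
sample. The log records, field names and thresholds below are constructed
assumptions, not observed indicators.
"""

import json
import math
import re
from typing import Dict, List

# Constructed JSON-lines telemetry in a Sysmon-like shape (assumed field names).
SAMPLE_EVENTS = "\n".join([
    r'{"host": "WS-01", "pid": 4120, "cmdline": "notepad.exe C:\\Users\\a\\notes.txt"}',
    r'{"host": "WS-01", "pid": 4188, "cmdline": "\"C:\\Program Files\\Vendor\\agent.exe\" --mode=background --id 00000000000000000001"}',
    r'{"host": "WS-02", "pid": 5012, "cmdline": "C:\\Users\\Public\\update.exe -k 9fK2xQ7pL4mZ8vB3nR6tW1yH"}',
])

MIN_LEN = 16        # assumption: shorter tokens are rarely key material
MIN_ENTROPY = 3.5   # assumption: bits per character; English-like words sit well below
KEYLIKE = re.compile(r"^[A-Za-z0-9+/=]+$")  # base64/hex-style alphabet only


def shannon_entropy(token: str) -> float:
    """Bits of entropy per character of the token (0.0 for empty input)."""
    if not token:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in token:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_keylike(token: str) -> bool:
    """Heuristic: long, base64/hex alphabet, mixes letters and digits, high entropy.

    Paths, flags with hyphens and purely numeric identifiers are excluded by the
    alphabet and letter/digit checks; dictionary words fall below the entropy bar.
    """
    return (
        len(token) >= MIN_LEN
        and KEYLIKE.match(token) is not None
        and any(ch.isdigit() for ch in token)
        and any(ch.isalpha() for ch in token)
        and shannon_entropy(token) >= MIN_ENTROPY
    )


def triage(jsonl: str) -> List[Dict[str, object]]:
    """Return one finding per event whose command line carries a key-like token.

    Each finding keeps the complete original command line: that is the value an
    analyst must preserve, because the sample cannot be re-run or unpacked later
    without it when the payload is encrypted with a key from the command line.
    """
    findings: List[Dict[str, object]] = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cmdline = str(event.get("cmdline", ""))
        # Whitespace split is enough for this heuristic; a production parser
        # should honour Windows quoting rules.
        suspicious = [tok for tok in cmdline.split() if is_keylike(tok)]
        if suspicious:
            findings.append({
                "host": event.get("host"),
                "pid": event.get("pid"),
                "cmdline": cmdline,
                "keylike_args": suspicious,
                "entropy": [round(shannon_entropy(t), 2) for t in suspicious],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']} pid={f['pid']} key-like args {f['keylike_args']}: {f['cmdline']}")
```

Run against the constructed records, only the third launch is reported, with its full command line attached. The heuristic is deliberately conservative and will miss keys that use other alphabets or short keys; the point is less the detection rule than ensuring that command-line auditing is enabled and retained so the analyst has the argument to work with.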

The Egregor ransom note examined is vague and offers few clues about how the malware works or how the operators will decrypt files once the ransom is paid. Unfortunately, there are no payment details on the ransom note or on the Egregor website. To obtain them, the victim must navigate to the deep web link Egregor provides and get instructions from the attackers through a live chat, which analysts have not done for security reasons. While it is not clear whether any data from Egregor ransomware attacks has been leaked, security experts note that more cybercriminal gangs are using this technique to force victims to pay or as a warning to others.[1] Ransomware attacks are ever present.

Speaking at ISMG's Virtual Cybersecurity Summit in New York City last August, an attorney with the cybersecurity team at Baker Hostetler said that in at least 25 percent of the ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems but also exfiltrated data. This gives the attackers leverage to force compliance through the threat of exposing internal documents.

In August 2020, the incident response firm Coveware released a report finding that of the thousands of ransomware cases the firm investigated in the second quarter of 2020, 30 percent involved attackers threatening to release stolen data.[2]

BTW - Egregore is an occult concept representing a distinct non-physical entity that arises from a collective group of people. Historically, the concept referred to angelic beings, or watchers, and the specific rituals and practices associated with them, namely within Enochian traditions.[3]

The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to blocking attacks such as ransomware.  Red Sky Alliance offers tools and services to help stop these types of cyber-attacks.   Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company wide.
  • Join and become active in your local Infragard chapter; there is no charge for membership: infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.

Articles about the cyber threat groups mentioned in this report can be found at https://redskyalliance.org, and there is no charge for access to these reports.

Our services can help protect against attacks such as these. We provide internal monitoring in tandem with RedXray notifications on 'external' threats, including botnet activity, public data breaches, phishing, fraud, and general targeting.

For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com


[1] https://thecyberwire.com/newsletters/daily-briefing/9/193

[2] https://www.bankinfosecurity.co.uk/egregor-ransomware-adds-to-data-leak-trend-a-15110

[3] https://en.wikipedia.org/wiki/Egregore
