The operators behind the Qbot banking Trojan are now deploying a recently uncovered ransomware variant called Egregor, according to researchers at Singapore-based cybersecurity firm Group-IB. Since September 2020, the Egregor ransomware variant has targeted companies in 16 countries. The crypto-locking malware has also developed a reputation for "big-game hunting" attacks, with the operators demanding $4 million or more from victims, according to the Group-IB analysis.

Ransomware gangs know that many businesses would rather hide a ransomware attack than make it public, including to employees, for fear of the news affecting stock prices and their reputation.  To increase public awareness of the attack and pressure a victim into paying, the Egregor operation is known to repeatedly print ransom notes from all available network and local printers after an attack.
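The mass printing of ransom notes described above leaves a distinctive footprint in print-spooler logs: one workstation sending the same short document to many printers within seconds. The following is an added detection example (not code from Red Sky Alliance or Group-IB) that runs a sliding-window check over constructed records modelled loosely on Windows PrintService "document printed" events; the field layout, thresholds and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Simplified layout:
# timestamp user host printer pages document
SAMPLE_EVENTS = """\
2020-11-20T09:01:02 jsmith WS017 HP-Floor2 4 Q3_budget.xlsx
2020-11-20T09:03:15 jsmith WS017 HP-Floor2 1 RECOVER-FILES.txt
2020-11-20T09:03:16 jsmith WS017 HP-Floor3 1 RECOVER-FILES.txt
2020-11-20T09:03:16 jsmith WS017 Canon-Lobby 1 RECOVER-FILES.txt
2020-11-20T09:03:17 jsmith WS017 Brother-HR 1 RECOVER-FILES.txt
2020-11-20T09:03:18 jsmith WS017 Xerox-Finance 1 RECOVER-FILES.txt
2020-11-20T09:03:19 jsmith WS017 HP-Floor2 1 RECOVER-FILES.txt
2020-11-20T09:45:00 amiller WS022 HP-Floor3 12 contract.pdf
"""

def parse_events(text):
    """Parse the constructed records into dicts; document names may contain spaces."""
    events = []
    for line in text.splitlines():
        ts, user, host, printer, pages, doc = line.split(maxsplit=5)
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "printer": printer, "pages": int(pages), "doc": doc})
    return events

def find_print_floods(events, window_s=60, min_printers=3, min_jobs=5):
    """Flag (host, document) pairs whose one-page jobs reach at least min_jobs
    across at least min_printers distinct printers inside a sliding time window."""
    by_key = defaultdict(list)
    for e in events:
        if e["pages"] <= 1:  # ransom notes are short; skip normal multi-page jobs
            by_key[(e["host"], e["doc"])].append(e)
    alerts = []
    for (host, doc), jobs in by_key.items():
        jobs.sort(key=lambda e: e["ts"])
        start, best = 0, []
        for end in range(len(jobs)):
            while jobs[end]["ts"] - jobs[start]["ts"] > timedelta(seconds=window_s):
                start += 1  # slide the window forward until it fits
            if end - start + 1 > len(best):
                best = jobs[start:end + 1]  # keep the densest window seen
        printers = {e["printer"] for e in best}
        if len(best) >= min_jobs and len(printers) >= min_printers:
            alerts.append({"host": host, "doc": doc, "jobs": len(best),
                           "printers": sorted(printers), "first": best[0]["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for a in find_print_floods(parse_events(SAMPLE_EVENTS)):
        print(f"print flood from {a['host']}: {a['doc']} x{a['jobs']} on {a['printers']} at {a['first']}")
```

Tune the window and thresholds to the size of the print estate; a legitimate batch job to one printer will not trip the distinct-printer threshold.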

Qbot, also known as Qakbot, first surfaced in 2008. The trojan is distributed via email spam campaigns or is dropped as a second-stage payload on computers previously infected with the Emotet trojan. System administrators who find computers infected with either of these two malware strains should isolate the systems and audit their networks, as the ProLock gang could already be infecting their systems. The malware has been primarily deployed to steal banking data and credentials. Recently, its operators have adjusted its source code to allow Qbot to deploy other types of malware, security researchers stated. Previously, the operators behind Qbot distributed ransomware called ProLock.

The ProLock gang began its attacks in late 2019.  They initially operated under the name of PwndLocker but introduced a major code upgrade and changed their name to ProLock in March 2020, after security researchers identified a bug in the original PwndLocker strain and released a free decrypter.

Egregor is the latest ransomware strain that uses a "hack-and-leak" strategy, where the cybercriminal gang threatens to leak the victims' stolen data if the ransom demands are not met within a certain time.  Other groups that are known to use this strategy are the now-defunct Maze group, which first popularized the tactic, and Sodinokibi, also known as REvil.

It is unclear why the Qbot operators switched to Egregor, but researchers note one possibility could be the desire to capitalize on the effectiveness of the hack-and-leak tactics. Egregor has been linked to several high-profile incidents, including attacks against Barnes & Noble, Canon USA, Crytek, and Ubisoft. "In less than three months, Egregor operators have managed to successfully hit 69 companies around the world, with 32 targets in the US, seven victims in France and Italy each, six in Germany, and four in the UK," the Group-IB report notes.

The Group-IB report says the latest Qbot campaign typically starts with phishing emails that contain malicious Microsoft Excel documents designed to look like DocuSign-encrypted spreadsheets. If the documents are opened, the Egregor ransomware is installed on the device. The operators behind Egregor use legitimate penetration testing tools, such as Cobalt Strike, to spread laterally through the victim's network to steal and encrypt the data. The ransomware also uses Rclone, an open-source cloud hosting platform, for data exfiltration. "The decryption of the final payload is based on the command-line provided password, so it is impossible to analyze Egregor if you do not have command-line arguments provided by the attacker," according to the report. "Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption."

Although many of the tactics and techniques deployed by Egregor resemble ProLock, its source code resembles that of Maze ransomware. This is because an increasing number of Maze partners are joining Egregor, leading to an overlap between the Egregor and Maze infrastructures. "It is important to note that the fact many Maze partners started to move to Egregor will most likely result in the shift in the [tactics, techniques, and procedures], so defenders should focus on known methods associated with Maze affiliates," a senior analyst at Group-IB noted in the report.

With ransomware developers increasingly offering their malicious tools through renting or service models, criminal groups are hiring more affiliates to help distribute the malware and carry out attacks, which increases profit margins for the operators who control the larger operations.  "We have seen the creation of multiple ransomware variants and data leak sites every month, and this trend is likely to continue due to the high popularity of ransomware and ransomware-as-a-service (RaaS) variants," says security firm Digital Shadows.

Because a common tactic for many ransomware groups is to target vulnerabilities in Remote Desktop Protocol (RDP) connections on Windows devices, organizations should restrict RDP access behind a gateway to help prevent attacks. Since these groups are prolifically advertising their services and toolkits, the number of attacks is likely to surge in the coming months, says the London-based Information Security Forum.

"Organizations should have an incident response or crisis management plan for ransomware events, knowing who to contact and what to do," the Information Security Forum states. "This should be regularly rehearsed so that if ransomware hits, the organization can recover swiftly. Payment of a ransom is also a contentious discussion - in many cases, the ransom may be cheaper than replacing a suite of locked devices. Therefore, it becomes a cost decision. However, you can never trust that the attacker will unlock the devices, making it a gray area."

Red Sky Alliance has been tracking cybercriminals for years.  Throughout our research, we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cybersecurity, and proper employee training are keys to success, yet woefully not enough.  Our current tools provide a valuable look into the underground, where malware like Qbot and Egregor are bought and sold, and help support current protections with proactive underground indicators of compromise.  Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.

Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.  

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com  

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949