Egregor - A New Ransomware Gang on the Rise

Egregor is a ransomware strain from the Sekhmet malware family that has been active since mid-September 2020. The group behind it breaks into corporate networks, steals data, and then encrypts everything it can reach, using the stolen data as extra leverage for the ransom. Its most recent high-profile victim is the U.S. bookseller Barnes & Noble.

What happened?

  • In the attack on Barnes & Noble, the group claimed to have stolen unencrypted files and published screenshots of two Windows Registry hives as proof of access.
  • The company confirmed that the affected data included email addresses, shipping and billing addresses, and purchase history.

How did the attack unfold?

  • The intrusion began with unauthorized access to a Windows domain administrator account on the corporate network.
  • On October 10, access to the compromised network was handed to a second threat actor, who encrypted the network's devices and held the company to ransom.

Recent incidents

Beyond retail, the group has been hitting the gaming industry and threatening to leak stolen data.
  • The group recently targeted the game publisher Ubisoft, threatening to leak the source code of Watch Dogs: Legion, a game due for release next month.
  • It also targeted Crytek and leaked 300 MB of data relating to the development of games including Arena of Fate and Warface.

Additional insights

The ransomware uses several anti-analysis techniques, including code obfuscation and packed payloads. On top of that, the payload is itself encrypted and is only decrypted at runtime if the correct key is supplied on the process's command line. A sample detonated in a sandbox without that argument, or opened manually without the key, never reveals its real code, so analysis depends on recovering the command line the attackers actually used.
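To make the mechanism concrete, here is a toy loader written for this write-up (not Egregor's code, and not its real cipher, argument name or log format, all of which are assumptions here). It only yields a payload when the right key appears on the command line, and it shows the defender-side step this implies: pulling the key out of a logged process-creation command line so the sample can be unpacked. The payload, password and log line are constructed sample data.

```python
"""Toy model of a command-line-keyed payload loader and the telemetry step
needed to defeat it. Constructed example; the SHA-256 counter-mode cipher,
the "-p" flag and the rundll32 command line are assumptions for illustration."""
import hashlib
import shlex
from typing import Optional

# Constructed sample data (not real malware artifacts).
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"fake PE body for illustration only"
SAMPLE_PASSWORD = "demo-unlock-key"
# Hypothetical process-creation record (e.g. Sysmon Event ID 1): the loader
# DLL run via rundll32 with the key passed as "-p". The flag is an assumption.
SAMPLE_CMDLINE = (
    "rundll32.exe C:\\Users\\Public\\payload.dll,DllEntry -p demo-unlock-key --full"
)


def keystream(password: str, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for the real loader's cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(password.encode() + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_payload(plaintext: bytes, password: str) -> bytes:
    """XOR the payload with the password-derived keystream."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(password, len(plaintext))))


def decrypt_payload(blob: bytes, password: str) -> Optional[bytes]:
    """Return the payload only if the key is right, otherwise None.
    The loader checks for an executable header ("MZ"), so a wrong key
    gives it nothing to run rather than garbage."""
    candidate = encrypt_payload(blob, password)  # XOR is its own inverse
    if candidate[:2] != b"MZ":
        return None
    return candidate


def extract_password_from_cmdline(cmdline: str, flag: str = "-p") -> Optional[str]:
    """Recover the key from a logged command line: the value after `flag`."""
    args = shlex.split(cmdline, posix=False)
    for i, arg in enumerate(args[:-1]):
        if arg == flag:
            return args[i + 1]
    return None


# The on-disk artifact an analyst would actually receive.
ENCRYPTED_PAYLOAD = encrypt_payload(FAKE_PAYLOAD, SAMPLE_PASSWORD)


def sandbox_detonation_without_key() -> bool:
    """What a sandbox that runs the sample with no arguments gets: nothing."""
    return decrypt_payload(ENCRYPTED_PAYLOAD, "") is not None


def analyst_recovery() -> Optional[bytes]:
    """Unpack the sample using the key captured in process telemetry."""
    key = extract_password_from_cmdline(SAMPLE_CMDLINE)
    return None if key is None else decrypt_payload(ENCRYPTED_PAYLOAD, key)


if __name__ == "__main__":
    print("payload recovered without key:", sandbox_detonation_without_key())
    print("payload recovered from logged cmdline:", analyst_recovery() == FAKE_PAYLOAD)
```

The practical point is the second function: if endpoint telemetry records only the image name and not the full command line, the key is lost and the packed sample stays opaque. Capturing complete process command lines is what lets responders replay the loader with the attackers' own argument.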

Conclusion

The Egregor ransomware group is highly active right now and has broadened its targeting from the gaming industry to the retail sector, and it may shift sectors again. Organizations should take proactive measures now: keep tested offline backups, apply the latest patches, protect sensitive data with strong encryption, and, given that the Barnes & Noble intrusion began with a compromised domain administrator account, tightly restrict and monitor privileged accounts.