Egregor: A Ransomware on the Rise

After disrupting numerous businesses and extorting large sums, the Maze ransomware gang announced its retirement. However, there will be no gap, as other ransomware operations are ready to fill the void.

One of the prominent names on that list is Egregor, a variant of Ransom.Sekhmet. According to ZDNet, clients are thought to be turning to Egregor as a substitute soon after the Maze operators announced their retirement. It is, furthermore, reported that the Egregor source code bears similarities to Maze ransomware.

Background

  • According to an analysis from Appgate, Egregor has been active since mid-September.
  • Within a short span of its discovery, the ransomware has been linked to alleged attacks against organizations such as GEFCO, Crytek, Ubisoft, and Barnes & Noble, with the latest being Cencosud.
  • All in all, the ransomware has established its foothold in the cybercrime world by breaching at least 69 companies in 16 countries to date.
  • The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and finally demanding ransom in exchange for a decryption key.
  • Moreover, Egregor has been associated with the Ransomware-as-a-Service (RaaS) model in which customers can subscribe for access to the malware.
  • Packed with a range of anti-obfuscation techniques, the ransomware’s functionality is considered to be similar to Sekhmet.

At par with the big players

  • Like many powerful ransomware variants, Egregor uses the dual threat of naming and shaming victims and releasing stolen data to increase pressure on a victim.
  • To speed up the extortion and attract attention, the operators took an unusual step against their latest victim, Cencosud.
  • They hijacked all printers (in addition to computers) at the checkouts of numerous retail outlets and made them print out ransom notes.

Sets another benchmark in a short period

  • Adding one more feather to its cap, the ransomware is among the few to have partnered with other malware families.
  • QakBot, also known as QBot, has allegedly abandoned ProLock ransomware and adopted Egregor ransomware as its payload.

The bottom line

Egregor’s RaaS operation has been gaining momentum since the retirement of the notorious Maze ransomware gang. With nearly 70 victims on its list of targets, this ransomware has emerged as a major threat in a short period of time. Given its ability to collaborate with other threat actors and attack high-profile organizations, Egregor is expected to remain a threat for a long time.