Egregor on an Attacking Spree Around the World
Egregor ransomware has now compromised more than 150 victims since its first appearance in September 2020. The FBI recently released a security alert warning private sector firms about this ransomware.
Egregor ransomware uses several mechanisms to target business networks, such as compromising business networks and personal accounts of employees sharing access with business networks or devices.
- The most targeted sectors by this ransomware include enterprise, manufacturing, education, transport, and retail. In addition, the affected regions include South and North Americas and Western Europe.
- Email phishing is believed to be the initial method of infection used by the Egregor operators. Phishing emails laden with attachments and exposed RDP or VPNs are some of the attack vectors used by Egregor to gain access into the victim’s network.
- In addition, the ransomware uses a post-exploitation tool such as Cobalt Strike, Qakbot/Qbot malware, Advanced IP Scanner, along with AdFind, for lateral network movement and privilege escalation.
RaaS with former Maze affiliates
Egregor operates as a RaaS and has worked with former Maze affiliates that hacked networks to deploy ransomware payloads. In addition, the Egregor group shares ransom payment earnings with its operators in a 70/30 split.
- In the past month, SystemBC was used in several Ryuk and Egregor attacks, often used in combination with post-exploitation tools.
- The group has targeted several organizations, including Randstad NV, TransLink, Kmart, Spring Independent School District, and Cencosud.
In the light of rising ransomware attacks, security teams must strongly consider backing-up critical data offline more often than ever, install and regularly update anti-virus or anti-malware software on all hosts, use two-factor authentication, and configure RDP by restricting access.