Egregor Ransomware: In-Depth Analysis, Detection, and Mitigation
What Is Egregor Ransomware?
Egregor ransomware is part of the Sekhmet malware family that has been active since mid-September 2020. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and demanding a ransom to exchange encrypted documents. The Egregor ransomware has been used in several attacks against large organizations, including the French media company Le Monde and the Canadian government.
What Does Egregor Ransomware Target?
Egregor ransomware targets organizations across all industries, with focus on healthcare, education, financial services, manufacturing and retail industries. Egregor is known to heavily target school districts and higher education institutions.
What Is Ransomware as a Service?
RaaS (Ransomware as a Service) is a business model in which cybercriminals offer a ransomware attack service to other individuals or groups. In this model, the RaaS provider typically develops and maintains the ransomware software and then rents or sells access to it to other individuals or groups who use it to launch attacks. In addition, the RaaS provider typically takes a percentage of the ransom payment as their fee for the service.
RaaS is often offered on the dark web, and it has become increasingly popular in recent years. With RaaS, even those with minimal technical skills can launch a ransomware attack, making it a low-barrier-to-entry method for cybercriminals to generate revenue. It has also become more sophisticated and professionalized, with RaaS providers offering customer support and marketing services to help their clients maximize their ransom payments. Some of these services, like DataKeeper and Ranion, have been available for years. The appeal of RaaS is that it requires almost no barrier to entry for cybercriminals, as it requires zero prior coding or development knowledge.
To conclude, RaaS offers instant results and is cheap to launch. Typically, these services require an “up front” payment or a share of the profits once the victims pay.
How Does Egregor Ransomware Work?
Egregor is primarily distributed using Cobalt Strike. It targets compromised environments, which can be accessed through methods like RDP exploit and phishing. Once the Cobalt Strike beacon payload is established and made persistent, it is used to deliver and launch Egregor payloads.
Egregor Ransomware Technical Details
Egregor ransomware is an evolution of the Sekhmet family, which includes Maze and Sekhmet ransomware. It has a similar configuration format and obfuscation style to Sekhmet, as well as an extra feature: executable payloads require a key for execution, which helps with anti-analysis. Additionally, Egregor operators may download, deploy and use tools such as mimikatz, PowerTool, and netscan. Egregor has been observed leveraging AES.ONE for component delivery as well.
When a system is infected with Egregor, it begins to encrypt files on the system with AES-256 encryption. It also appends the .Egregor extension to the encrypted files. The ransomware then drops a ransom note, which contains instructions on how to pay the ransom and decrypt the files.
Egregor also has a number of other malicious capabilities, including the ability to spread to other systems on the same network, steal credentials, and exfiltrate data. It can also delete backups, disable security software, and disable services.
To protect against Egregor Ransomware, it is important to prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108). This is because Egregor ransomware is known to exploit RDP vulnerabilities to gain initial access to a victim’s network.
Another important step is to review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools. This is because Egregor ransomware is known to use these types of files in its attacks. By reviewing these files, it is possible to detect and prevent an attack before it can cause significant damage.
Lastly, configure RDP by restricting access, using multi-factor authentication or strong passwords. This can help to prevent unauthorized access to a victim’s network, which can limit the spread of Egregor ransomware if it does manage to gain access.
Full report: https://www.sentinelone.com/labs/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
How to Detect Egregor Ransomware
The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Egregor.
In case you do not have SentinelOne deployed, detecting ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.
To detect this Egregor ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:
- Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
- Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
- Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
- Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
- Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.
How to Mitigate Egregor Ransomware
- The SentinelOne Singularity XDR Platform can return systems to their original state using either the Repair or Rollback feature.
- Public Decryption Tool(s)
If you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of Ryuk ransomware attacks.
1. Educate Employees
Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
2. Implement Strong Passwords
Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
3. Enable Multi-factor Authentication
Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
4. Update and Patch Systems
Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
5. Implement Backup and Disaster Recovery
Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location.
The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.
Purpose Built to Prevent Tomorrow’s Threats. Today.
Your most sensitive data lives on the endpoint and in the cloud. Protect what matters most from cyberattacks. Fortify every edge of the network with realtime autonomous protection.
Get a DemoFrequently Asked Questions
Egregor ransomware is a malicious malware strain that encrypts data on compromised systems and extorts a payment in exchange for decryption. It employs double extortion methods, stealing confidential data before encryption and vowing to expose it if the payment is not made. Egregor has targeted entities in various sectors worldwide.
Egregor ransomware spreads via varied vectors, including phishing emails with malicious attachments, Remote Desktop Protocol (RDP) exploitation, and exploitation of compromised employee accounts. It employs tools like Cobalt Strike and Qakbot within a network to achieve privilege escalation and lateral movement.
Egregor mainly targets Windows operating systems; it exploits OS vulnerabilities to gain access and deploy its ransomware payloads.
Once it invades a system, Egregor encrypts files, appends them a random extension, and leaves a ransom note titled “RECOVER-FILES.txt” in breached directories. The note provides instructions on how to contact the attackers and demands payment of their ransom fees.
Egregor uses AES-256 encryption to lock files. It ensures that you can’t access your data without the decryption key provided by the attackers after the ransom payment is made.
Implementing best security practices can help combat Egregor ransomware attacks. You can keep systems updated and patched regularly, restrict access to RDP, maintain good password policies, and conduct regular security audits to find and remove vulnerabilities.
To protect against Egregor ransomware, you can use strong access controls. Do regular data backups, test them, and train your employees to recognize signs of phishing. Apply network segmentation and use only trusted security products like SentinelOne Singularity XDR to combat Egregor ransomware threats.
