What is Egregor Ransomware? One of the Worst Threats of 2020

The Ultimate Ransomware Defense Guide

Download this guide for tips on defending against ransomware attacks.

Download Now

Since stepping into the cybercriminal arena in cyberSeptember 2020, the Egregor group has penetrated over 71 businesses globally, including recruitment giant Randstad and US retailer Kmart.

But who is the Egregor group and how have they managed to rise up as a significant cyber threat in just a few short months?

Who is Egregor?

Egregor is a cybercriminal group specializing in a unique branch of ransomware attacks. Egregor is a term in Western Magic referring to the collective energy of a group of people united with a common purpose.

it is speculated that the ransomware operators of notorious cybercrime group Maze, formed Egregor after shutting down their operations in October 2020.

Maze's ransomware attack efforts were far-reaching, providing the newly formed Egregor group a prominent platform to springboard from.

maze ransomware prevalence
Global reach of Maze ransomware infections - source: mcafee.com

Egregor earned its destructive reputation after the group successfully breached the Barnes & Noble and video game developers Crytek and Ubisoft in October 2020.

In the Barnes & Noble cyberattack, Egregor claimed to have accessed financial and audit information. In an internal email to its customers, Barnes & Noble stated that customer financial data was not stolen. The attack also caused temporary outages to Barnes & Noble's Nook e-readers.

In the Crytek and Ubisoft cyberattacks, the ransomware gang claimed to have exfiltrated the source codes for upcoming releases including Watchdogs: Legion and Arena of Fate. Egregor published a subset of the stolen data on their website on the dark web but the legitimacy of the source code breach was inconclusive.

Egregor is one of many cyber threats that have taken advantage of the sudden mass dependency on digital infrastructures brought about by the pandemic. Some of these threats are even specifically targeting the healthcare sector, which could have devastating consequences for Covid-19 patients.

Egregor operates on a ransomware as a service model.

What is Ransomware as a Service (Raas)?

Ransomware as a Service (RaaS) is an adoption of the Software as a Service model (SaaS). model. Criminal affiliates subscribe to the ransomware software empowering even the most novel hackers to launch devastating and highly-complex ransomware attacks.

Because ransomware affiliates are paid prodigious dividends for each successful cyberattack, they are motivated to spread the malicious software, rapidly scaling the ransomware operation over a short period of time. Egregor's swift global expansion is evidence of this successful growth strategy.

What is Egregor Ransomware?

Egregor ransomware is a form of malware that's a modification of both Sekhmet ransomware and Maze ransomware.  There are code similarities across all three ransomware variants, they also all seem to target the same victim demographic.

egregor global prevalence
Egregor ransomware victim demographic and targeted industries - Source: bleepingcomputer.com

Egregor ransomware attacks are characterized by their brutal, yet highly effective double-extortion tactics. The cybercrime group breaches sensitive data, encrypting it so that it cannot be accessed by the victim. They then publish a subset of the compromised data on the dark web as proof of the successful exfiltration.

The victim is then instructed in a ransom note to pay a set price within 3 days to prevent further personal data from being published on the criminal infested network. If the ransom price is paid before the ultimatum, full decryption of the seized data takes place.

egregor ransom note
Egregor ransom note - source: bleepingcomputer.com

How Does Egregor Ransomware Work?

Egregor ransomware, like all ransomware, is injected into a victim via a loader. This loader and the subsequently installed ransomware undergoes extensive code obfuscation to mitigate static analysis and the possibility of decryption. The Egregor payload can only be analyzed by entering the same command line used to run the payload.

After a successful breach, the Egregor ransomware manipulates the victim's firewall settings to enable Remote Desktop Protocol (RDP). The software meticulously moves throughout the victim's network, clandestinely identifying and disabling all anti-virus software.

With all defenses disarmed, the Egregor ransomware encrypts all of the breached data and inserts a ransom note titled "RECOVER-FILES.txt" into all compromised folders.

Victims are instructed to download a dark web browser to communicate with the threat actors via a dedicated landing page on the dark web.

egregor landing page dark web
Egregor victim communication landing page on the dark web

Egregor Ransomware Threat Mitigation

Because Egregor ransomware is a novel threat, cybersecurity experts are still in the process of understanding exactly how the threat operates. The following mitigation suggestions have been garnished from the analysis of security teams to date.

  • Monitor for Qakbot, Ursnif, and IceID malware infections

    Commodity malware such as Qakbot, Ursnif, and IceID have been observed to inject Egregor ransomware as a secondary payload.  If you identify these threats internally, or within your vendor network, immediate remediation is critical.
  • Educate all staff on the signs of phishing attacks.

    Phishing attacks are a common attack vector for injecting ransomware. They could create a gateway for Egregor ransomware, or any of its sister payloads - QakBot, Uesnif, and IceID malware.

    You should ensure your staff is aware of all the signs of a phishing attack and a clickjacking attack.

  • Set all anti-virus profiles to block all decoders, besides POP3 and IMAP.
  • Disable all remote access capabilities
  • Continuously monitor your security posture to strengthen all vulnerabilities.
  • Append an anti-virus profile to all security policies
  • Implement zone protection policies for all zones
  • Implement information security policies to all traffic from untrusted sources.
  • All security policies permitting traffic that contain "Service setting of ANY" should be removed

Is your business at risk of an Egregor ransomware attack?

Egregor is still just a new player in the cybercrime arena. Their initial attacks are already devastating and with such a sophisticated group of threat actors running the dark operation, the worst is still yet to come.

At UpGuard we can help you strengthen your security posture to effectively defend against ransomware attacks. Our patented cybersecurity technology also continuously monitors for vulnerabilities in your entire vendor network to prevent cyberattacks from compromised third parties.

Continue Learning about Cyber Threats

Ready to see
UpGuard in action?

Ready to save time and streamline your trust management process?