Egregor

1. Introduction

This module provides an overview of Egregor ransomware, including how it spreads and the typical attacker TTPs of the groups behind the ransomware.

2. What is Egregor?

Egregor ransomware was first discovered in September 2020, and a string of high-profile attacks followed in the months after it appeared. The malware is considered part of the Sekhmet ransomware family: several code similarities have been found between the two variants, along with nearly identical ransom notes and encryption methods.

Egregor ransomware is thought to be the direct descendant of Maze ransomware, given the timeline of Maze being retired and Egregor appearing. The two also share infrastructure and methodologies. It is likely that the consumer groups that once used Maze ransomware switched over to Egregor.

Egregor is maintained by a cybercriminal group and is used by many consumer groups, known as affiliates. Like several other ransomware variants, Egregor follows the Ransomware-as-a-Service (RaaS) business model. RaaS subscription tools such as Egregor are usually purchased by malicious actors who lack the expertise to code and architect ransomware themselves, and who therefore spend their time identifying networks they can exploit and spread the infection through for monetary gain (the ransom).

RaaS works on a subscription-based model and allows affiliate groups to purchase already created Egregor ransom tools to perform ransomware campaigns on their chosen organizations. The affiliate group then receives a percentage of the ransom that is ultimately paid by the victim organization.

Egregor ransomware employs a double-extortion tactic. First, stolen data is exfiltrated and published on the group's extortion website to pressure the victim organization into paying. Egregor affiliates are said to use a dedicated leak site called Egregor News to publish their victims' names and data; if the victim does not pay the demanded ransom within three days, the threat actor leaks more data onto the site until the victim pays. Second, after the data has been exfiltrated, the victim's files are encrypted so the threat actor can demand a larger ransom payment from the organization.

Egregor ransomware has been used in several high-profile attacks recently, including:

  • Barnes & Noble, a bookseller with the largest number of retail stores in the US, had to shut down their corporate network after a confirmed cybersecurity incident in October 2020 that caused a service outage and suspected data leak.

  • Metro Vancouver's transit agency TransLink confirmed that it had issues with payment services, phones, and online services after falling victim to Egregor ransomware in December 2020. This variant of ransomware has an identifiable trait: it runs a script on victim machines to print-bomb the ransom note to any printers available to that host. Ransom notes were reportedly rolling off the printers at TransLink as the cyberattack was taking place.

Egregor appears to have been taken down by law enforcement after arrests were reportedly made by French and Ukrainian authorities in July 2021, despite having been active only since September 2020.

3. Typical Attack Vectors

An attack vector is a method that a threat actor could take to gain unauthorized access to an organization's network and spread an infection through the delivery of a malicious payload. Egregor can use many different techniques to infiltrate a network due to a wide range of affiliate groups taking advantage of the RaaS business model that the ransomware is built and serviced around.

The most popular attack vector used for gaining access to an environment with Egregor is phishing (T1566), that is, specially crafted emails that appear to be legitimate to the recipient but actually contain malicious attachments or a direct link to a legitimate website that has been compromised (and therefore has the potential to deliver ransomware to the victim receiving the email).

In many previous Egregor attacks, the confirmed patient zero was infected through a phishing email carrying a Microsoft Word document with a malicious macro. When the victim opens the document, the macro downloads malware from an attacker-controlled domain and establishes a connection from the victim machine back to the attacker's infrastructure. Once the malware has been dropped, the rest of the attack chain is kick-started.

The initial attack vector could also include exploiting public-facing systems that have RDP open or corporate VPNs. After this exploitation, threat actors have been known to leverage RDP capabilities to move laterally inside victim networks.

4. Attacker TTPs

Because Egregor uses a RaaS business model, a large number of affiliate groups are involved in deploying the ransomware. For this reason, the tactics, techniques, and procedures (TTPs) seen in Egregor deployments vary greatly, which in turn complicates the design of defenses and mitigations.

To infiltrate a victim's network, maintain persistence, and exfiltrate sensitive data, Egregor affiliates have been known to use the following techniques:

  • Whenever a victim's machine becomes infected with Egregor malware, the attacker establishes a connection between the compromised machine and a Command and Control (C2) server for purposes such as issuing instructions, downloading additional malware, and channeling exfiltrated data to the affiliate group. Egregor affiliates have been seen using Cobalt Strike as the Command and Control platform and to facilitate beaconing from the infected machine to the attacker's C2 server. Cobalt Strike performs time-based evasion, which involves enumerating computer properties such as the system clock to avoid detection of the tool.

  • If the victim has Active Directory (AD), Egregor can perform reconnaissance on it using a tool called AdFind. This is a command-line query tool that identifies the domain the victim is joined to and attempts to enumerate domain groups.

  • As previously mentioned, a major delivery vector for Egregor ransomware is phishing email. Egregor affiliates have been seen using Qakbot as the delivery agent for the ransomware through phishing emails; it then escalates privileges and can move laterally across the network.

Qakbot can also be used to carry out the following actions in a victim network:

  • Establish a foothold by:

    • Checking for installed software.

    • Identifying running processes and comparing them to a predefined denylist.

  • Inject into authorized and legitimate processes to avoid being detected.

  • Establish persistence by:

    • Making use of the Run key in the registry.

    • Moving laterally through the network.

    • Identifying network shares to gather data and identify systems that enhance and facilitate lateral movement.

5. Encryption Method

When the ransomware is dropped, the Egregor files are obfuscated until a specific command-line parameter is provided in order for the payload to properly execute and perform its malicious routines. This is a technique used by the attackers to avoid potential detection via sandbox analysis as well as to prevent security researchers from studying the malware. It uses the encryption cipher Salsa20 to encrypt and decrypt the files as required.

Egregor uses ChaCha20 and 2048-bit RSA for the encryption of victims' files. If the group is targeting many machines at once, the files on all of the machines will be encrypted simultaneously as the ransomware is dropped and executed.

During execution, Egregor ransomware reads each file that is not on its allowlist, encrypts the file contents with ChaCha20, and writes the result back to the original file to prevent file recovery. Each encrypted file is then renamed with an appended extension of 4 to 5 characters. Egregor stores the file path and file name of each encrypted file in a table and encrypts that table using a 2048-bit RSA encryption key.

RSA is a public-key encryption method, meaning it uses different keys (public and private) for encryption and decryption. The private decryption key cannot be derived from the public encryption key, so the encryption key can be disclosed to the victim while the decryption key remains private, held only by the attacker.

After execution, Egregor drops a ransom note on the infected machine named RECOVER-FILES.txt. The note instructs the victim to download the Tor browser to navigate to a live chat on their dedicated leak site. Here, the victim can discuss the ransom payment and any other required actions with the threat actor(s). Egregor affiliates are known to only give the victim 72 hours to pay the requested ransom before starting to leak their data on their site, Egregor News.

In addition to the dropped ransom note, Egregor has also been known to continuously print ransom notes to any printers connected and available to the infected machine. This spreads the word of the cyberattack, thus increasing the probability that the targeted organization pays the ransom, since it cannot hide the fact that it has fallen victim to Egregor. The printed ransom note is a direct copy of the note dropped onto the victim machine and contains the same information and details.
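As an added defender-side example that is not part of the original module, the following Python heuristic scans constructed file-system telemetry for two of the traits described in this section: a burst of renames that append a 4-5 character extension, and creation of the RECOVER-FILES.txt note. The host names, paths, timestamps and the log format are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint file telemetry; hosts, paths and times are made up.
SAMPLE_EVENTS = """\
2020-12-01T09:00:01 hostA RENAME /shares/finance/q4.xlsx -> /shares/finance/q4.xlsx.KqmVa
2020-12-01T09:00:02 hostA RENAME /shares/finance/q3.xlsx -> /shares/finance/q3.xlsx.Pz9tr
2020-12-01T09:00:03 hostA RENAME /shares/finance/budget.docx -> /shares/finance/budget.docx.nm4Q
2020-12-01T09:00:05 hostA RENAME /shares/hr/payroll.csv -> /shares/hr/payroll.csv.Xb7wL
2020-12-01T09:00:06 hostA RENAME /shares/hr/staff.pdf -> /shares/hr/staff.pdf.R2vnk
2020-12-01T09:00:09 hostA CREATE /shares/hr/RECOVER-FILES.txt
2020-12-01T09:15:00 hostB RENAME /home/b/report.tmp -> /home/b/report.docx
2020-12-01T09:16:00 hostB CREATE /home/b/notes.txt
2020-12-01T09:20:00 hostB RENAME /home/b/photo.jpeg -> /home/b/photo.jpg
"""

RANSOM_NOTE = "RECOVER-FILES.txt"
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{4,5}$")  # Egregor appends a 4-5 character extension
KNOWN_EXT = {"docx", "xlsx", "pptx", "jpeg", "json", "html", "yaml", "toml", "xlsm"}
LINE = re.compile(r"^(\S+) (\S+) (RENAME|CREATE) (.+?)(?: -> (.+))?$")

def parse_events(text):
    """Parse 'timestamp host OP src [-> dst]' lines into (ts, host, op, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, op, src, dst = m.groups()
            events.append((datetime.fromisoformat(ts), host, op, src, dst))
    return events

def looks_like_egregor_rename(src, dst):
    """True when dst is src plus an appended 4-5 character extension not in KNOWN_EXT."""
    if not dst or not dst.startswith(src + "."):
        return False
    ext = dst[len(src) + 1:]
    return bool(RANDOM_EXT.match(ext)) and ext.lower() not in KNOWN_EXT

def detect(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: [reasons]} for hosts showing Egregor-like encryption activity."""
    renames, findings = defaultdict(list), defaultdict(list)
    for ts, host, op, src, dst in sorted(events, key=lambda e: e[0]):
        if op == "CREATE" and src.rsplit("/", 1)[-1].upper() == RANSOM_NOTE.upper():
            findings[host].append(f"ransom note dropped: {src}")
        elif op == "RENAME" and looks_like_egregor_rename(src, dst):
            renames[host].append(ts)
            recent = [t for t in renames[host] if ts - t <= window]
            if len(recent) == threshold:  # fire when the in-window count reaches the threshold
                findings[host].append(f"{threshold} random-extension renames within {window.seconds}s")
    return dict(findings)
```

Running `detect(parse_events(SAMPLE_EVENTS))` flags only hostA, with both the rename burst and the dropped note; the threshold and window should be tuned against a baseline of normal rename activity before the rule is deployed.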

6. Security Questions

  1. Which trait could help identify that Egregor was responsible for a ransomware attack?

  2. When was Egregor ransomware first detected?

  3. What is the name of the ransomware variant that Egregor is said to be the descendant of?

  4. What ransomware family does Egregor belong to?

  5. Which Command and Control platform is regularly used during an Egregor ransomware attack?

  6. What tool is used to perform reconnaissance on the victim's Active Directory?

  7. Which popular delivery agent has been seen to be involved in Egregor ransomware?

  8. What is the name of the ransom note file?

  9. What is Egregor's dedicated leak site called?

  10. After the files have been encrypted, the victim can identify the decryption key using only the encryption key. True or false?

  11. Which encryption method is used to encrypt files once Egregor ransomware is executed?

Answers

  1. Hard copies of the ransom note being printed by any available printers

  2. September 2020

  3. Maze

  4. Sekhmet

  5. Cobalt Strike

  6. AdFind

  7. Qakbot

  8. Recover-Files

  9. Egregor News

  10. False

  11. ChaCha20
