The FBI warns that the Egregor ransomware, offered under a Ransomware-as-a-Service (RaaS) business model, poses a significant threat to businesses because of its use of double extortion. Egregor has claimed more than 150 victims to date, around the world. Following network compromise, Egregor's operators don't just encrypt victims' files; they also exfiltrate data and threaten to publish it online unless a ransom is paid. Egregor is deployed by multiple affiliates, so the tactics, techniques, and procedures (TTPs) used in attacks vary, which makes defending against them challenging.
The cybercriminals have been observed targeting business networks as well as employees' personal accounts. Phishing emails carrying malicious attachments may be used, but Egregor affiliates also exploit exposed Remote Desktop Protocol (RDP) services or Virtual Private Networks (VPNs) for initial access, and the same RDP abuse is used to move laterally inside compromised networks. Following initial access, penetration-testing and exploitation tools are employed for privilege escalation and lateral movement; those named include Advanced IP Scanner, AdFind, Cobalt Strike, and Qakbot/Qbot. Utilities such as Rclone and 7-Zip are abused for data exfiltration.
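The tooling listed above is ordinary software, so it is easier to spot in process-creation telemetry than the ransomware payload itself. The following is an added example (not code from the FBI advisory or from SecurityWeek) of hunting rules over a process-creation log for the commodity tools named in the advisory: AdFind, Advanced IP Scanner, 7-Zip used to build password-protected archives, and Rclone uploads to a configured remote, plus a correlation that pairs an archive with a later Rclone upload on the same host. The field names follow Sysmon Event ID 1 conventions (UtcTime, User, Image, CommandLine), which is an assumption; the "host" field and every log record are constructed sample data. Cobalt Strike and Qakbot are not covered here because neither is reliably identifiable from a process name alone.

```python
"""Hunt a Windows process-creation log for commodity tooling attributed to
Egregor operators (AdFind, Advanced IP Scanner, 7-Zip, Rclone).
Added example; not code from the FBI advisory or SecurityWeek. Field names
follow Sysmon Event ID 1 (assumption); all records below are constructed."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed records, not from a real incident
    {"host": "WS01", "UtcTime": "2021-01-07 09:12:01", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "WS01", "UtcTime": "2021-01-07 09:30:44", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\AdFind.exe",
     "CommandLine": 'AdFind.exe -f "(objectcategory=computer)" name operatingSystem'},
    {"host": "WS01", "UtcTime": "2021-01-07 09:35:10", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\Downloads\advanced_ip_scanner.exe",
     "CommandLine": "advanced_ip_scanner.exe"},
    {"host": "FS02", "UtcTime": "2021-01-07 22:01:09", "User": "CORP\\svc_backup",
     "Image": r"C:\ProgramData\7z.exe",
     "CommandLine": r"7z.exe a -pS3cret! -mhe=on D:\share.7z \\FS02\Finance"},
    {"host": "FS02", "UtcTime": "2021-01-07 22:14:37", "User": "CORP\\svc_backup",
     "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\share.7z mega:dump --transfers 8"},
    {"host": "FS02", "UtcTime": "2021-01-08 08:00:00", "User": "CORP\\bob",
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe x C:\Users\bob\Downloads\report.7z"},
]

SEVERITY = {
    "adfind_ad_recon": "medium",
    "advanced_ip_scanner": "medium",
    "7zip_password_archive": "medium",
    "rclone_to_remote": "high",
    "archive_then_rclone": "high",
}

def _exe(event):
    """Lower-cased image file name without its directory."""
    return event["Image"].rsplit("\\", 1)[-1].lower()

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def classify(event):
    """Return the names of the rules one process-creation event matches."""
    exe, cl = _exe(event), event["CommandLine"].lower()
    hits = []
    # AdFind: AD enumeration binary; ordinary users have no reason to run it.
    if exe == "adfind.exe" or re.search(r"\badfind\b", cl):
        hits.append("adfind_ad_recon")
    # Advanced IP Scanner: allowlist admin jump hosts to keep this rule quiet.
    if "advanced_ip_scanner" in exe:
        hits.append("advanced_ip_scanner")
    # 7-Zip "a" (add) together with a -p password switch: data staged for theft.
    if exe in ("7z.exe", "7za.exe", "7zr.exe") and re.search(r"\s+a\s", cl) \
            and re.search(r"\s-p\S+", cl):
        hits.append("7zip_password_archive")
    # rclone copy/sync/move to a configured remote ("name:path");
    # a single letter before the colon is a local drive, not a remote.
    if exe == "rclone.exe" and re.search(r"\b(copy|copyto|sync|move|moveto)\b", cl) \
            and re.search(r"\s[a-z0-9_-]{2,}:", cl):
        hits.append("rclone_to_remote")
    return hits

def hunt(events):
    """Per-event findings as (host, UtcTime, user, rule, severity), time-ordered."""
    findings = []
    for e in sorted(events, key=_ts):
        for rule in classify(e):
            findings.append((e["host"], e["UtcTime"], e["User"], rule, SEVERITY[rule]))
    return findings

def exfil_chains(events, window_minutes=60):
    """Pair a password-protected archive with a later rclone upload on the same
    host; the pair is far stronger evidence of exfiltration than either alone."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    chains = []
    for host, evs in by_host.items():
        archives = [e for e in evs if "7zip_password_archive" in classify(e)]
        uploads = [e for e in evs if "rclone_to_remote" in classify(e)]
        for a in archives:
            for u in uploads:
                gap = _ts(u) - _ts(a)
                if timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                    chains.append((host, a["UtcTime"], u["UtcTime"],
                                   "archive_then_rclone", SEVERITY["archive_then_rclone"]))
    return chains

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG) + exfil_chains(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Run against real telemetry, the per-event rules will fire on legitimate administrators too; the correlation in `exfil_chains` (archive with a password, then an Rclone upload to a remote, on one host within an hour) is the signal worth paging on, and the window should be tuned to how long archiving a file share actually takes in your environment.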
What to do?
- Ensure backups are performed religiously on a routine basis.
- Store backups off-site in a secure location or in the cloud.
- Ensure all security tools are up to date and actively employed.
- Enable two-factor authentication.
- Prioritize software patch installation.
- Promptly review suspicious files and activity.
What can you do when this happens to you?
- The FBI recommends ransomware victims should not pay the ransom, as this encourages adversaries to target additional organizations and may attract more wannabe criminals to ransomware distribution.
- Ransomware victims are encouraged to report the incidents, so that the FBI can gather data to prevent further attacks.
- If you are contacted by a ransomware criminal, immediately shut down the network and identify the breach.
- Notify your local law enforcement cyber crimes division and the FBI.
- Identify any data corruption and/or exfiltration.
- Identify the malware and attempt to find a decryption key for it.
- If the network cannot be restored using the key, use a known clean backup to resume operations.
Ionut Arghire, Security Week, January 08, 2021