The US Federal Bureau of Investigation (FBI) has sent a security alert advising private sector companies that the Egregor ransomware operation is actively targeting and extorting companies worldwide.
The FBI says in a TLP:WHITE Private Industry Notification (PIN) shared on Wednesday that Egregor claims to have breached and compromised more than 150 victims since the agency first observed this malicious activity in September 2020.
“Because of the large number of actors involved in the implementation of Egregor, the tactics, techniques and procedures (TTPs) used in its implementation can vary widely, creating significant challenges for defense and mitigation,” the agency says.
“The Egregor ransomware uses several mechanisms to compromise business networks, including targeting the business network and personal accounts of employees who share access with corporate networks or devices.”
Phishing emails with malicious attachments and insecure remote desktop protocol (RDP) or virtual private network (VPN) access are some of the attack vectors Egregor actors use to gain a foothold and move laterally across their victims’ networks.
Egregor uses Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind for privilege escalation and lateral movement.
Affiliates also use 7zip and Rclone, sometimes disguised as a Service Host (svchost) process, to exfiltrate data before deploying ransomware payloads to victims’ networks.
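The svchost disguise described above is a detection opportunity: genuine svchost.exe lives in System32 or SysWOW64, carries svchost.exe as its PE OriginalFileName, and is spawned by services.exe. The following added example (not from the FBI notification) applies those three checks to constructed Sysmon-style process-creation records; the record field names and the sample events are assumptions for illustration.

```python
"""Flag processes that claim to be svchost.exe but do not look like the real one.

Heuristics (each one is a finding, not proof of compromise):
  1. an image named svchost.exe outside System32/SysWOW64,
  2. a PE OriginalFileName that does not match svchost.exe,
  3. a parent process other than services.exe.
"""
from pathlib import PureWindowsPath

LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_PARENT = "services.exe"


def svchost_findings(event: dict) -> list[str]:
    """Return the masquerading indicators for one event (empty list if clean)."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() != "svchost.exe":
        return []  # only svchost look-alikes are in scope here
    findings = []
    if str(image.parent).lower() not in LEGIT_DIRS:
        findings.append(f"unexpected path {image.parent}")
    original = event.get("OriginalFileName", "").lower()
    if original and original != "svchost.exe":
        findings.append(f"original filename {original}")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent != LEGIT_PARENT:
        findings.append(f"parent {parent or 'unknown'}")
    return findings


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map ProcessId -> findings for every event that triggered at least one rule."""
    return {e["ProcessId"]: f for e in events if (f := svchost_findings(e))}


# Constructed sample records, not real telemetry: one genuine svchost,
# one archiver/sync tool renamed to svchost.exe in a user-writable path,
# and one renamed binary dropped into System32 itself.
SAMPLE_EVENTS = [
    {"ProcessId": "812", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": "4471", "Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": "5102", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "7z.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

The path and parent checks alone miss a renamed binary copied into System32, which is why the OriginalFileName comparison is the most valuable of the three.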
The FBI also shared a list of recommended mitigation measures that should help defend against Egregor’s attacks:
- Back up critical data offline.
- Make sure that copies of critical data are in the cloud or on an external hard drive or storage device.
- Protect your backups and make sure the data cannot be modified or deleted from the system where it resides.
- Install and regularly update antivirus or antimalware software on all hosts.
- Use only secure networks and avoid using public Wi-Fi networks.
- Use two-factor authentication and don’t click on unsolicited attachments or links in emails.
- Prioritize the remediation of publicly accessible remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
- Review suspicious .bat and .dll files, files containing reconnaissance data (such as .log files), and exfiltration tools.
- Configure RDP securely, restricting access, using multi-factor authentication or strong passwords.
RaaS operation with former Maze affiliates as partners
Egregor is a Ransomware-as-a-Service (RaaS) operation that partners with affiliates who break into networks to deploy the ransomware payloads, splitting ransom payments with the Egregor operators on a 70/30 basis.
After infiltrating victims’ networks, the affiliates also steal files before encrypting devices and use them as leverage, threatening to publicly leak the stolen data if the ransom is not paid.
Egregor started operating after Maze wound down its operation, with many of Maze’s affiliates immediately switching to Egregor’s RaaS, as threat actors told BleepingComputer.
Since September, Egregor affiliates have breached and encrypted the systems of several high-profile organizations, including, but not limited to, Ubisoft, Kmart, Randstad, Barnes and Noble, Cencosud, Crytek and Metro Vancouver’s transportation agency TransLink.
Don’t pay ransoms, report ransomware attacks
Victims are also advised not to pay ransoms, as payment does not guarantee the successful restoration of encrypted data, and it funds the attackers’ future operations and encourages them to continue their attacks.
The agency asks victims to report any ransomware incidents they are involved in, to help investigators track down the threat actors behind them and prevent future attacks.
The FBI has for some time asked companies and individuals affected by ransomware to report infections so that it can better understand the threat and build the legal grounds for prosecuting ransomware gangs and their operators.
The OFAC (Treasury Department’s Office of Foreign Assets Control) said last year that organizations that help ransomware victims make ransom payments also face the risk of sanctions as their actions may violate OFAC regulations.
Victims were urged to contact OFAC immediately if they believe a ransomware payment demand may involve a sanctions nexus, so as to avoid incurring sanctions risk themselves.