Egregor Ransomware: In-Depth Analysis, Detection, and Mitigation
What Is Egregor Ransomware?
Egregor ransomware is part of the Sekhmet malware family that has been active since mid-September 2020. The ransomware operates by hacking into organizations, stealing sensitive user documents, encrypting data, and demanding a ransom to exchange encrypted documents. The Egregor ransomware has been used in several attacks against large organizations, including the French media company Le Monde and the Canadian government.
What Does Egregor Ransomware Target?
Egregor ransomware targets organizations across all industries, with focus on healthcare, education, financial services, manufacturing and retail industries. Egregor is known to heavily target school districts and higher education institutions.
What Is Ransomware as a Service?
RaaS (Ransomware as a Service) is a business model in which cybercriminals offer a ransomware attack service to other individuals or groups. In this model, the RaaS provider typically develops and maintains the ransomware software and then rents or sells access to it to other individuals or groups who use it to launch attacks. In addition, the RaaS provider typically takes a percentage of the ransom payment as their fee for the service.
RaaS is often offered on the dark web, and it has become increasingly popular in recent years. With RaaS, even those with minimal technical skills can launch a ransomware attack, making it a low-barrier-to-entry method for cybercriminals to generate revenue. It has also become more sophisticated and professionalized, with RaaS providers offering customer support and marketing services to help their clients maximize their ransom payments. Some of these services, like DataKeeper and Ranion, have been available for years. The appeal of RaaS is that it requires almost no barrier to entry for cybercriminals, as it requires zero prior coding or development knowledge.
To conclude, RaaS offers instant results and is cheap to launch. Typically, these services require an “up front” payment or a share of the profits once the victims pay.
How Does Egregor Ransomware Work?
Egregor is primarily distributed using Cobalt Strike. It targets compromised environments, which can be accessed through methods like RDP exploit and phishing. Once the Cobalt Strike beacon payload is established and made persistent, it is used to deliver and launch Egregor payloads.
Egregor Ransomware Technical Details
Egregor ransomware is an evolution of the Sekhmet family, which includes Maze and Sekhmet ransomware. It has a similar configuration format and obfuscation style to Sekhmet, as well as an extra feature: executable payloads require a key for execution, which helps with anti-analysis. Additionally, Egregor operators may download, deploy and use tools such as mimikatz, PowerTool, and netscan. Egregor has been observed leveraging AES.ONE for component delivery as well.
When a system is infected with Egregor, it begins to encrypt files on the system with AES-256 encryption. It also appends the .Egregor extension to the encrypted files. The ransomware then drops a ransom note, which contains instructions on how to pay the ransom and decrypt the files.
Egregor also has a number of other malicious capabilities, including the ability to spread to other systems on the same network, steal credentials, and exfiltrate data. It can also delete backups, disable security software, and disable services.
To protect against Egregor Ransomware, it is important to prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108). This is because Egregor ransomware is known to exploit RDP vulnerabilities to gain initial access to a victim’s network.
Another important step is to review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools. This is because Egregor ransomware is known to use these types of files in its attacks. By reviewing these files, it is possible to detect and prevent an attack before it can cause significant damage.
Lastly, configure RDP by restricting access, using multi-factor authentication or strong passwords. This can help to prevent unauthorized access to a victim’s network, which can limit the spread of Egregor ransomware if it does manage to gain access.
Full report: https://www.sentinelone.com/labs/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
How to Detect Egregor Ransomware
The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Egregor.
In case you do not have SentinelOne deployed, detecting ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.
To detect this Egregor ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:
- Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
- Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
- Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
- Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
- Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.
How to Mitigate Egregor Ransomware
- The SentinelOne Singularity XDR Platform can return systems to their original state using either the Repair or Rollback feature.
- Public Decryption Tool(s)
If you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of Ryuk ransomware attacks.
1. Educate Employees
Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
2. Implement Strong Passwords
Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
3. Enable Multi-factor Authentication
Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
4. Update and Patch Systems
Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
5. Implement Backup and Disaster Recovery
Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location.
The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.