The Federal Bureau of Investigation (FBI) has issued a warning to private sector companies about ongoing Egregor ransomware attacks. Since September 2020, when the ransomware variant was first identified, it has been used in attacks on at least 150 companies worldwide.
Egregor is a ransomware-as-a-service operation whose many affiliates distribute the ransomware. Many of those affiliates moved to Egregor when the Maze ransomware operation was shut down in late 2020. Affiliates receive a 70% cut of any ransom payments they generate, with 30% retained by the Egregor gang. The operation supports data exfiltration prior to file encryption, which is used as an extra incentive to get victims to pay up.
The tactics, techniques, and procedures (TTPs) used to deploy the ransomware are varied, with different affiliates favoring different methods of distribution. Vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs) are exploited to gain access to networks and the use of phishing emails with malicious attachments is also common.
Once access to a network is gained, a variety of tools are used for privilege escalation and lateral movement, including Cobalt Strike, Qakbot, Advanced IP Scanner, and AdFind. Data exfiltration methods differ, but 7zip and Rclone are commonly used, often disguised as Service Host (svchost) processes. Once data has been exfiltrated from systems, the ransomware encryption process is launched.
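As an added illustration of the svchost masquerading described above (example code written for this page, not part of the FBI notice), the following Python triages constructed process-creation records; the path, parent-process and command-line heuristics are assumptions about what a genuine Service Host looks like, not indicators taken from the notice.

```python
"""Flag svchost.exe processes that do not look like the real Service Host.
Assumptions (not from the FBI notice): genuine svchost.exe lives in the Windows
System32 or SysWOW64 directory, is spawned by services.exe and is launched with
"-k <group>"; a renamed archiver or sync client keeps its own command syntax."""
import re
from typing import Dict, List

LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LEGIT_PARENT = "services.exe"
# Argument shapes typical of archivers and sync clients, never of Service Host.
TOOL_ARGS = re.compile(r"(?i)(?:^|\s)(?:copy|sync|move|a|x)(?:\s|$)|--config|--transfers|-mx\d")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def svchost_findings(event: Dict[str, str]) -> List[str]:
    """Reasons a process-creation event looks like masquerading (empty = clean)."""
    image = event["Image"]
    if basename(image) != "svchost.exe":
        return []                              # only svchost look-alikes are in scope
    findings = []
    if not image.lower().startswith(LEGIT_DIRS):
        findings.append(f"unexpected path {image}")
    if basename(event.get("ParentImage", "")) != LEGIT_PARENT:
        findings.append(f"unexpected parent {event.get('ParentImage', '?')}")
    cmd = event.get("CommandLine", "")
    if " -k " not in f" {cmd} ":
        findings.append("missing -k service-group argument")
    if TOOL_ARGS.search(cmd):
        findings.append("archiver/sync-client style arguments")
    return findings

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map ProcessId to findings for every event that raised at least one."""
    return {e["ProcessId"]: f for e in events if (f := svchost_findings(e))}

SAMPLE_EVENTS = [  # constructed records with Sysmon-style field names, not real telemetry
    {"ProcessId": "1", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},
    {"ProcessId": "2", "Image": "C:\\Users\\Public\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "svchost.exe copy C:\\Finance remote:bk --config C:\\Users\\Public\\r.conf --transfers 8"},
    {"ProcessId": "3", "Image": "C:\\ProgramData\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "svchost.exe a -mx1 hr.7z C:\\HR"},
]
if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

The legitimate record (PID 1) produces no findings, while the two renamed tools are flagged on every heuristic; in practice the rules would be tuned against a baseline of the environment's real svchost invocations.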
Egregor ransomware has been used in attacks on a wide range of companies in many different industry sectors, including several large enterprises. Notable victims include Randstad, one of the largest head-hunting agencies in the world, the game developer Ubisoft, Kmart, Barnes and Noble, and TransLink, the transportation agency in metropolitan Vancouver.
The FBI does not recommend paying the ransom demand if infected as there is no guarantee that encrypted data will be restored. While the attackers claim they will permanently delete stolen data if the ransom is paid, there is similarly no guarantee that will happen. Payment of the ransom only encourages further attacks.
The FBI has provided several recommendations to prevent Egregor ransomware attacks and ensure recovery is possible without paying the ransom. To ensure data recovery is possible, regularly back up critical data and store backups in the cloud or on an external hard drive that has been disconnected from the network. Backups should not be accessible from the system where the data resides.
Anti-phishing, anti-virus, and anti-malware software should be used and patches should be applied promptly, especially on public-facing remote access products and applications. RDP should be securely configured, with access restricted and multi-factor authentication (MFA) implemented. If MFA is not possible, strong passwords should be used.
Two-factor authentication should be set up on all email accounts, and training should be provided to employees to help them identify phishing emails and condition them not to open attachments or click links in unsolicited emails.