A freshly discovered family of ransomware called Egregor has been spotted in the wild, using a tactic of siphoning off corporate information and threatening a “mass-media” release of it before encrypting all files.
Egregor is an occult term meant to signify the collective energy or force of a group of individuals, especially when the individuals are united toward a common purpose — apropos for a ransomware gang. According to an analysis from Appgate, the code seems to be a spinoff of the Sekhmet ransomware (itself named for the Egyptian goddess of healing), a link that was also noted by other researchers.
“We found similarities in both Sekhmet and Egregor ransomware, such as obfuscation techniques, functions, API calls and strings, such as %Greetings2target% and %sekhmet_data% changing to %egregor_data%,” Gustavo Palazolo, security researcher at Appgate, told Threatpost. “Furthermore, the ransom note is also fairly similar.”
As far as other technical details, “The sample we analyzed has many anti-analysis techniques in place, such as code obfuscation and packed payloads,” according to the firm’s research, announced Friday. “Also, in one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided.”
Further, “we have found that Egregor can receive additional parameters via command line, such as ‘nomimikatz,’ ‘killrdp,’ ‘norename,’ among others,” Palazolo said. “At the moment, our team is still reverse-engineering the malware to get the whole picture. Furthermore, we will continue to monitor any possible variant emerging from this family.”
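As an added illustration, not part of the Appgate research or this article, the Python helper below triages process-creation telemetry for command lines carrying the switches named above and preserves the full command line for replay, since the payload can only be decrypted with the exact arguments the attacker used. The event fields, host names and paths are constructed.

```python
import re
import shlex

# Command-line switches the Appgate analysis reports Egregor accepting.
# The article names these three; the set is not claimed to be exhaustive.
EGREGOR_SWITCHES = {"nomimikatz", "killrdp", "norename"}


def extract_switches(command_line):
    """Return the known Egregor switches present in a command line.

    Tokens are compared case-insensitively after stripping common switch
    prefixes (-, --, /), so '--KillRDP' and '/killrdp' both match. Quoted
    strings stay whole, so a switch name inside quoted text does not match.
    """
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    found = set()
    for tok in tokens:
        name = re.sub(r"^[-/]+", "", tok).lower()
        if name in EGREGOR_SWITCHES:
            found.add(name)
    return found


def triage_events(events):
    """Flag events whose command line carries Egregor switches.

    Each event is a dict with 'host', 'image' and 'command_line'. The hit
    keeps the command line verbatim so analysts can reproduce the exact
    invocation when detonating the sample.
    """
    hits = []
    for ev in events:
        matched = extract_switches(ev.get("command_line", ""))
        if matched:
            hits.append({"host": ev.get("host"), "image": ev.get("image"),
                         "switches": sorted(matched),
                         "command_line": ev["command_line"]})
    return hits


# Constructed sample telemetry (hypothetical hosts, paths and key placeholder).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"host": "ws02", "image": r"C:\Users\Public\svc.exe",
     "command_line": r"svc.exe --KillRDP -norename EXAMPLE_KEY_PLACEHOLDER"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c echo "nomimikatz is a word"'},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
```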
Overall, he said, it has the same sophistication level as other ransomware families; however, Egregor implements a high number of anti-analysis techniques, such as code obfuscation and payload encryption.
While Appgate researchers don’t know how long Egregor has been circulating, the ransomware’s first public appearance was September 18 on Twitter, after it was spotted by @demonslay335 and @PolarToffee.
🚨Breaking: new #Sekhmet #Ransomware (spin-off?) calling itself #Egregor. Extension random but has an XOR'd filemarker. Note still "RECOVER-FILES.txt" (https://t.co/hgsvJaoCr1) with a new site. pic.twitter.com/4Q3kdOapK7
— Michael Gillespie (@demonslay335) September 18, 2020
Appgate researchers also found that the ransom note demands payment within three days; otherwise, the sensitive data will be leaked. In a twist from the usual double-extortion tactics used by ransomware families like NetWalker, the Egregor operators threaten to distribute stolen data via “mass media,” so that a victim company’s partners and clients will know that the company was attacked.
This part of the ransom note, shared with Threatpost, reads: “What does it mean? It means that soon mass media, your partners and clients WILL KNOW about your PROBLEM.”
So far though, no mass-media events have occurred. “The only evidence we have is the deep web site in which they are publishing details about attacked companies, we have not identified any other news or information on data being released to any media organizations,” Palazolo said.
And indeed, the analysis uncovered a self-billed “Egregor news” website, hosted on the deep web, which the criminal group uses to leak stolen data.
“At the time of this advisory, there are at least 13 different companies listed in their ‘hall of shame,’ including the global logistics company GEFCO, which suffered a cyberattack last week,” according to the firm.
The Egregor ransom note also says that aside from decrypting all the files in the event the company pays the ransom, the operators will provide recommendations for securing the company’s network, “helping” them to avoid being breached again, “acting as some sort of black-hat pen-test team,” according to the Appgate research.
The note reads: “(In case the payment is done) … You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter.”
“The ‘security recommendations’ caught our attention since it’s something unusual for a criminal group; they are trying to play good guys by suggesting they would try to help secure your network,” Palazolo said.
There’s no word yet on the initial infection vector for the malware, but the ransomware seems to be equal-opportunity in terms of its targets, with samples affecting corporations in France, Germany, Italy, Japan, Mexico, Saudi Arabia and the US, according to the researcher.
As for the size of the ransom, the crimeware operators make victims jump through hoops.
“Unfortunately, there are no details on [the ransom payment amount] in the ransom note or on the Egregor website,” the researcher told Threatpost. “To get payment details, the victim needs to navigate to the deep web link Egregor provided and get instructions from the attacker through a live chat, which we have not performed.”