FBI Issues Warning About Increasing Egregor Ransomware Activity

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert about the growing threat of Egregor ransomware attacks.

Egregor ransomware is a ransomware-as-a-service operation that was first identified in September 2020. The threat actors behind the operation recruit affiliates to distribute their ransomware and give them a cut of any ransoms they generate. The affiliates have been highly active over the past three months and have conducted attacks on many large enterprises. High-profile victims include Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink.

The threat group claims to have gained access to more than 150 corporate networks and deployed their ransomware, with ransom demands exceeding $4 million. Many affiliates have been recruited by the Egregor ransomware gang, and each has its own preferred method of distributing the ransomware. With such a wide range of tactics, techniques, and procedures used to deliver the ransomware, defending against attacks can be a challenge for network defenders.

Initial access to corporate networks is often gained through phishing attacks targeting corporate email accounts using attachments with malicious code that downloads the ransomware payload. Other tactics include brute force attacks on weak passwords and the exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs).

Once a network has been compromised, the attackers escalate privileges and move laterally within the network using tools such as Advanced IP Scanner, Cobalt Strike, AdFind, and malware such as QakBot. The network is explored to find sensitive data, which is exfiltrated using 7zip and Rclone, sometimes with the activity disguised as a Service Host Process (svchost). The exfiltrated data is used to pressure victims into paying the ransom, with the threat actors threatening to sell or publish the data if payment is not made.

The ransomware first appeared around the time the Maze ransomware operation shut down, and many Maze ransomware affiliates switched to distributing Egregor ransomware. Several security researchers have suggested the Maze ransomware gang is running the Egregor ransomware operation, citing the arrival of Egregor as the Maze operation shut down and similarities in the types of companies attacked and in the ransom notes. The threat actors running the Egregor ransomware operation also appear to have considerable experience running ransomware-as-a-service operations.

The FBI has advised against paying the ransom demands, as there is no guarantee that valid keys will be supplied to unlock encrypted data, and stolen data may not be deleted even if the ransom is paid. Paying the ransom helps to fund future attacks and encourages the threat actors to continue.

Due to the diverse tactics, techniques, and procedures used to distribute the ransomware, network defenders need to harden security organization-wide. To ensure data can be recovered in the event of an attack, critical data should be backed up regularly, and the backups should be stored offline, in the cloud, or on an external hard drive that is not connected to the network. Backups should never be accessible from the network where the live data resides.

Antivirus and antimalware solutions should be deployed and set to update automatically, email security gateways should be used to block phishing attacks, and multi-factor authentication should be implemented on corporate email accounts and remote access solutions. If multi-factor authentication cannot be implemented, it is essential to use strong passwords.

Secure networks should be used for remote access, and public Wi-Fi networks should be avoided. Public-facing remote access solutions should be regularly updated and patches should be applied promptly. Several attacks saw networks compromised by exploiting vulnerabilities in RDP such as CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, and CVE-2019-1108. Patching these vulnerabilities should be prioritized. The FBI also recommends reviewing suspicious .bat and .dll files and files containing reconnaissance data, such as .log files, and monitoring for the use of exfiltration tools.
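The two behaviours called out above, exfiltration with 7zip and Rclone and disguising that activity as a Service Host Process (svchost), are both visible in process-creation telemetry. The following is an added example, not code from the FBI alert or from this article, of how a defender might triage such events. It assumes events have been flattened to one `key=value` line each in a Sysmon-like shape; the sample lines, the field names and the finding labels are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events (one per line, Sysmon Event ID 1
# style flattened to key=value pairs). These are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    "ts=2020-12-01T10:02:11 image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "ts=2020-12-01T10:05:43 image=C:\\Users\\Public\\svchost.exe parent=C:\\Windows\\System32\\cmd.exe cmd=svchost.exe copy C:\\Finance\\ remote:backup --transfers 8",
    "ts=2020-12-01T10:06:02 image=C:\\Program Files\\7-Zip\\7z.exe parent=C:\\Windows\\System32\\cmd.exe cmd=7z.exe a -p -mhe=on D:\\staging\\hr.7z C:\\HR\\",
    "ts=2020-12-01T10:07:15 image=C:\\Users\\Public\\rclone.exe parent=C:\\Windows\\System32\\cmd.exe cmd=rclone.exe copy D:\\staging remote:drop --config c.conf",
    "ts=2020-12-01T11:00:00 image=C:\\Windows\\System32\\notepad.exe parent=C:\\Windows\\explorer.exe cmd=notepad.exe notes.txt",
]

EVENT_RE = re.compile(r"^ts=(\S+) image=(.+?) parent=(.+?) cmd=(.*)$")

# Where a genuine svchost.exe lives, and the parent that normally spawns it.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXPECTED_SVCHOST_PARENT = "\\services.exe"

# rclone verbs followed by a source and a "<remote>:" destination. The remote name
# must be at least two characters so a bare drive letter like "c:" does not match.
RCLONE_RE = re.compile(r"(?:^|\s)(?:copy|sync|move)\s+\S+\s+[a-z0-9_-]{2,}:")
# 7-Zip password switch (-p or -pSECRET), i.e. an encrypted archive being built.
SEVENZIP_PW_RE = re.compile(r"(?:^|\s)-p\S*")


@dataclass
class ProcessEvent:
    ts: str
    image: str
    parent: str
    cmd: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one flattened event line; raises ValueError on unexpected shape."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return ProcessEvent(*m.groups())


def classify(ev: ProcessEvent) -> list:
    """Return finding labels for a single event (empty list when nothing fires)."""
    findings = []
    img = ev.image.lower()
    cmd = ev.cmd.lower()
    name = img.rsplit("\\", 1)[-1]

    # A process named svchost.exe that runs from outside the system directories,
    # or is not a child of services.exe, is a masquerade candidate.
    if name == "svchost.exe":
        if not img.startswith(SYSTEM_DIRS) or not ev.parent.lower().endswith(EXPECTED_SVCHOST_PARENT):
            findings.append("svchost-masquerade")

    # Rclone either by binary name or by its characteristic command-line shape,
    # which survives renaming the executable.
    if "rclone" in name or RCLONE_RE.search(cmd):
        findings.append("rclone-style-transfer")

    # 7-Zip creating a password-protected archive: staging data before exfiltration.
    if name in ("7z.exe", "7za.exe") and SEVENZIP_PW_RE.search(cmd):
        findings.append("7zip-encrypted-archive")

    return findings


def scan(lines) -> list:
    """Return (ts, image, findings) for every event that produced at least one finding."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        findings = classify(ev)
        if findings:
            hits.append((ev.ts, ev.image, findings))
    return hits


if __name__ == "__main__":
    for ts, image, findings in scan(SAMPLE_EVENTS):
        print(f"{ts}  {image}  {', '.join(findings)}")
```

The command-line rule matters more than the binary-name rule: an attacker who renames rclone.exe to svchost.exe still has to pass rclone's `copy <src> <remote>:` arguments, so the second sample line is flagged twice (wrong path for svchost, and an rclone-shaped command line) even though the file name looks benign. Thresholds and allow-lists for legitimate 7-Zip and Rclone use would be tuned per environment.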

Victims of Egregor ransomware attacks are being encouraged to report the attacks to their local FBI office or the FBI’s 24/7 CyberWatch. Victims should bear in mind that payment of a ransom potentially carries sanctions risks. Last year, the Office of Foreign Assets Control (OFAC) of the Treasury Department warned that paying a ransom could violate OFAC regulations if it involves a sanctions nexus. OFAC should be contacted before any ransom is paid in order to avoid future sanctions.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.