The Egregor ransomware was first detected in September 2020; based on the samples analysed, it has been located in Italy, France, Mexico, Germany, Japan, Saudi Arabia and the US. It is believed to be a derivative of the Sekhmet ransomware, as the two share several similarities, including API calls, functions, obfuscation techniques and a similar ransom note. In addition, many Maze ransomware affiliates are presumed to be moving over to become Egregor customers.

This ransomware implements anti-analysis techniques such as code obfuscation and payload encryption. In one of its execution stages the payload can only be decrypted if the correct key is provided on the command line of the process, and Egregor can receive additional parameters through the command line as well. Encrypted files are given a string of random characters as a new extension; for example, a file called “image.jpg” becomes “image.jpg.JhWeA”.
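As an added example (not from the original article), the following defender-side heuristic turns the renaming behaviour described above into a detection: it parses file-rename events and flags any process that appends a non-standard extension to many files within a short window. The event format, process ids, paths, sample events and thresholds are all constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed rename-event log (not real telemetry): "<ISO timestamp> <pid> RENAME <old> -> <new>"
SAMPLE_EVENTS = r"""
2020-09-25T10:00:01 4120 RENAME C:\Users\a\Documents\report.docx -> C:\Users\a\Documents\report.docx.JhWeA
2020-09-25T10:00:01 4120 RENAME C:\Users\a\Pictures\image.jpg -> C:\Users\a\Pictures\image.jpg.JhWeA
2020-09-25T10:00:02 4120 RENAME C:\Users\a\Documents\budget.xlsx -> C:\Users\a\Documents\budget.xlsx.JhWeA
2020-09-25T10:00:02 4120 RENAME C:\Users\a\Documents\notes.txt -> C:\Users\a\Documents\notes.txt.JhWeA
2020-09-25T10:00:03 4120 RENAME C:\Users\a\Music\song.mp3 -> C:\Users\a\Music\song.mp3.JhWeA
2020-09-25T10:05:00 2210 RENAME C:\Users\a\Documents\draft.txt -> C:\Users\a\Documents\draft.txt.bak
2020-09-25T10:05:10 2210 RENAME C:\Users\a\Downloads\setup.tmp -> C:\Users\a\Downloads\setup.exe
"""

EVENT_RE = re.compile(r"^(\S+) (\d+) RENAME (.+?) -> (.+)$", re.M)
# Benign second extensions that legitimately get appended to a full file name.
KNOWN_APPENDED = {"bak", "gz", "bz2", "xz", "zip", "7z", "tmp", "old", "orig", "part"}


def appended_suffix(old: str, new: str):
    """Return the appended extension if `new` is `old` plus one extra, non-standard
    extension of 4-8 alphanumerics (image.jpg -> image.jpg.JhWeA), else None."""
    if not new.startswith(old + "."):          # extension replaced, not appended
        return None
    suffix = new[len(old) + 1:]
    if suffix.lower() in KNOWN_APPENDED or not re.fullmatch(r"[A-Za-z0-9]{4,8}", suffix):
        return None
    return suffix


def find_suspicious_processes(log: str, threshold: int = 5, window_s: int = 10):
    """Map pid -> sorted appended suffixes for each process that appended a
    non-standard extension to >= threshold files within window_s seconds."""
    hits = {}
    for m in EVENT_RE.finditer(log):
        ts, pid, old, new = m.groups()
        suffix = appended_suffix(old, new)
        if suffix is not None:
            hits.setdefault(pid, []).append((datetime.fromisoformat(ts), suffix))
    flagged = {}
    for pid, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:    # a single odd rename is ignored; the burst matters
                flagged[pid] = sorted({s for _, s in events})
                break
    return flagged
```

Running `find_suspicious_processes(SAMPLE_EVENTS)` on the constructed log flags only pid 4120 with the suffix `JhWeA`; the backup rename and the extension replacement by pid 2210 are ignored.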

Egregor’s ransom note tells its victims that “soon the media, your partners and customers WILL KNOW about your PROBLEM … If you do not contact us in the next 3 DAYS, we will start publishing DATA.”

Egregor has no self-propagation mechanism, so the attackers must move laterally themselves, using built-in Windows tools and other exploitation tools. In some cases, Cobalt Strike has been detected as part of Egregor attacks. The attackers used these tools to run scripts, gather information about other systems on the network, extract additional credentials and spread the ransomware.

To mitigate the possible impact of this ransomware, it is recommended to back up information periodically and keep backups containing sensitive information offline, without Internet access. It is also advisable to use a reliable security solution on each device and keep it updated, avoid opening attachments in emails we did not expect to receive, implement two-factor authentication wherever possible, and connect only to trusted networks, avoiding public Wi-Fi in particular.

Check also:
Cyborg Ransomware distributed through Email
Vovalex – Ransomware posing as Windows utilities
