The US FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks.
The Egregor ransomware first appeared on the threat landscape in September 2020, since then the gang claimed to have compromised over 150 organizations.
The list of known victims includes Barnes and Noble, Cencosud, Crytek, Kmart, Ubisoft, and Metro Vancouver’s transportation agency TransLink.
Egregor is known to target printers of the compromised organizations, instituting them to print the ransom note.
The gang Egregor often exfiltrate files from the target network and if the victim refuses to pay, the operators publish victim data to a leak site.
“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” reads the alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”
Threat actors use phishing emails with malicious attachments as attack vector, they also exploit insecure Remote Desktop Protocol(RDP) or Virtual Private Networks to gain access to the networks.
Once gained access to the target network, the threat actors attempt to escalate privileges and make lateral movements using Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind.
Feds also added that the ransomware operators leverages tools like Rclone (sometimes renamed or hidden as svchost) and 7zip for data exfiltration.
FBI discourages victims to pay the ransom and urge them to report incidents to local FBI offices.
“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.” concludes the alert.”Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Below the list of mitigations provided by the FBI to defend against Egregor’s attacks:
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Egregor ransomware)