Egregor Ransomware Adds to Data Leak Trend
Researchers Note Similarities to Sekhmet Crypto-Locking Malware
Security researchers at Appgate are warning about a recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months, according to an alert issued Friday.
As with other ransomware gangs, such as Maze and Sodinokibi, the operators behind the Egregor ransomware are threatening to leak victims' data if the ransom demands are not met within three days, according to an Appgate alert.
The cybercriminals linked to Egregor are also taking a page from the Maze playbook, creating a "news" site on the darknet that offers a list of victims that have been targeted and updates about when stolen and encrypted data will be released, according to the alert (see: Maze Ransomware Gang Continues Data-Leaking Spree).
"Egregor's ransom note also says that aside from decrypting all the files in the event the company pays the ransom, they will also provide recommendations for securing the company's network, 'helping' them to avoid being breached again, acting as some sort of 'black hat pentest team,'" according to Appgate.
It's not clear how much ransom the operators behind Egregor are demanding or if any data has been leaked, according to Appgate. A copy of one ransom note posted online notes the cybercriminals plan to release stolen data through what they call "mass media."
While Appgate released an alert to customers on Friday, the Egregor ransomware variant was first spotted in mid-September by several independent security researchers, including Michael Gillespie, who posted samples of the ransom note on Twitter.
Breaking: new #Sekhmet #Ransomware (spin-off?) calling itself #Egregor. Extension random but has an XOR'd filemarker. Note still "RECOVER-FILES.txt" (https://t.co/hgsvJaoCr1) with a new site. - Michael Gillespie (@demonslay335), September 18, 2020
"The first time Egregor was analyzed by our team was earlier this week. We don't have specifics about how long it's been operating, but it seems that the first public appearance of Egregor was September 18 on Twitter by @demonslay335 and @PolarToffee," Gustavo Palazolo, a security researcher with Appgate, tells Information Security Media Group. "At this time, there are still only 13 companies in the 'hall of shame.'"
The Appgate alert notes that the Egregor variant appears to be a spinoff of another ransomware strain called Sekhmet, which has also been linked to criminal gangs threatening to release encrypted and stolen data if victims don't pay (see: More Ransomware Gangs Threaten Victims With Data Leaking).
The Appgate analysts noted that the Egregor ransomware uses several anti-analysis techniques, including code obfuscation and packed payloads, meaning the malicious code "unpacks" itself in memory to avoid detection by security tools. Without the right decryption key, it's difficult to analyze the full ransomware payload and learn additional details about how the malware works, the analysts say.
"The Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided," according to the alert.
Palazolo notes that the use of the decryption key makes a deeper analysis more difficult at this time. "This means that if the analyst or researcher only has access to the packed file, without knowing how it was launched in the affected environment, Egregor's payload cannot be decrypted, hence executed," he says.
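The practical consequence for defenders is that process-creation telemetry with full command-line capture (Windows 4688 auditing with command-line logging, or Sysmon Event ID 1) is what lets an incident responder recover the exact launch arguments and replay a sample in a sandbox. The script below is an added illustration written for this article, not Appgate's tooling or anything from the Egregor analysis: it parses constructed process-creation log lines in a simplified Sysmon-style key="value" layout, pulls the command line for a given image, and flags launches where no command line was recorded. The image name, paths and the key value are placeholders, not real indicators.

```python
"""Recover the launch command line of a process from process-creation
telemetry so the launch can be reproduced for analysis.

Added example (not Appgate's or the malware authors' code). The events
below are constructed and simplified; 'loader.exe' and 'PLACEHOLDER_KEY'
are placeholders, not Egregor indicators.
"""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample telemetry in a simplified Sysmon Event ID 1 layout.
SAMPLE_EVENTS = [
    'EventID=1 UtcTime="2020-09-18 10:02:11" Image="C:\\Windows\\System32\\svchost.exe" '
    'CommandLine="C:\\Windows\\System32\\svchost.exe -k netsvcs" '
    'ParentImage="C:\\Windows\\System32\\services.exe"',
    'EventID=1 UtcTime="2020-09-18 10:05:43" Image="C:\\Users\\Public\\loader.exe" '
    'CommandLine="C:\\Users\\Public\\loader.exe --pass PLACEHOLDER_KEY --quiet" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # A network event for the same image: not a process creation, so ignored.
    'EventID=3 UtcTime="2020-09-18 10:05:44" Image="C:\\Users\\Public\\loader.exe" '
    'DestinationIp="203.0.113.10"',
    # Process creation recorded without command-line auditing: nothing to replay.
    'EventID=1 UtcTime="2020-09-18 10:06:01" Image="C:\\Users\\Public\\loader.exe" '
    'CommandLine="" ParentImage="C:\\Windows\\System32\\cmd.exe"',
]

# key="quoted value" or key=bareword
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}


def launch_command_lines(events: List[str], image_substring: str) -> List[Optional[str]]:
    """Return the CommandLine of every process-creation event whose Image
    contains image_substring (case-insensitive), in log order.

    An event whose CommandLine is empty or missing yields None: command-line
    auditing was not capturing arguments, so that launch cannot be
    reproduced from this telemetry alone.
    """
    found: List[Optional[str]] = []
    needle = image_substring.lower()
    for line in events:
        event = parse_event(line)
        if event.get("EventID") != "1":
            continue
        if needle not in event.get("Image", "").lower():
            continue
        found.append(event.get("CommandLine") or None)
    return found


def launch_arguments(command_line: str) -> List[str]:
    """Split a recovered command line into the arguments that followed the
    executable; these are what an analyst supplies when replaying the
    sample. posix=False keeps Windows backslashes intact."""
    tokens = shlex.split(command_line, posix=False)
    return tokens[1:]


if __name__ == "__main__":
    for cmd in launch_command_lines(SAMPLE_EVENTS, "loader.exe"):
        if cmd is None:
            print("launch recorded without a command line; cannot replay")
        else:
            print("replay with arguments:", launch_arguments(cmd))
```

Run over real telemetry, the None entries are the ones to chase: they indicate hosts where command-line auditing was not enabled, and the launch arguments would have to come from another source (EDR, shell history, scheduled task definitions) before the packed sample can be analyzed.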
The Egregor ransom note is vague and offers few clues about how the malware works and how the operators behind it will decrypt files once the ransom is paid, Palazolo says.
"Unfortunately, there are no details on the ransom note or on the Egregor website," Palazolo says. "To get payment details, the victim needs to navigate to the deep web link Egregor provided and get instructions from the attacker through a live chat, which we have not performed."
Data Leak Threats
While it's not clear whether any data related to Egregor ransomware attacks has been leaked, security experts note that more cybercriminal gangs are using this technique to force victims to pay or as a warning to others.
Speaking at ISMG's Virtual Cybersecurity Summit: New York in August, attorney Craig Hoffman, who's co-leader for the digital risk advisory and cybersecurity team at BakerHostetler, said that in at least 25% of the ransomware cases his firm has helped investigate, attackers claimed to have not just crypto-locked systems but also to have exfiltrated data (see: Ransomware Gangs' Ruthlessness Leads to Bigger Profits).
In August, incident response firm Coveware released a report finding that of the thousands of ransomware cases the firm investigated in the second quarter of this year, 30% involved attackers threatening to release stolen data.