According to a recent security alert released by the Federal Bureau of Investigation (FBI) to warn the private sector, Egregor ransomware has compromised more than 150 victims since it first appeared in September 2020.
Egregor ransomware targets organizations through several mechanisms, such as compromising business networks and the personal accounts of employees who share access with business networks or devices.
- Enterprise, manufacturing, education, transport, and retail remain the sectors most targeted by this ransomware, while the affected regions include South and North America and Western Europe.
- The Egregor operators have been using email phishing as their initial method of infection. The attack vectors Egregor uses to gain access to a victim's network include phishing emails carrying malicious attachments and exposed RDP or VPN services.
- Additionally, for lateral movement across the network and privilege escalation, the ransomware operators also used post-exploitation tools such as Cobalt Strike, Qakbot/Qbot malware, Advanced IP Scanner, and AdFind.
Egregor has worked with former Maze affiliates to break into networks and deploy ransomware payloads while operating as a RaaS (Ransomware-as-a-Service). The Egregor group shares ransomware payment earnings with its operators in a 70/30 split.
Recent attacks –
- SystemBC was used in combination with post-exploitation tools in several Ryuk and Egregor attacks in recent months.
- Several organizations including Randstad NV, TransLink, Kmart, Spring Independent School District, and Cencosud have been targeted by the Egregor group.
In the wake of the recent wave of ransomware attacks, security teams should keep offline backups of critical data, install and regularly update anti-virus or anti-malware software on all hosts, restrict RDP access, and enforce two-factor authentication.
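The RDP advice above is the one item a defender can verify on a host in a minute. The script below is an added example, not code from the eScan post or the FBI alert: it is a read-only PowerShell audit that reports whether Remote Desktop is enabled, whether Network Level Authentication is required, which accounts may log on over RDP, and whether the inbound Remote Desktop firewall rules are open to any remote address. It assumes Windows 10 or Server 2016 or later, an elevated session, and the built-in NetSecurity and LocalAccounts modules; the registry values it reads are the standard Terminal Server settings.

```powershell
# Added example (not from the eScan post or the FBI alert): a read-only audit of a
# Windows host's RDP exposure, covering the "restrict RDP access" advice above.
# Assumptions: run elevated on Windows 10 / Server 2016 or later with the
# NetSecurity and LocalAccounts modules available. Nothing here changes settings.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled on this host.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

# UserAuthentication = 1 means Network Level Authentication is required, so a client
# must authenticate before a session (and its attack surface) is created.
$nlaRequired = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication -eq 1

# Accounts allowed to log on over RDP: every member here is worth reviewing.
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name

# Enabled inbound firewall rules for Remote Desktop. A RemoteAddress of 'Any'
# means the listener is reachable from every network the host is attached to.
$fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    }

# One summary object per host; collect these centrally to spot exposed listeners.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    RdpDisabled        = $rdpDisabled
    NlaRequired        = $nlaRequired
    RemoteDesktopUsers = ($rdpUsers -join ', ')
    OpenToAnyAddress   = [bool]($fwRules | Where-Object RemoteAddress -eq 'Any')
}
```

Findings to act on are RdpDisabled = False on a host that does not need RDP, NlaRequired = False, a long RemoteDesktopUsers list, or OpenToAnyAddress = True. The remediation matching the page's advice is to scope the firewall rules to a management subnet or VPN address range, prune the Remote Desktop Users group, and place RDP behind a gateway that enforces two-factor authentication.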
To read more, please check eScan Blog