Egregor is a ransomware-as-a-service gang that has so far managed to claim at least 70 victims and extort tens of millions of dollars during a prolific yet short spell of operations. The Egregor ransomware strain first surfaced in September 2020, and most attacks occurred within a three-month period, ending in December 2020.

Egregor: Operations and Ransomware Analysis 

As with many ransomware gangs, double extortion is a feature of Egregor’s operations. Affiliates carry out attacks using Egregor’s ransomware, and the leaders of the operations receive a percentage commission from any successful attack that uses their ransomware strain. 

The actual ransomware strain appears to be a copy of the Sekhmet strain, which was previously used by the Maze cartel. Many industry commentators have noted that after Maze winded up its operations, several of the gang’s affiliates switched to Egregor. There’s a strong possibility that Egregor is a rebranding of Maze by some of the operation’s former leaders. 

Initial access stems from a variety of methods, including using stolen credentials, hacking remote access technology, and conducting spear-phishing campaigns with malicious attachments targeted at specific employees. Threat actors use the threat emulation toolkit Cobalt Strike to covertly discover information about their victim’s network and move laterally. 

The code itself uses obfuscation techniques to evade analysis and detection by security solutions. PowerShell scripts attempt to uninstall or disable popular endpoint security solutions. After exfiltrating data, the payload executes, and victims receive a ransom note demanding payment within a three-day window to avoid having their data leaked online. 

High-Profile Egregor Attacks 

Barnes and Noble, October 2020

Bookstore giant Barnes and Noble became one of Egregor’s most high-profile early victims in October 2020. A public statement by Barnes and Noble disclosed the fact that a cyber attack resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.

Acting from a position of caution, Barnes and Noble advised that some customers may have had their data compromised. The compromised data potentially included email addresses, shipping addresses, and telephone numbers. A post appeared on Egregor’s dark web leak site shortly after with apparent proof of stolen data.  

Crytek and Ubisoft, October 2020

In somewhat of a double-whammy attack, video game developers Crytek and Ubisoft were two unfortunate organizations counted among Egregor’s earliest victims. Two posts appeared on Egregor’s dark web leak site simultaneously with purported files and data exfiltrated from both companies’ IT systems. 

The Ubisoft leak contained source code from one of the company’s video games while the Crytek leak featured developmental resources for upcoming games. After being contacted by ZDNet, Egregor confirmed that they had only stolen data from Ubisoft; systems were left untouched and unencrypted by ransomware. Several of Crytek’s systems, however, were encrypted fully by Egregor threat actors. 

 Kmart, December 2020

Kmart is an American department store chain that has experienced troubling times in recent years. Despite respectable annual revenues of almost $10 billion in 2020, Kmart continues to feel the impact of customers favoring online shopping. In early December 2020, a ransomware attack impacted back-end IT services at the company. A human resources website owned by parent company Transformco went offline following the attack.

The Holiday season is a particularly important time of the year for retailers. Threat actors know that successful attacks on retailers’ IT systems conducted during the busiest time of the year have a higher likelihood of leading to payouts. Security researchers who saw the ransom note from this incident confirmed that the Egregor operation was behind the attack. Kmart never publicly commented on the ransomware incident, and it appears the damage was limited to encrypted back-end servers and workstations. 

Translink, December 2020

Translink operates the regional transportation network of Metro Vancouver. With over 6,900 employees, the statutory authority manages a range of critical modes of transit, including buses, SkyTrain, and commuter railway services. In another early December 2020 attack, the Translink incident affected phone services, online services, and payment systems. Customers temporarily couldn’t pay for transport services with credit or debits cards. 

The ransom note requested payment within three days if Translink wanted to avoid its data being published online. Egregor opted for an interesting method to deliver the ransom note to Translink; hijacking printers and repeatedly printing out the note. This tactic echoed an attack carried out by Egregor two months previously on Chilean retail giant Cencosud. 

Future of Egregor 

In what’s been a busy year busting ransomware gangs for Ukrainian law enforcement, a joint operation with French authorities resulted in the arrest of several individuals associated with the Egregor operation. The February 2021 swoop caught suspects who were Egregor affiliates carrying out hacks using the gang’s ransomware strain. 

At the time of the arrests, the dark web leak site operated by Egregor went offline. Whether this sudden departure represents the operation’s leaders becoming spooked or the Ukrainian law enforcement sting was more far-reaching than reported remains unknown. CSO reported that the leader of Egregor may have been arrested when the authorities closed in. 

There’s a chance that Egregor will re-emerge under a new name, and that this absence represents a hiatus. The other possibility is that Egregor has been shut down permanently. Only time will tell whether Egregor has any future or it’s been consigned to history. Organizations still need to remain cautious in preventing ransomware attacks because there are always new threat actors looking to get a slice of what is a very large pie. 

Blocking Spear Phishing

Like many ransomware gangs, Egregor has used phishing emails to gain initial access to networks. These emails have been highly targeted spear-phishing emails sent to specific individuals about whom the threat actors gleaned information on social media, company web pages, and other sources. Typically, these emails come with attachments containing malicious payloads that enable hackers to infiltrate a network. 

Successfully blocking phishing emails provides robust defense against today’s ransomware attacks. A dedicated email security platform with anti-phishing capabilities can prove a game-changer in becoming the next ransomware victim or keeping hackers at bay. 

To learn more about IRONSCALES’ award-winning anti-phishing solution, please sign up for a demo today at https://ironscales.com/get-a-demo/.