Last Updated on 04/12/2020 by Hrithik V
Security experts are warning that a new ransomware group is rapidly escalating threat activity, with double extortion attacks on scores of victims so far in Q4.
First observed on September 25th, 2020, the Egregor ransomware variant has been making considerable strides in the wake of Maze, another ransomware threat actor that ceased operations in October 2020.
The Egregor group first came to light with attacks on Barnes & Noble and video game developers Ubisoft and Crytek back in October, according to Digital Shadows.
In fact, the group has been active since September, when it compromised 15 victims. Then came a huge 240% spike in numbers, with 51 companies hit the following month. As of November 17, it had added a further 21 victims.
Since the Egregor ransomware group has only been active since September 25th, there is limited information about its common tactics, techniques, and procedures (TTPs).
According to the security vendor, most of Egregor's victims are from the industrial goods and services sector (38%), and the majority (83%) are based in the United States.
The malware itself has been built with many anti-analysis measures, such as code obfuscation and packed payloads, Digital Shadows claimed.
“More specifically, Windows application programming interfaces (APIs) are leveraged to encrypt payload data. Unless security teams can present the correct command-line argument, then the data cannot be decrypted, and the malware can’t be analyzed,” it claims.
“When the correct command-line argument is presented, the malware executes by injecting into the iexplore.exe process, encrypting all text files and documents, and enclosing a ransom note inside each folder that has an encrypted file. This process includes files on remote machines and servers through checks on LogMeIn event logs,” it further mentions.
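A defender's view of the behaviour described in the quote, as an added example that is not from Digital Shadows or the original article: it flags a single iexplore.exe process writing the same file name into several folders within a short window. The events, the note file name and the thresholds are constructed assumptions, shaped like file-creation telemetry (for example Sysmon Event ID 11).

```python
import ntpath
from collections import defaultdict
from datetime import datetime

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Constructed sample events (time, PID, process image, created file), not taken
# from the report. The note file name is a placeholder; the page does not give one.
SAMPLE_EVENTS = [
    ("2020-11-17 10:00:01", 4120, IE, r"C:\Users\a\Documents\NOTE-PLACEHOLDER.txt"),
    ("2020-11-17 10:00:02", 4120, IE, r"C:\Users\a\Desktop\NOTE-PLACEHOLDER.txt"),
    ("2020-11-17 10:00:05", 4120, IE, r"\\fs01\share\finance\NOTE-PLACEHOLDER.txt"),
    ("2020-11-17 08:00:00", 5332, IE, r"C:\Users\b\AppData\Local\Cache1\index.dat"),
    ("2020-11-17 10:30:00", 5332, IE, r"C:\Users\b\AppData\Local\Cache2\index.dat"),
    ("2020-11-17 13:00:00", 5332, IE, r"C:\Users\b\AppData\Local\Cache3\index.dat"),
    ("2020-11-17 10:00:03", 900, r"C:\Windows\explorer.exe", r"C:\Users\a\Pictures\desktop.ini"),
    ("2020-11-17 10:00:04", 900, r"C:\Windows\explorer.exe", r"C:\Users\a\Music\desktop.ini"),
    ("2020-11-17 10:00:06", 900, r"C:\Windows\explorer.exe", r"C:\Users\a\Videos\desktop.ini"),
]

def find_note_drops(events, image="iexplore.exe", min_dirs=3, window_s=60):
    """Return (pid, file name, folders) for each process of `image` that created
    the same file name in at least `min_dirs` distinct folders within `window_s` seconds."""
    seen = defaultdict(list)  # (pid, file name) -> [(time, folder)]
    for ts, pid, proc, target in events:
        if ntpath.basename(proc).lower() != image:
            continue  # only the process the report says is injected into
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        name = ntpath.basename(target).lower()
        seen[(pid, name)].append((when, ntpath.dirname(target).lower()))
    hits = []
    for (pid, name), drops in seen.items():
        drops.sort()
        # Slide a window forward from each drop and count distinct folders in it.
        for i, (start, _) in enumerate(drops):
            dirs = {d for t, d in drops[i:] if (t - start).total_seconds() <= window_s}
            if len(dirs) >= min_dirs:
                hits.append((pid, name, sorted(dirs)))
                break
    return hits

if __name__ == "__main__":
    for pid, name, dirs in find_note_drops(SAMPLE_EVENTS):
        print(f"PID {pid} wrote {name} into {len(dirs)} folders: {dirs}")
```

The UNC path in the sample stands in for the remote machines and servers the quote mentions; a browser process writing an identical file name into local and network folders within seconds is the pattern worth alerting on.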
Like many groups operating today, the actors behind Egregor maintain a dark web site on which they post data stolen from victims in a bid to force a ransom payment. In this respect, it has followed the lead of the infamous Maze group, which ceased operations in October.
For example, it posted 200MB of data on in-game assets from Ubisoft and claimed to have source code from an unreleased title, Watch Dogs: Legion. In the case of Crytek, 400MB of data was confirmed stolen related to titles Warface and Arena of Fate, Digital Shadows noted.