
Cybersecurity Threat Advisory 0067-20: Egregor Ransomware

Advisory Overview

The Ransomware as a Service variant “Egregor” is spiking across the cybersecurity and IT landscape after the shutdown of the notorious Maze ransomware campaign. Some major organizations have fallen victim to the malware, including Kmart, Cencosud (a retail giant in South America), Randstad NV (the world’s largest staffing company and owner of Monster.com), and Translink (Vancouver’s metro transportation agency). The ransomware has been seen hijacking printers and repeatedly printing the ransom note. In the case of retail organizations, the ransom note has been printing on consumers’ receipts at checkout. SKOUT recommends deploying advanced endpoint protection to block ransomware pre-execution.

Technical detail and additional information

What is the threat?

A new ransomware strain that appeared in September 2020 has taken the large-scale companies Randstad, Cencosud, Kmart, and Translink hostage. The Egregor ransomware infected these companies within the last month, and its operators are demanding payment for the data. Sources have confirmed that many threat actors have moved to Egregor as their malware of choice since the Maze ransomware operation shut down, and attacks have been on a steady rise.

Why is this noteworthy?

The Egregor ransomware was first seen in September 2020, and since that initial sighting the malware has been confirmed to have successfully hit several well-known companies such as Crytek, Ubisoft, and Barnes & Noble, in addition to Kmart, Cencosud, Randstad, and Translink within the last month. Aside from the surge of infections, the Egregor variant takes a slightly more devious approach than other ransomware. In addition to stealing files, launching an encryption operation, and extorting the victim, the malware flexes its virtual muscles by ‘print bombing’ the ransom note through attached printers, providing further evidence that the systems are breached.

What is the exposure or risk?

A company’s exposure to and risk from ransomware varies greatly depending on numerous variables; however, the overwhelming majority of ransomware attacks are initiated via phishing emails that carry a malicious payload, typically in the form of Word, Excel, Google, or DocuSign documents. Continuously training employees to recognize and report suspicious activity is key to protecting the company from a cyber-attack. Once the malicious attachment has been opened, a commodity malware tool such as Qbot, Ursnif, or IcedID is downloaded, along with Cobalt Strike, a popular reconnaissance and lateral movement tool. After Cobalt Strike has been deployed, the threat actor can gain full access to the network within minutes.

What are the recommendations?

Current recommendations to mitigate the impact of a potential ransomware attack are to:

  • Ensure endpoint protection software is up to date with the latest AI functionalities and malware signatures.
  • Backup your data on a consistent basis.
    • It is best practice to perform backup restorations in a test environment periodically to ensure the backup process is functional. Also, ensure the restoration process is solidified and documented in preparation for a real incident requiring restoration.
  • Ensure data is being stored and transferred securely, following security best practices.
    • Examples: Full disk encryption for data at rest, proper security measures for data in the cloud, and utilizing secure encryption protocols for data in transit.
  • Continuous training of employees to recognize and report phishing emails.
    • Employees are typically hesitant to report suspicious emails, especially ones they may have interacted with, for fear of being reprimanded or punished as ‘the person who compromised the company’. It is imperative that employees understand that it is in their best interest to report the email and to err on the side of caution.

References:

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.