Egregor ransomware operators are following the new trend in ransomware attacks: they threaten to leak their victims' data if the ransom is not paid within three days. The trend was started by the Maze gang and has since been adopted by many other groups.
The criminals behind Egregor ransomware have created a "news" site on the darknet that lists victims and posts updates on when the stolen data will be leaked.
The ransom note says that if the victim pays, the hackers will hand over the decryption key and offer some security tips to protect the company from future attacks. According to the researchers, the attackers thus function to some extent as a "black hat pentest team".
At this time, it is not known how much the Egregor operators are demanding or whether any victim's data has already been leaked. A copy of the note shows that the criminals intend to distribute the stolen data through the "media".
Egregor ransomware was first detected in mid-September by several security researchers, including Michael Gillespie, who posted a sample of the ransom note on Twitter.
Appgate researchers analyzed the ransomware last week but do not know many details about when the attacks started. However, Egregor's first appearance on Twitter was on September 18, in posts by @demonslay335 and @PolarToffee.
According to Appgate, Egregor appears to be derived from another ransomware family, Sekhmet, whose operators also leak victims' data.
During the analysis of Egregor, the researchers found that the ransomware uses anti-detection techniques (code obfuscation, packed payloads) to evade security products.
Appgate analysts also noted that without the right decryption key it is difficult to analyze the full ransomware payload and reveal details of how it works.
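The two findings above (packed payloads as an evasion technique, and a payload that cannot be analyzed without its key) can be seen in a simple triage check. The following is an added example written for this article; it is not Appgate's tooling and not Egregor's code. It measures the byte entropy of a buffer to flag packed or encrypted content, and uses a toy XOR keystream as a stand-in for a real packer to show that the same blob only becomes analyzable once the correct key is applied. The sample text, the key seed, the thresholds and the function names are all assumptions made for the example.

```python
"""Entropy-based triage for packed or encrypted payloads (added example).

Not Appgate's tooling and not Egregor's code. The XOR keystream below is a
stand-in for whatever scheme a real packer uses; the sample text, key seed
and thresholds are assumptions chosen for illustration.
"""
import math
import random
from collections import Counter
from typing import Dict, List

HIGH_ENTROPY = 7.2   # bits/byte; assumed threshold for "looks encrypted/packed"
LOW_ENTROPY = 6.0    # bits/byte; assumed threshold below which data looks like code/text


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sliding_entropy(data: bytes, window: int = 512) -> List[float]:
    """Entropy of each non-overlapping window. A small unpacking stub followed by
    an encrypted body shows up as a low-then-high profile along the file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(data: bytes) -> str:
    """Coarse verdict from whole-buffer entropy."""
    h = shannon_entropy(data)
    if h >= HIGH_ENTROPY:
        return "packed/encrypted"
    if h >= LOW_ENTROPY:
        return "compressed/mixed"
    return "plain"


def xor_keystream(data: bytes, seed: int) -> bytes:
    """Toy 'packer': XOR with a seeded PRNG keystream. XOR is symmetric, so the
    same call with the same seed unpacks. Illustration only, not a real scheme."""
    rng = random.Random(seed)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(data)))
    return bytes(a ^ b for a, b in zip(data, keystream))


# Constructed sample standing in for an unpacked payload (plain text on purpose).
PLAIN_SAMPLE = (b"Your network has been encrypted. Contact us within 3 days "
                b"or your files will be published. ") * 120
# Assumed key; a real packer might take it from the command line or a config blob.
KEY_SEED = 20200918
PACKED_SAMPLE = xor_keystream(PLAIN_SAMPLE, KEY_SEED)


def triage(data: bytes) -> Dict[str, object]:
    """Summary a triage script would log for one candidate payload."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "verdict": classify(data),
        "windows": [round(h, 2) for h in sliding_entropy(data)],
    }


if __name__ == "__main__":
    print("plain  :", triage(PLAIN_SAMPLE))
    print("packed :", triage(PACKED_SAMPLE))
    # With the right key the body drops back to text-like entropy and can be analyzed.
    print("right key:", triage(xor_keystream(PACKED_SAMPLE, KEY_SEED)))
    # A wrong key leaves it uniformly random: nothing to analyze statically.
    print("wrong key:", triage(xor_keystream(PACKED_SAMPLE, KEY_SEED + 1)))
```

The whole-buffer verdict is a heuristic, not proof of packing: compressed archives and legitimate encrypted resources also score high, which is why the per-window profile is printed alongside it. What the example does show is the point Appgate made: a blob that scores as "packed/encrypted" stays that way under every key but the right one, so static analysis of such a sample goes nowhere until the key is recovered.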