Security experts warn that a new ransomware group is rapidly escalating its activity, carrying out double-extortion attacks against numerous victims around the world. This is the Egregor ransomware gang, which became known after it attacked Barnes & Noble and the game developers Ubisoft and Crytek in October, as reported by Digital Shadows. The Egregor gang is believed to be the "successor" of the Maze ransomware gang.
However, the group has been active in the threat landscape since September, when it carried out attacks targeting 15 different victims. Then came a 240% increase, with more than 50 organizations being added to its list of victims. It is worth noting that since November 17, 21 more victims have been added.
According to Digital Shadows, victims of Egregor ransomware include organizations active in the industrial goods and services sector (38%), with the majority of them (83%) being in the USA.
In addition, the malware has been designed with multiple built-in anti-analysis measures, such as code obfuscation and packed payloads. More specifically, Digital Shadows pointed out that Windows application programming interfaces (APIs) are used to encrypt the payload data. If security teams cannot supply the correct command-line argument, the data cannot be decrypted and the malware cannot be analysed.
The company added that when the correct command-line argument is supplied, the malware executes by injecting itself into the iexplore.exe process, encrypting all text files and documents, and dropping a ransom note in every folder that contains an encrypted file. This process extends to files on remote computers and servers, which it discovers through checks on LogMeIn event logs.
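The behaviour just described, one process writing an identically named ransom note into every folder it encrypts while hiding inside iexplore.exe, can be turned into a simple endpoint detection. The following is an added example, not code from the article or from Digital Shadows: it runs a heuristic over constructed Sysmon-style FileCreate events (the note filename, paths and process IDs are placeholders) and flags any process that drops one filename into many distinct directories in a short window, escalating when that process is a browser.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

@dataclass(frozen=True)
class FileEvent:
    """Shape of a Sysmon Event ID 11 (FileCreate) record, reduced to what we need."""
    ts: datetime
    image: str   # process that created the file
    pid: int
    target: str  # full path of the created file

# Constructed sample telemetry (not real logs); the note name is a placeholder.
_T0 = datetime(2020, 11, 20, 9, 0, 0)
_IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_EVENTS = [
    FileEvent(_T0 + timedelta(seconds=i), _IE, 4120,
              ntpath.join(r"C:\Users\alice", d, "RECOVER-FILES.txt"))
    for i, d in enumerate(["Documents", "Pictures", "Desktop", "Downloads", "Music", "Videos"])
] + [  # benign: Explorer writing desktop.ini into two folders looks similar but stays narrow
    FileEvent(_T0 + timedelta(seconds=20), r"C:\Windows\explorer.exe", 1337, r"C:\Users\alice\Documents\desktop.ini"),
    FileEvent(_T0 + timedelta(seconds=21), r"C:\Windows\explorer.exe", 1337, r"C:\Users\alice\Pictures\desktop.ini"),
]

def note_spread(events, min_dirs=5, window=timedelta(minutes=10)):
    """Return {(image, pid, filename): sorted dirs} for every process that wrote a
    file of one name into at least min_dirs distinct directories within window."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e.image, e.pid, ntpath.basename(e.target).lower())].append(e)
    hits = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        best, start = set(), 0
        for end in range(len(evs)):          # sliding time window over the drops
            while evs[end].ts - evs[start].ts > window:
                start += 1
            dirs = {ntpath.dirname(e.target).lower() for e in evs[start:end + 1]}
            if len(dirs) > len(best):
                best = dirs
        if len(best) >= min_dirs:
            hits[key] = sorted(best)
    return hits

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

def severity(hit_key):
    """Escalate when the dropper is a browser process (Egregor runs inside iexplore.exe)."""
    return "high" if ntpath.basename(hit_key[0]).lower() in BROWSERS else "medium"
```

The thresholds are assumptions to tune per environment; on real telemetry the same grouping can be fed from Sysmon's TargetFilename, Image and ProcessId fields.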
The operators of Egregor ransomware, like other gangs, maintain a dark web site where they publish the data they steal from their victims, in order to pressure them into paying the ransom. According to Infosecurity Magazine, the Egregor gang seems to be following in the footsteps of the Maze ransomware gang, which ceased operations in October.
For example, it released 200MB of Ubisoft gaming data, claiming to possess the source code of the unreleased Watch Dogs: Legion game. At the same time, 400MB of data on Crytek's Warface and Arena of Fate games were stolen.