Pierluigi Paganini January 07, 2021

The US Federal Bureau of Investigation (FBI) issued a security alert warning private sector companies of Egregor ransomware attacks.

The US FBI has issued a Private Industry Notification (PIN) to warn private organizations of Egregor ransomware attacks.

The Egregor ransomware first appeared on the threat landscape in September 2020, since then the gang claimed to have compromised over 150 organizations.

The list of known victims includes Barnes and Noble, Cencosud, Crytek, Kmart, Ubisoft, and Metro Vancouver’s transportation agency TransLink.

Egregor is known to target printers of the compromised organizations, instituting them to print the ransom note.

The gang Egregor often exfiltrate files from the target network and if the victim refuses to pay, the operators publish victim data to a leak site.

“The FBI assesses Egregor ransomware is operating as a Ransomware as a Service Model. In this model, multiple different individuals play a part in conducting a single intrusion and ransomware event. Because of the large number of actors involved in deploying Egregor, the tactics, techniques, and procedures (TTPs) used in its deployment can vary widely, creating significant challenges for defense and mitigation.” reads the alert. “Egregor ransomware utilizes multiple mechanisms to compromise business networks, including targeting business network and employee personal accounts that share access with business networks or devices.”

Threat actors use phishing emails with malicious attachments as attack vector, they also exploit insecure Remote Desktop Protocol(RDP) or Virtual Private Networks to gain access to the networks.

Once gained access to the target network, the threat actors attempt to escalate privileges and make lateral movements using Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind.

Feds also added that the ransomware operators leverages tools like Rclone (sometimes renamed or hidden as svchost) and 7zip for data exfiltration.

FBI discourages victims to pay the ransom and urge them to report incidents to local FBI offices.

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.” concludes the alert.”Paying the ransom also does not guarantee that a victim’s files will be recovered.”

Below the list of mitigations provided by the FBI to defend against Egregor’s attacks:

• Recommended Mitigations;
• Back-up critical data offline.
• Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
• Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
• Install and regularly update anti-virus or anti-malware software on all hosts.
• Only use secure networks and avoid using public Wi-Fi networks.
• Use two-factor authentication and do not click on unsolicited attachments or links in emails.
• Prioritize patching of public-facing remote access products and applications, including recent RDP vulnerabilities (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019- 1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
• Review suspicious .bat and .dll files, files with recon data (such as .log files), and exfiltration tools.
• Securely configure RDP by restricting access, using multi-factor authentication or strong passwords.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Egregor ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]