The "double ransom" strategy behind the Egregor ransomware is challenging corporate defenses. A look back at a very real threat and at some ways to protect against it.
Specializing in ransomware attacks, the Egregor group is currently one of the fastest growing. According to Recorded Future's Insikt Group, its name, borrowed from the occult world, refers to "the collective energy of a group of people, especially when they have a common goal." Even though the descriptions of malware
However, it seems that members of the Maze group have joined Egregor without hesitation. Unit 42, the security team of Palo Alto Networks, and Insikt believe Egregor is associated with commodity malware such as Qakbot, which rose to prominence in 2007 and uses sophisticated and evasive worm-like propagation to steal financial information, but also with other malware available on the criminal market such as IcedID and Ursnif. This malware helps attackers gain initial access to victims' systems. All security researchers seem to agree with Cybereason's Nocturnus team that Egregor poses a high-severity threat and is growing rapidly. According to Digital Shadows, the gang has claimed at least 71 victims across 19 different sectors around the world.
Double extortion expert
Like most ransomware variants actively used today, Egregor relies on "double extortion" to pressure victims into paying the ransom: it threatens either to publicize the ransom demand on a "Wall of Shame" or to publish the stolen data on the Internet. Some of Egregor's best-known victims include Kmart, the Vancouver Metro, Barnes and Noble, the video game developers Ubisoft and Crytek, the Dutch human resources company Randstad, and more recently the town hall of La Rochelle, part of whose stolen data has been published on the web.
Like many cybercriminals, Egregor's operators have also targeted healthcare establishments and hospitals, identified as easy prey during the coronavirus crisis. This was the case for the Maryland-based American healthcare provider GBMC Healthcare, hit in early December 2020, which had to suspend some of its activities because of an Egregor ransomware attack. The company said it had strong protections in place, but was nevertheless forced to postpone certain non-urgent procedures.
Backups alone are no longer enough
Double extortion, or the double ransom, characteristic of this new type of ransomware, calls into question the defense most organizations have put in place, namely relying on robust backups to recover if attackers encrypt their files. "Egregor appeared a few months ago, but it was especially in September that the group began to carry out its attacks all over the world, around the time the Maze group announced the end of its activities," explained Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks.
"If you have good, working offline backups, the situation is much less serious if you are a victim of ransomware," she added. "The business impact and the downtime are not zero, but you have already built this into your recovery plan based on these backups." Groups like Egregor "understood the principle". They tell victims: "We have already stolen your data, so you have to pay us for it." Otherwise, they threaten to make it public and to ruin, or at least damage, the company's reputation. "Such an argument means that the backup guarantee, which has worked for so long, is no longer sufficient," said Jen Miller-Osborn. "This is the tactic used by the Maze group, and Egregor is doing the same."
Increased vigilance on phishing
Like Maze, Egregor is sold as ransomware as a service (RaaS), meaning the cybercriminal group sells or leases its malware to others for malicious use. Several Maze affiliates have switched to Egregor. "So it looks like, in terms of popularity and profitability, the Egregor ransomware will succeed Maze until another more inventive player comes up with a more creative variant of Egregor," Miller-Osborn added. "Stronger protections can help businesses protect themselves against Egregor's double ransom," Ms. Miller-Osborn also said. "In general, a ransomware attack is not particularly complicated.
In most cases, this type of malware is not stealthy." Many ransomware infections begin with phishing attacks. "It is without a doubt the most common vector of infection." Better protection against, and awareness of, phishing could therefore help. "Be careful when opening your emails, and don't click on links. This is the kind of advice you keep repeating, but it is the easiest thing you can do to avoid a ransomware attack."
Sanctuarize sensitive data
"Companies can also take other measures internally, including keeping their most sensitive data in enclaves," said Jen Miller-Osborn. "Basically, it's about avoiding flat network topologies and identifying the most sensitive data, or the data whose loss could be most damaging to the business." For the most sensitive data, "companies should provide an additional layer, with higher-level security controls than they would use for other parts of the network," she recommended. "Obviously, all of this costs money and is not trivial."
Any business should also be aware that its highly sensitive data can also be the target of hackers sponsored by a potential competitor or backed by a state, so investing in the protection of this type of data is also recommended. "The sensitive data sought and exfiltrated by ransomware actors is often the same data that spies might target," Miller-Osborn said. "It is therefore important that this data is better protected, placed higher up and made more difficult to access," she added. "Better awareness and increased network protection help stop and block ransomware," Miller-Osborn said. "All you need to do is have the right security components, configure them correctly, and place them in the right locations. It's a question of security posture design."
Keeping an eye on the life of the groups
Regarding the link between Egregor and the Maze group, "there is no compelling evidence of a connection between the two groups, but a lot of little clues make us believe that they are the same people," said Jen Miller-Osborn. It is not uncommon in the malware world for an individual or group to claim to end their activities and then reappear under a new name, when it is still the same person or people. "Their motivation is that at some point they are too visible, there are too many press articles about them, and there are also too many law enforcement agencies looking for them," she explained.
"All they are trying to do is distance themselves from that previous family, for whatever reason." Unfortunately, this new type of ransomware launched by Egregor is very damaging, and it will not end anytime soon. "It will continue, and more and more actors, especially on the criminal side, will start to take advantage of the situation, because they know they can potentially make a lot of money from this malware."