Saturday 9 January 2021

Ransomware: Egregor, cybercrime's next generation


What is an Egregor? The term "egregore" originally comes from an esoteric concept, sometimes borrowed in the world of management, designating "a group spirit formed by the aggregation of the intentions, energies and desires of several individuals united around a well-defined goal." The name was therefore well chosen for this new group of cybercriminals, operating on the ransomware-as-a-service model, which appeared in September 2020. The FBI published an alert this week concerning the attacks carried out by this group, while Anssi published a report last month on the group's activities.


Ransomware: one lost, ten found

In the space of a few months, the group has attracted a lot of attention by claiming more than 150 victims on its various websites, including the companies Crytek and Ubisoft in October 2020. In its report, Anssi confirms "at least 69 targeted organizations", including some French companies. The appearance of the group also coincides with the retirement of the famous Maze group, which announced the end of its activities at the beginning of November 2020. For Anssi, "it is possible that the strong visibility acquired by the Maze group forced it to end the project. Some of the members would then have developed Sekhmet in anticipation of the closure of the Maze project. Sekhmet having proven itself, the latter would have become Egregor following this closure." The many technical similarities between the three ransomware families are another argument in favor of this theory.

Egregor does not innovate much in the field of cybercrime: the FBI and Anssi agree that the economic model chosen by the group's operators is ransomware as a service, in which the ransomware developers make their malware available to third-party actors (affiliates) who infiltrate the victim businesses and deploy the software.

Little is known about the infection vectors used against victims, Anssi says, but the agency mentions the use of phishing campaigns with malicious attachments as well as the use of illegitimate access via RDP. The FBI points to these same vectors, as well as attacks targeting VPNs, all of which have become standard in the cybercriminal arsenal.


Once the cybercriminals have set foot in the victim's network, the use of penetration testing tools such as Cobalt Strike is attested, as well as legitimate tools like PsExec. Anssi also mentions the use of SharpHound, an internal network mapping tool, as well as the Active Directory query tool AdFind. The group has also used known malware: the banking trojan Qakbot, as well as Ursnif and IcedID. These different tools are used by the attackers to move around the compromised network and elevate their privileges until they can trigger the ransomware on the network, after deleting the backups reachable from the network. Operators have also been known to steal data before encrypting the target's files, a tactic that has become prevalent among these groups.
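The tooling listed above (PsExec, SharpHound, AdFind, backup deletion before encryption) is what a defender can actually look for in process-creation telemetry. The following is an added example, not code from the article, Anssi or the FBI: a small rule set run over a handful of constructed Windows process-creation events. The host names, user names, paths and command lines are made up, the command-line flags used in the patterns (AdFind's `-f`, SharpHound's collection-method option) are assumed spellings, and shadow-copy deletion via `vssadmin` is included as an assumption about how "deleting the backups" typically looks, since the article does not name the command.

```python
"""Detection pass over constructed process-creation events.

Added example: flags the post-compromise tooling the article attributes to
Egregor affiliates, then alerts on hosts where several distinct rules fire,
because one recon tool alone is noisy while recon + lateral movement + backup
deletion on the same host is the ransomware pre-deployment pattern.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    image: str          # full path of the created process
    command_line: str   # its command line


# (rule name, description, pattern over "image + command line")
# Flag spellings are assumptions; tune them against real telemetry.
RULES = [
    ("adfind_ad_recon", "AdFind Active Directory query tool",
     re.compile(r"adfind(\.exe)?\b.*\s-f\s", re.I)),
    ("sharphound_mapping", "SharpHound internal network mapping",
     re.compile(r"sharphound|collectionmethod", re.I)),
    ("psexec_lateral", "PsExec remote execution (client or service binary)",
     re.compile(r"\bpsexe(c|svc)(\.exe)?\b", re.I)),
    ("shadow_copy_deletion", "Backup (volume shadow copy) deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches this event."""
    text = f"{event.image} {event.command_line}"
    return [name for name, _desc, pattern in RULES if pattern.search(text)]


def triage(events):
    """Map each host to the sorted list of distinct rules that fired on it."""
    hits = defaultdict(set)
    for event in events:
        hits[event.host]  # make sure quiet hosts still appear in the output
        for name in match_rules(event):
            hits[event.host].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def alerts(events, threshold=2):
    """Hosts on which at least `threshold` distinct rules fired, sorted by name."""
    return sorted(host for host, names in triage(events).items() if len(names) >= threshold)


# Constructed sample telemetry (not real data): one benign event, a recon
# workstation, a file server showing lateral movement plus backup deletion,
# and a server running a harmless 'vssadmin list' that must not fire.
SAMPLE_EVENTS = [
    Event("WKS-042", "CORP\\jdoe", r"C:\Windows\System32\svchost.exe",
          "svchost.exe -k netsvcs"),
    Event("WKS-042", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\adfind.exe",
          'adfind.exe -f "(objectcategory=person)" -sc u:*'),
    Event("WKS-042", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\sh.exe",
          "sh.exe --CollectionMethod All"),
    Event("SRV-FS01", "CORP\\svc_admin", r"C:\Windows\PSEXESVC.exe",
          "PSEXESVC.exe"),
    Event("SRV-FS01", "CORP\\svc_admin", r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    Event("SRV-DB02", "CORP\\backup", r"C:\Windows\System32\vssadmin.exe",
          "vssadmin.exe list shadows"),
]


if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(names) or '-'}")
    print("alert hosts:", alerts(SAMPLE_EVENTS))
```

The rename of SharpHound to `sh.exe` in the sample is deliberate: matching on the binary name alone misses it, which is why the rule also keys on the command-line option. In production the rules would be enriched with the user and the time window, but the scoring idea (alert on the combination, not on any single tool) is what separates ransomware staging from routine administration.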

Regional preferences

The ransomware used by Egregor uses the ChaCha and 2048-bit RSA encryption algorithms to encrypt its targets' files, which means that at this time no way to decrypt the files is known (apart from the decryption key held by the cybercriminals). Anssi nevertheless indicates that the ransomware contains a mechanism for detecting the language of the operating system: if the system is configured in Russian, Ukrainian, Armenian or another language of a country belonging to the CIS (Commonwealth of Independent States), the ransomware will not encrypt the files.

The agency's report ends by recalling the best practices for protecting against Egregor attacks (practices that are valid against almost all current ransomware groups): keeping backups up to date and disconnected from the internal network, applying security patches (especially on VPNs), disabling macros in office suites and being particularly vigilant about RDP connections are among the recommendations. The FBI's recommendations are of the same order, calling on companies to be particularly vigilant with regard to the security vulnerabilities recently found in the RDP protocol (CVE-2020-0609, CVE-2020-0610, CVE-2020-16896, CVE-2019-1489, CVE-2019-1225, CVE-2019-1224, CVE-2019-1108).
