
FBI Warns Egregor Ransomware Actors Actively Extorting Entities

A Wednesday FBI private industry notification warns entities that the threat actors behind Egregor ransomware are actively targeting and exploiting a range of global businesses.


By Jessica Davis

All private sector organizations are being urged to be on the alert for potential malicious activities from the threat actors behind Egregor ransomware. The FBI alert warns the hacking group is actively targeting and exploiting a range of global businesses.

Security researchers believe Egregor is the follow-up variant from the threat actors behind Maze, one of the first groups to popularize the double extortion technique. The group heavily targeted the healthcare sector throughout its reign.

Emsisoft Threat Analyst Brett Callow previously explained to HealthITSecurity.com that Egregor's methods bear the hallmarks of the Maze attacks, which include data exfiltration and using the threat of its release as further leverage to extort a payment from victims.

Egregor and Sekhmet threat actors have been observed inserting Maze code into their variants.

Most recently, Egregor hackers posted data they claim to have stolen from Delta Dental Plans Association. The group was also allegedly behind the ransomware attack on GBMC HealthCare in Maryland.

The new FBI alert warns that Egregor has already claimed 150 victims worldwide since the group emerged in September.

“Once a victim company’s network is compromised, Egregor actors exfiltrate data and encrypt files on the network,” FBI officials wrote. “The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors via an online chat.”

“Egregor actors often utilize the print function on victim machines to print ransom notes,” they added. “If the victim refuses to pay, Egregor publishes victim data to a public site.”

The FBI believes Egregor operates as a ransomware-as-a-service model, which allows multiple threat actors to collaborate through a single intrusion and ransomware event. The model was previously outlined in reports that warned hackers were teaming up with other cybercriminals to increase the impact of attacks and to take advantage of stolen data.

Some of these groups, led by Egregor and other popular variants, have also shifted their operations into cloud-based services to increase monetization of their hacking efforts.

For the recent Egregor attacks, the FBI warned that a large number of actors are involved in deploying the payload. As a result, the tactics, techniques, and procedures can drastically vary, which makes it difficult to detect and mitigate the attacks.

Further, the ransomware leverages multiple exploits to compromise networks and/or devices, including phishing emails with malicious attachments and exploits of the Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs).

What’s worse, the hackers exploiting RDP in these attacks use the exposed service as a foothold and then spread across the enterprise network through connected devices.

“Once Egregor gains access to a network, the ransomware affiliates use common pen testing and exploit tools like Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across a network, and tools like Rclone (sometimes renamed or hidden as a svchost) and 7zip to exfiltrate data,” according to the alert.

The FBI again reminded organizations that paying the ransom is not ideal or recommended as it further emboldens hackers to continue these targeted efforts. Victims should instead contact the FBI, which can assist in the prevention of further attacks.

It's important to note that research found paying the ransom can actually double the overall costs of ransomware recovery.

Entities should implement recommended mitigations to prevent falling victim, including backing up critical data offline, with copies kept in the cloud or on an external storage device or drive. Backups should be secured, and administrators should ensure the data cannot be modified or deleted from the system where it resides.

Anti-malware and antivirus software should be installed and routinely updated on all systems. Entities also need at least two-factor authentication on all applicable endpoints.

Patch management must be prioritized on public-facing remote access products and applications, including RDP. RDP must also be securely configured to prevent unauthorized access, including the implementation of multi-factor authentication or the use of strong passwords.

Lastly, administrators should review suspicious .bat and .dll files, as well as files with recon data and exfiltration tools.
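The alert's note that Rclone is sometimes renamed or hidden as "svchost", together with the recommendation to review files tied to exfiltration tools, suggests a simple triage check. The script below is an added example, not code from the FBI alert or this article: it scans constructed process-creation records (image path plus command line, the shape an EDR or Sysmon export would give) and flags an svchost.exe running outside its legitimate directories or carrying Rclone-style arguments. The sample records, the list of legitimate svchost directories, and the argument patterns are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: on a standard Windows install, the real svchost.exe only ever
# runs from these two directories.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Rclone-style command-line fragments: a subcommand followed by a source and a
# "remote:" target, or Rclone-specific flags. A genuine svchost.exe never takes
# these arguments.
RCLONE_ARGS = re.compile(
    r"--config\b|--transfers\b|--ignore-existing\b"
    r"|\b(copy|sync|move)\s+\S+\s+\w{2,}:",
    re.IGNORECASE,
)


def classify(record):
    """Return the reasons a process record looks suspicious (empty list = clean)."""
    image = PureWindowsPath(record["image"])
    name = image.name.lower()
    reasons = []
    if name == "svchost.exe" and str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe running outside System32/SysWOW64")
    if RCLONE_ARGS.search(record["cmdline"]):
        reasons.append("Rclone-style arguments")
    if name == "rclone.exe":
        reasons.append("rclone.exe present")
    return reasons


def triage(records):
    """Map each suspicious image path to its list of reasons."""
    findings = {}
    for record in records:
        reasons = classify(record)
        if reasons:
            findings[record["image"]] = reasons
    return findings


# Constructed sample records: one legitimate service host, one renamed Rclone
# masquerading as svchost.exe, and one Rclone binary under its own name.
SAMPLE = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"image": r"C:\Users\Public\svchost.exe",
     "cmdline": r'svchost.exe copy "C:\Shares\Finance" remote:backup --transfers 32'},
    {"image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe sync D:\Data mega:dump"},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE).items():
        print(image, "->", "; ".join(reasons))
```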

Healthcare entities can also review previous guidance from the Office for Civil Rights, which provides insights into mitigation and response needs for targeted ransomware attacks, like Egregor.