A recently uncovered ransomware variant called Egregor that appears to have infected about a dozen organizations worldwide over the past several months, like other gangs Maze and Sodinokobi, Egregor also threatens to leak data
The cybercriminals linked to Egregor are also taking a page from the Maze playbook, creating a “news” site on the darknet that offers a list of victims that have been targeted and updates about when stolen and encrypted data will be released.
“Egregors’ ransom note also says that aside from decrypting all the files in the event the company pays the ransom, they will also provide recommendations for securing the company’s network, ‘helping’ them to avoid being breached again, acting as some sort of “black hat pentest team,” .
It’s not clear how much ransom the operators behind Egregor are demanding or if any data has been leaked.A copy of one ransom note posted online notes the cybercriminals plan to release stolen data.
Bypassing AV Detection
The Egregor variant appears to be a spinoff of another ransomware strain called Sekhmet, which has also been linked to criminal gangs threatening to release encrypted and stolen data if victims don’t pay .
The Appgate analysts noted that the Appgate ransomware uses several types of anti-analysis techniques, including code obfuscation and packed payloads, which means the malicious code “unpacks” itself in memory as a way to avoid detection by security tools. Without the right decryptor key, it’s difficult to analyze the full ransomware payload to learn additional details about how the malware works.
“The Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided,”.
The Egregor ransom note is vague and offers few clues about how the malware works and how the operators behind it will decrypt files once the ransom is paid.
Data Leak Threats
While it’s not clear whether any data related to Egregor ransomware attacks has been leaked, security experts note that more cybercriminal gangs are using this technique to force victims to pay or as a warning to others.