Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.
ProLock = Egregor
The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.
First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – same as with ProLock. Same tools and naming convention have been used as well, for example md.exe, rdp.bat, svchost.exe.
Egregor operators leverage the intimidation tactics, they threaten to release sensitive info on the leak site they operate instead of just encrypting compromised networks. The biggest ransom demand was at $4 million worth of BTC till now.
Egregor operators in a spam of 3 months have managed to successfully hit 69 companies around the world with 32 targets in the US, 7 victims in France and Italy each, 6 in Germany, and 4 in the UK. Other victims happened to be from the APAC, the Middle East, and Latin America. Egregor’s favorite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).
Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.
Egregor source code bears similarities with Maze ransomware as well. The decryption of the final payload is based on the command-line provided password.Egregor operators use the combination of ChaCha8 stream cipher and RSA-2048 for file encryption.
The use of CobaltStike and QakBot is to watch when hunting for Egregor. More threat hunting and detection tips from Group-IB DFIR team as well as a detailed technical analysis of Egregor operations are available in Group-IB’s blog.
The Egregor ransomware uses a novel approach to get a victim’s attention after an attack – shoot ransom notes from all available printers.
Ransomware gangs know that many businesses would rather hide a ransomware attack than make it public, including to employees, for fear of the news affecting stock prices and their reputation.
To increase public awareness of the attack and pressure a victim into paying, the Egregor operation is known to repeatedly print ransom notes from all available network and local printers after an attack.
It has been aware of this tactic, it wasn’t until last weekend after Egregor’s attack on retail giant Cencosud that we saw it in action.
A closeup lookup of the printout, this is the same ransom note created on computers being printed to a receipt printer.
Instead, it is believed that the ransomware attackers utilize a script at the end of an attack to print out ransom notes to all available printers.
Ransomware-as-a-Service is a cyber-security term referring to criminal gangs that rent ransomware to other groups, either via a dedicated portal or via threads on hacking forums.
RaaS portals work by providing a ready-made ransomware code to other gangs. These gangs, often called RaaS clients or affiliates, rent the ransomware code, customize it using options provided by the RaaS, and then deploy in real-world attacks via a method of their choosing.
Payments from these incidents, regardless of how the affiliates managed to infect a victim, go to the RaaS gang, who keeps a small percentage and then forwards the rest to the affiliate.
RaaS offerings have been around since 2017, and they have been widely adopted as they allow non-technical criminal gangs to spread ransomware without needing to know how to code and deal with advanced cryptography concepts.
The RaaS tiers
According to a report published today by Intel 471, there are currently around 25 RaaS offerings being advertised on the underground hacking
While there are ransomware gangs who operate without renting their “product” to other groups, the number of RaaS portals available today far exceeds what many security experts thought could be available and shows the plethora of options that criminal gangs have at their disposal if they ever choose to dip their toes in the ransomware game.
But not all RaaS offerings provide the same features. Intel 471 says it’s been tracking these services across three different tiers, depending on the RaaS’ sophistication, features, and proven history.
Tier 1 is for the most well-known ransomware operations today. To be classified as a Tier 1 RaaS, these operations had to be around for months, proven the viability of their code through a large number of attacks, and continued to operate despite public
This tier includes the likes of REvil, Netwalker, DopplePaymer, Egregor (Maze), and Ryuk.
With the exception of Ryuk, all Tier 1 operators also run dedicated “leak sites” where they name-and-shame victims as part of their well-oiled extortion cartel.
These gangs also use a wide variety of intrusion vectors, each depending on the type of affiliates they recruit. They can breach networks by exploiting bugs in networking devices (by recruiting networking experts), they can drop their ransomware payload on systems already infected by other malware (by working with other malware cartels), or they can gain access to company networks via RDP connections (by working with brute-force botnet operators or sellers or compromised RDP credentials).null
Tier 2 is for RaaS portals that have gained a reputation on the hacking underground, provide access to advanced ransomware strains, but have yet to reach the same number of affiliates and attacks as Tier 1 operators.
This list includes the likes of Avaddon, Conti, Clop, DarkSide, Mespinoza (Pysa), RagnarLocker, Ranzy (Ako), SunCrypt, and Thanos — and these are effectively the up-and-comers of the ransomware world.
Tier 3 is for newly launched RaaS portals or for RaaS offerings about which there’s limited to no information available. In some cases, it is unclear if any of these are still up and running or if their authors gave up after trying and failing to get their portals off the ground.null
This list currently includes the likes of CVartek.u45, Exorcist, Gothmog, Lolkek, Muchlove, Nemty, Rush, Wally, Xinof, Zeoticus, and (late arrival) ZagreuS.
All in all, while the underground cybercrime ecosystem is generating profits through criminal activity, it is still a market, and, just like all markets, it is governed by the same principles that guide any other market today.
A large number of service providers is the tell-tale sign of a booming economy that is far from being saturated. Saturating the RaaS market will only happen when criminals create more RaaS portals than affiliate groups are willing to sign up for or when companies bolster their security measures, making intrusion harder to carry out, drying up profits for crooks.