Qakbot 🐎 -> ProLock ☠️ -> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration, the same as with ProLock. The same tools and naming conventions have been used as well, for example md.exe, rdp.bat and svchost.exe.

Egregor operators rely on intimidation: rather than just encrypting compromised networks, they threaten to release sensitive data on the leak site they operate. The biggest ransom demand seen so far was worth $4 million in BTC.

In the span of three months, Egregor operators have successfully hit 69 companies around the world: 32 in the US, 7 each in France and Italy, 6 in Germany and 4 in the UK. Other victims were located in APAC, the Middle East and Latin America. Egregor's most-targeted sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

An Egregor ransomware sample obtained during a recent incident response engagement revealed that its executable code is very similar to Sekhmet.

Egregor's code bears similarities to Maze ransomware as well. The final payload is decrypted with a password supplied on the command line. For file encryption, Egregor combines the ChaCha8 stream cipher with RSA-2048.

The use of Cobalt Strike and QakBot is what to watch for when hunting for Egregor. More threat hunting and detection tips from the Group-IB DFIR team, as well as a detailed technical analysis of Egregor operations, are available in Group-IB's blog.
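As an added example (not code from Group-IB's report or from any Egregor sample), here is a small Python hunt over constructed process-creation events that looks for the artefacts named above: Rclone execution, the md.exe / rdp.bat tool names, and a svchost.exe running outside System32 or not launched by services.exe. The svchost check and the "Excel spawning a loader host" check are general heuristics standing in for the masquerading and maldoc-delivery behaviour the report describes, not rules the report spells out; Cobalt Strike and QakBot themselves need beacon or loader indicators that this page does not give, so they are left out. The event field names and every sample event are made up.

```python
import ntpath

# Constructed sample process-creation events; the field names are an assumption,
# not any specific EDR or Sysmon schema.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32 /s "C:\Users\alice\AppData\Local\Temp\Pic.dat"'},
    {"host": "fs02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\svchost.exe",
     "cmdline": r"svchost.exe"},
    {"host": "fs02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy \\fs02\finance remote:bak --config C:\Windows\Temp\rclone.conf -q"},
    {"host": "dc01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Temp\rdp.bat"},
    {"host": "dc01",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# Tool names called out in the Group-IB analysis.
OPERATOR_TOOL_NAMES = {"md.exe", "rdp.bat"}
# Where a legitimate svchost.exe lives (general heuristic, not from the report).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Generic maldoc heuristic: script/loader hosts an Excel document should not spawn.
OFFICE_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe"}


def _basenames(cmdline):
    """Lower-cased basenames of every token in a command line.

    Matching whole tokens matters: a plain substring test for 'md.exe'
    would fire on every 'cmd.exe' invocation.
    """
    return {ntpath.basename(tok.strip('"')).lower() for tok in cmdline.split()}


def hunt(event):
    """Return the list of findings for one process-creation event."""
    findings = []
    image = event["image"]
    name = ntpath.basename(image).lower()
    parent = ntpath.basename(event["parent"]).lower()
    tokens = _basenames(event["cmdline"])

    # Rclone is the exfiltration tool seen in both ProLock and Egregor cases.
    if name == "rclone.exe" or "rclone.exe" in tokens:
        findings.append("rclone-exfil")

    # Operator tooling names, either as the image or referenced on the command line.
    for tool in sorted(OPERATOR_TOOL_NAMES):
        if name == tool or tool in tokens:
            findings.append(f"tooling-name:{tool}")

    # svchost.exe outside its normal directory, or not launched by services.exe.
    if name == "svchost.exe":
        if ntpath.dirname(image).lower() not in SVCHOST_DIRS or parent != "services.exe":
            findings.append("svchost-masquerade")

    # Excel spawning a loader host is how a maldoc typically stages its payload.
    if parent == "excel.exe" and name in OFFICE_CHILDREN:
        findings.append("office-spawn")

    return findings


def hunt_all(events):
    """Run hunt() over a list of events and keep only those with findings."""
    return [{"host": e["host"], "image": e["image"], "findings": hunt(e)}
            for e in events if hunt(e)]


if __name__ == "__main__":
    for hit in hunt_all(SAMPLE_EVENTS):
        print(f'{hit["host"]:5} {hit["image"]:40} {", ".join(hit["findings"])}')
```

Against the constructed events, four of the five produce a finding and the legitimate svchost.exe under services.exe produces none. Tool-name checks are weak on their own (an operator can rename rdp.bat), so the point of combining them with the Rclone and process-lineage checks is that the same host or session lighting up more than one of them is what deserves a closer look.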

Egregor strikes printers

The Egregor ransomware uses a novel approach to get a victim's attention after an attack: printing ransom notes from all available printers.

Ransomware gangs know that many businesses would rather hide a ransomware attack than make it public, including to employees, for fear of the news affecting stock prices and their reputation.

To increase public awareness of the attack and pressure a victim into paying, the Egregor operation is known to repeatedly print ransom notes from all available network and local printers after an attack.

While this tactic was already known, it wasn't until last weekend, after Egregor's attack on retail giant Cencosud, that it was seen in action.

A close-up look at the printout shows that it is the same ransom note created on the encrypted computers, printed to a receipt printer.

The printing is not believed to be done by the ransomware executable itself; rather, the attackers appear to run a script at the end of an attack that prints the ransom notes to all available printers.

Maze shutting down finally 💫

The Maze cybercrime gang, which began operating in May 2019, is shutting down after rising to become one of the most prominent players in ransomware attacks.

Maze introduced the double-extortion tactic: exfiltrating data before encrypting it. Once the files are encrypted, they demand a ransom; if the victim fails to pay, the stolen data is published on the Maze leak site, which is what brought the group into the limelight.

This double-extortion technique was quickly adopted by other large ransomware operations, including REvil, Clop and DoppelPaymer, which launched their own data leak sites. It has now become a standard tactic used by almost all ransomware operations.

Maze continued to evolve its operations by forming a ransomware cartel with Ragnar Locker and LockBit to share information and tactics.

During their year and a half cybercrime spree, Maze has been responsible for attacks on notable victims, including Southwire, City of Pensacola, Canon, LG Electronics, Xerox, and many more.

Maze started shutting down six weeks ago, in a similar manner to GandCrab in 2019. The most recent related incident was the Barnes & Noble ransomware attack.

One threat actor stated that they take part in ransomware attacks by compromising networks and stealing Windows domain credentials; the compromised networks are then handed to affiliates who deploy the ransomware.

Maze has started to remove victims that it had listed on its data leak site. All that is left on the site are two victims and those whose data had previously been published in full. The cleanup of the data leak site indicates that the operation's shutdown is imminent.

It is not uncommon for ransomware operations to release the master decryption keys when they shut down their operation, as was done with Crysis, TeslaCrypt, and Shade.

Maze affiliates have switched over to a new ransomware operation called Egregor, which began operating in the middle of September, just as Maze started shutting down its encryption operation.

Egregor is believed to be the same underlying software as both Maze and Sekhmet, as they use the same ransom notes, similar payment site naming and much of the same code.

This was also confirmed by a ransomware threat actor who stated that Maze, Sekhmet and Egregor are the same software. When a ransomware operation shuts down, it does not mean the threat actors involved retire as well; they simply move on to the next ransomware operation.

Egregor Ransomware! Blessing in disguise

A recently uncovered ransomware variant called Egregor appears to have infected about a dozen organizations worldwide over the past several months. Like the Maze and Sodinokibi gangs, Egregor's operators also threaten to leak data.

The cybercriminals linked to Egregor are also taking a page from the Maze playbook, creating a “news” site on the darknet that offers a list of victims that have been targeted and updates about when stolen and encrypted data will be released.

“Egregor's ransom note also says that, aside from decrypting all the files in the event the company pays the ransom, they will also provide recommendations for securing the company's network, ‘helping’ them to avoid being breached again, acting as some sort of ‘black hat pentest team’.”

It's not clear how much ransom the operators behind Egregor are demanding or whether any data has been leaked. A copy of one ransom note posted online states that the cybercriminals plan to release stolen data.

Bypassing AV Detection

The Egregor variant appears to be a spinoff of another ransomware strain called Sekhmet, which has also been linked to criminal gangs threatening to release encrypted and stolen data if victims don't pay.

The Appgate analysts noted that the Egregor ransomware uses several anti-analysis techniques, including code obfuscation and packed payloads, meaning the malicious code “unpacks” itself in memory to avoid detection by security tools. Without the right decryption key, it is difficult to analyze the full ransomware payload and learn more about how the malware works.

“The Egregor payload can only be decrypted if the correct key is provided in the process' command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn't provided.”

The Egregor ransom note is vague and offers few clues about how the malware works and how the operators behind it will decrypt files once the ransom is paid.

Data Leak Threats

While it’s not clear whether any data related to Egregor ransomware attacks has been leaked, security experts note that more cybercriminal gangs are using this technique to force victims to pay or as a warning to others.