Qakbot 🐎 -> Prolock ☠️ -> Egregor 👹

Group-IB discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware.

ProLock = Egregor

The analysis of attacks where Egregor has been deployed revealed that the TTPs used by the threat actors are almost identical to the ones used by the ProLock operators.

First, the initial access is always gained via QakBot delivered through malicious Microsoft Excel documents impersonating DocuSign-encrypted spreadsheets. Moreover, Egregor operators have been using Rclone for data exfiltration – the same as with ProLock. The same tools and naming conventions have been used as well, for example md.exe, rdp.bat, and svchost.exe.

Egregor operators leverage intimidation tactics: rather than just encrypting compromised networks, they threaten to release sensitive information on the leak site they operate. The largest ransom demand seen so far was $4 million worth of BTC.

In a span of 3 months, Egregor operators have managed to successfully hit 69 companies around the world: 32 targets in the US, 7 each in France and Italy, 6 in Germany, and 4 in the UK. Other victims were in APAC, the Middle East, and Latin America. Egregor’s favourite sectors are Manufacturing (28.9% of victims) and Retail (14.5%).

An Egregor ransomware sample obtained during a recent incident response engagement revealed that the executable code of Egregor is very similar to Sekhmet.

Egregor’s source code bears similarities to Maze ransomware as well. Decryption of the final payload depends on a password supplied on the command line. Egregor operators use a combination of the ChaCha8 stream cipher and RSA-2048 for file encryption.

The use of Cobalt Strike and QakBot is something to watch for when hunting for Egregor. More threat hunting and detection tips from the Group-IB DFIR team, as well as a detailed technical analysis of Egregor operations, are available on Group-IB’s blog.
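The overlaps listed above (Rclone for exfiltration, the recurring md.exe / rdp.bat / svchost.exe names, Excel lures posing as DocuSign spreadsheets) translate directly into hunt logic. The script below is an added example, not Group-IB's tooling or anything from the original write-up: it runs a handful of rules over constructed, Sysmon-like process-creation records. The record layout, the host names, the file paths and the `office_child_process` rule (Excel spawning another executable, a generic macro-delivery hunt rather than something the page states) are all assumptions.

```python
import ntpath
from collections import namedtuple

# Constructed process-creation records in a Sysmon-like shape (sample data, not real telemetry).
ProcEvent = namedtuple("ProcEvent", "host image parent cmdline")

SAMPLE_EVENTS = [
    # Legitimate svchost launched by the service control manager from System32.
    ProcEvent("ws01", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    # A binary named svchost.exe living in a user profile: the masquerading pattern.
    ProcEvent("ws01", r"C:\Users\bob\AppData\Roaming\svchost.exe",
              r"C:\Windows\explorer.exe", "svchost.exe"),
    ProcEvent("ws02", r"C:\ProgramData\md.exe", r"C:\Windows\System32\cmd.exe", "md.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c C:\temp\rdp.bat"),
    ProcEvent("fs01", r"C:\temp\rclone.exe", r"C:\Windows\System32\cmd.exe",
              r"rclone.exe copy D:\shares\finance remote:exfil --transfers 16"),
    ProcEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\explorer.exe",
              r'"EXCEL.EXE" C:\Users\amy\Downloads\DocuSign_invoice.xlsm'),
    # x.dll is a placeholder name; Excel spawning regsvr32 is the hypothetical macro hand-off.
    ProcEvent("ws03", r"C:\Windows\System32\regsvr32.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"regsvr32.exe C:\Users\amy\AppData\Local\Temp\x.dll"),
]

# Directories where a genuine svchost.exe is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Tool names the write-up attributes to ProLock/Egregor operators, plus Rclone for exfiltration.
OPERATOR_TOOL_NAMES = {"md.exe", "rdp.bat", "rclone.exe"}
SPREADSHEET_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")


def _base(path):
    """Lower-cased file name component of a Windows path (or bare token)."""
    return ntpath.basename(path.strip('"')).lower()


def classify(ev):
    """Return the rule names an event matches; an empty list means nothing suspicious."""
    hits = []
    image = _base(ev.image)
    # Rule 1: svchost.exe running from anywhere but the system directories.
    if image == "svchost.exe" and ntpath.dirname(ev.image).lower() not in SYSTEM_DIRS:
        hits.append("svchost_masquerade")
    # Rule 2: operator tool names, whether as the image or referenced on the command line.
    names = {image} | {_base(tok) for tok in ev.cmdline.split()}
    for tool in sorted(names & OPERATOR_TOOL_NAMES):
        hits.append("operator_tool:" + tool)
    # Rule 3: Excel opening a DocuSign-themed spreadsheet (the lure described above).
    if image == "excel.exe" and any("docusign" in n and n.endswith(SPREADSHEET_EXTS) for n in names):
        hits.append("docusign_lure_spreadsheet")
    # Rule 4 (assumption, generic macro hunt): Excel as the parent of another executable.
    if _base(ev.parent) == "excel.exe" and image != "excel.exe":
        hits.append("office_child_process")
    return hits


def hunt(events):
    """Group matched rules by host so an analyst sees which machines need triage first."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(ev.host, set()).add(rule)
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, ", ".join(rules))
```

The point of rule 1 is that the name alone is useless as an indicator; only the combination of a trusted name with an untrusted path is. Rules 2 and 3 are deliberately narrow string matches, which is fine for a retrospective hunt across EDR data but will need broadening (hashes, command-line arguments such as Rclone's `copy`/`sync` to a remote) before being promoted to an alerting rule.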

Egregor strikes printers

The Egregor ransomware uses a novel approach to get a victim’s attention after an attack – it shoots ransom notes out of all available printers.

Ransomware gangs know that many businesses would rather hide a ransomware attack than make it public, including to employees, for fear of the news affecting stock prices and their reputation.

To increase public awareness of the attack and pressure a victim into paying, the Egregor operation is known to repeatedly print ransom notes from all available network and local printers after an attack.

While this tactic had been known about for some time, it wasn’t until last weekend, after Egregor’s attack on retail giant Cencosud, that we saw it in action.

A closeup look at the printout shows that it is the same ransom note created on the computers, here printed to a receipt printer.

It is believed that the ransomware attackers use a script at the end of an attack to print ransom notes to all available printers.
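Because the printing happens as a burst at the very end of the intrusion, it is also one of the few Egregor behaviours that shows up in print-spooler telemetry rather than in endpoint or network data. The detector below is an added example, not code from the original post or from any vendor: it looks for one document sent from one host and account to several distinct printers within a short window. The records are constructed and simplified, loosely modelled on Windows' Microsoft-Windows-PrintService/Operational log (event ID 307, document printed); the field layout, host names, printer names and the 60-second / 3-printer thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified print records: (timestamp, source host, user, document, printer).
# Loosely modelled on PrintService/Operational event 307; not real log data.
SAMPLE_PRINT_EVENTS = [
    # Same text file pushed to four different printers within seconds, at 02:10 in the morning.
    ("2021-01-01T02:10:00", "ws07", "svc_backup", "RECOVER-FILES.txt", "HP-Floor2"),
    ("2021-01-01T02:10:02", "ws07", "svc_backup", "RECOVER-FILES.txt", "Receipt-POS-01"),
    ("2021-01-01T02:10:03", "ws07", "svc_backup", "RECOVER-FILES.txt", "Receipt-POS-02"),
    ("2021-01-01T02:10:05", "ws07", "svc_backup", "RECOVER-FILES.txt", "Canon-Lobby"),
    ("2021-01-01T02:10:07", "ws07", "svc_backup", "RECOVER-FILES.txt", "HP-Floor2"),
    # Ordinary user printing the same report twice, 25 minutes apart: must not alert.
    ("2021-01-01T09:15:00", "ws02", "amy", "Q3-report.docx", "HP-Floor2"),
    ("2021-01-01T09:40:00", "ws02", "amy", "Q3-report.docx", "Canon-Lobby"),
]


def detect_print_storms(events, window_seconds=60, min_printers=3):
    """Flag (host, user, document) groups that reach min_printers distinct printers
    inside any window_seconds-long sliding window. Returns one alert per group."""
    groups = defaultdict(list)
    for ts, host, user, doc, printer in events:
        groups[(host, user, doc)].append((datetime.fromisoformat(ts), printer))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user, doc), jobs in groups.items():
        jobs.sort()  # chronological order; tuples sort by timestamp first
        start = 0
        for end in range(len(jobs)):
            # Slide the left edge forward until the window fits.
            while jobs[end][0] - jobs[start][0] > window:
                start += 1
            printers = {printer for _, printer in jobs[start:end + 1]}
            if len(printers) >= min_printers:
                alerts.append({
                    "host": host,
                    "user": user,
                    "document": doc,
                    "printers": sorted(printers),
                    "first_seen": jobs[start][0].isoformat(),
                })
                break  # one alert per group is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_print_storms(SAMPLE_PRINT_EVENTS):
        print(f"{alert['first_seen']} {alert['host']}/{alert['user']} printed "
              f"'{alert['document']}' to {len(alert['printers'])} printers: {alert['printers']}")
```

Grouping by host and account as well as document name keeps a busy print server from tripping the rule when many people print a shared template; the fan-out from a single source to many printers is what distinguishes the ransom-note script from normal use. Feeding the alert into the same incident channel as the endpoint hunt above matters because by the time the notes print, encryption has typically already run, so the value is in speeding up containment and scoping, not prevention.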

Netwalker… Made a brief walk on Argentina border ⛔

Argentina’s immigration agency, Dirección Nacional de Migraciones (DNM), was the victim of a ransomware attack that temporarily halted border crossings, with hackers demanding $4 million in Bitcoin.

The attack was first reported by the Argentinean government on August 27 to the country’s cybercrime agency, after multiple calls from border checkpoints suggested their computer networks were compromised.

Border authorities found that their computer systems, including apps and shared folders, were hit by an unidentified virus in the small hours. They took swift action and shut down central servers to prevent the virus from propagating to other systems over the network.

All Argentinean immigration offices and control posts were put out of service for four hours until they were brought online again.

“The Comprehensive Migration Capture System (SICaM) that operates in international crossings was particularly affected, which caused delays in entry and exit to the national territory,” the DNM stated.

Ransomware attackers demand $4m in Bitcoin

The attackers were later identified by authorities as NetWalker, a ransomware operation that targets corporate computer networks. Its usual pattern of attack is to encrypt or password-protect files and in turn demand a ransom.

The NetWalker hackers who attacked Argentina’s immigration agency flashed a payment message leading to a Tor network page, demanding $2 million in Bitcoin as ransom. This figure was then changed to $4 million after seven days, approximately 355 Bitcoin at the time.

Ransomware is becoming a nightmare for all organizations, whether government or private…