Egregor is a recently recognized ransomware variant that was first exposed in September 2020 and has since been identified in numerous sophisticated attacks on organizations worldwide, including the gaming industry; researchers caution that this ransomware variant is only just getting started.
The method used in these attacks follows a familiar pattern: breaching an organization, stealing sensitive data, and then running the malware to encrypt its documents, while threatening to publicly release the company's information if the ransom is not paid in time.
Egregor Ransomware Attack
Egregor is arguably the most aggressive ransomware variant in terms of how it deals with its victims. The attackers give only 3 days to make contact with them. If the ransom is not paid in time, the data is released to the public through the attackers' website.
Egregor remains largely a mystery when it comes to how it is distributed and who is behind it. Not much information about the operation is known at this point, but one theory holds that Egregor is the successor to Maze (another well-known ransomware operation), whose operators declared they were closing down in late October this year. This theory is supported by the close resemblances between the two.
FROM COMMODITY MALWARE INFECTION TO RANSOMWARE
Since Egregor is a relatively new player, not many incidents involving it have been covered and detailed at this time, including information about the infection chain. The information obtained so far suggests that the initial infection starts with a phishing email that carries a malicious macro embedded in an attached file.
The macro code downloads a commodity malware such as Qbot, IcedID or Ursnif, which provides capabilities for stealing sensitive data that will later be used for lateral movement. This practice of using commodity malware as the initial infection and eventually distributing ransomware was observed before with Ryuk and Maze.
Later in the attack, a Cobalt Strike beacon is installed on the infected system, and the attack turns into a hands-on intrusion. The attackers use reconnaissance tools such as AdFind and SharpHound to gather information about users, groups, computers, and so on. This information supports the lateral movement phase and also privilege escalation, as Egregor compromises Active Directory in order to become a domain admin.
In this stage, after the malware settles on the target's system, it starts communicating with the C2 in order to download additional components, including scripts, DLLs, and other files, that will be used in the end to exfiltrate information and encrypt documents.
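The chain described above leaves two observable traces on an endpoint: an Office process spawning a script host when the macro runs, and AdFind or SharpHound being executed for reconnaissance. The following added example (not from the original article) runs those two detections over constructed process-creation log lines; the log format, host names and command lines are invented for the example, and the `objectcategory=` keyword is a heuristic assumption for catching a renamed AdFind binary.

```python
"""Flag process-creation events matching the Egregor chain described above:
an Office macro spawning a script host, then AdFind / SharpHound recon.
The log format and sample events are constructed for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Recon tool names plus an LDAP-filter keyword AdFind queries usually carry,
# so a renamed binary still trips the rule (heuristic, assumption).
RECON_RE = re.compile(r"adfind|sharphound|objectcategory=", re.IGNORECASE)

@dataclass
class Event:
    host: str
    parent: str
    image: str
    cmdline: str

def parse_line(line: str) -> Event:
    # Constructed format: host|parent_image|image|command_line
    host, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return Event(host, parent.lower(), image.lower(), cmdline)

def classify(ev: Event) -> Optional[str]:
    if ev.parent in OFFICE_PARENTS and ev.image in SCRIPT_HOSTS:
        return "macro_spawned_child"
    if RECON_RE.search(ev.image) or RECON_RE.search(ev.cmdline):
        return "ad_reconnaissance"
    return None

def detect(lines) -> List[Tuple[str, str, str]]:
    """Return (host, rule, image) for every event that matches a rule."""
    hits = []
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            rule = classify(ev)
            if rule:
                hits.append((ev.host, rule, ev.image))
    return hits

SAMPLE_LOG = """\
ws01|explorer.exe|winword.exe|WINWORD.EXE invoice.docm
ws01|winword.exe|cmd.exe|cmd /c wscript loader.vbs
ws01|cmd.exe|wscript.exe|wscript loader.vbs
ws01|svchost.exe|adfind.exe|adfind.exe -f (objectcategory=person) > users.txt
ws01|cmd.exe|af.exe|af.exe -f objectcategory=computer -b DC=corp,DC=local
ws02|explorer.exe|chrome.exe|chrome.exe --profile-directory=Default
"""

if __name__ == "__main__":
    for host, rule, image in detect(SAMPLE_LOG.splitlines()):
        print(f"{host}: {rule} ({image})")
```

The third sample line (cmd spawning wscript) is deliberately not flagged on its own: the rule keys on the Office parent, so a SIEM correlation on the process tree is still needed to follow the chain past the first hop.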
Some anti-virus measures to prevent Egregor
Tip-1:
Safeguard the integrity of the code used in the database, and set up an email authentication system to stop spam by detecting email spoofing, the route through which most ransomware samples reach corporate mailboxes.
Tip-2:
Keep anti-virus software updated on all systems and don't open attachments or files in unwanted or unsolicited e-mails, even if they come from individuals in your contact list, and never click on a URL contained in an unsolicited email, even if the link appears genuine.
Tip-3:
If a URL appears genuine, close the email and go to the organization's website directly through the browser instead.
Tip-4:
It is also recommended that security managers deactivate remote desktop connections and use least-privileged accounts.
Tip-5:
Limiting which users can log in via remote desktop and setting an account lockout policy are among the further countermeasures recommended against ransomware attacks in the advisory.
Written by: Vishnu Kuttan
Reviewed By: Sayan Chatterjee